September 14, 2020 / Nirav Shah
AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and it uses hardware security modules (HSMs) to protect the security of those keys.
There are two types of encryption that AWS provides.
As per the AWS definition:
Symmetric encryption uses the same secret key to perform both the encryption and decryption processes.
Asymmetric encryption, also known as public-key encryption, uses two keys, a public key for encryption and a corresponding private key for decryption. The public key and private key are mathematically related so that when the public key is used for encryption, the corresponding private key must be used for decryption.
Encryption algorithms are either symmetric or asymmetric. For asymmetric keys, AWS KMS supports the RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384, and RSASSA_PKCS1_V1_5_SHA_512 signing algorithms.
Keep in mind that the plaintext size limit for symmetric encryption is 4 KB per request.
Learn More About AWS cryptographic services
AWS Key Management Service provides a free tier of 20,000 requests/month for 12 months; after that, the charges below apply. One concept to keep in mind is that AWS KMS is a region-based service. Learn More About AWS Key Management Service Pricing
$0.03 per 10,000 requests
$0.03 per 10,000 requests involving RSA 2048 keys
$0.10 per 10,000 ECC GenerateDataKeyPair requests
$0.15 per 10,000 asymmetric requests except RSA 2048
$12.00 per 10,000 RSA GenerateDataKeyPair requests
The AWS KMS custom key store feature combines the controls provided by AWS CloudHSM with the integration and ease of use of AWS KMS. You can configure your own CloudHSM cluster and authorize AWS KMS to use it as a dedicated key store for your keys rather than the default AWS KMS key store.
Grants are an alternative access control mechanism to key policies, and they allow you to programmatically delegate the use of your KMS Customer Master Keys (CMKs) to other AWS principals.
For example, the grantee can be a user in either your own account or in another AWS account. Grants are generally used to provide temporary, granular permissions, such as encrypt, decrypt, re-encrypt and describe key, to name just a few. A grant can only define access that is allowed; you cannot explicitly deny access using a grant.
In short, a grant provides temporary permissions for access to KMS operations on a key.
Grants are configured programmatically using the AWS CLI.
Creating a grant returns a grant token, which is then passed to the KMS API along with the request that uses the delegated permission.
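The grant workflow described above, written as an added example with boto3 (the AWS SDK, rather than the CLI the post names); it is not code from the post. The key ARN, the principal ARNs and the FakeKMS class are constructed placeholders so the script runs offline; a real boto3 KMS client exposes the same create_grant, encrypt and retire_grant methods and response shape.

```python
"""KMS grant workflow via boto3 (the AWS SDK; the post names the CLI). Added
example: key ARN, principals and FakeKMS are constructed placeholders."""

SYMMETRIC_PLAINTEXT_LIMIT = 4096  # symmetric Encrypt: at most 4 KB plaintext

def create_temporary_grant(kms, key_id, grantee_arn, retiring_arn,
                           operations=("Encrypt", "Decrypt")):
    """Delegate `operations` on key_id to grantee_arn (a grant can only allow)."""
    resp = kms.create_grant(KeyId=key_id, GranteePrincipal=grantee_arn,
                            RetiringPrincipal=retiring_arn,
                            Operations=list(operations), Name="temp-delegation")
    # The grant token lets the grantee use the permission at once, before the
    # new grant has propagated across the region-based service.
    return resp["GrantId"], resp["GrantToken"]

def encrypt_with_grant(kms, key_id, plaintext, grant_token):
    """Encrypt under the delegated key, passing the grant token to the API."""
    if len(plaintext) > SYMMETRIC_PLAINTEXT_LIMIT:
        raise ValueError(f"{len(plaintext)} bytes exceeds the 4 KB symmetric "
                         "Encrypt limit; generate a data key and use envelope "
                         "encryption instead")
    resp = kms.encrypt(KeyId=key_id, Plaintext=plaintext, GrantTokens=[grant_token])
    return resp["CiphertextBlob"]

def retire_temporary_grant(kms, grant_token):
    """Revoke the delegation once the temporary access is no longer needed."""
    kms.retire_grant(GrantToken=grant_token)

class FakeKMS:
    """Constructed offline stand-in: same method names and response shape as
    the boto3 client, but it only records the calls it receives."""
    def __init__(self):
        self.calls = []
    def create_grant(self, **kw):
        self.calls.append(("create_grant", kw))
        return {"GrantId": "GRANT-ID-PLACEHOLDER", "GrantToken": "GRANT-TOKEN-PLACEHOLDER"}
    def encrypt(self, **kw):
        self.calls.append(("encrypt", kw))
        return {"CiphertextBlob": b"ct:" + kw["Plaintext"], "KeyId": kw["KeyId"]}
    def retire_grant(self, **kw):
        self.calls.append(("retire_grant", kw))

if __name__ == "__main__":
    kms = FakeKMS()  # swap in boto3.client("kms") (needs AWS credentials) for real use
    key = "arn:aws:kms:eu-west-2:111122223333:key/KEY-ID-PLACEHOLDER"
    gid, tok = create_temporary_grant(kms, key, "arn:aws:iam::444455556666:role/Consumer",
                                      "arn:aws:iam::111122223333:role/KeyOwner")
    print(encrypt_with_grant(kms, key, b"small secret", tok))
    retire_temporary_grant(kms, tok)
```

The oversize check mirrors the 4 KB symmetric limit mentioned earlier: anything larger must go through a data key rather than the Encrypt API directly.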
This is all about AWS KMS and how you can use KMS to store and retrieve your cryptographic keys.
FAQs:
1. What is key management used for?
2. Which task can AWS Key Management Service perform?
3. What algorithm does AWS KMS use?

Nirav Shah is the Director of Eternal Web Pvt Ltd, an AWS Advanced Consulting Partner and certified Odoo Partner based in the UK. With over a decade of experience in cloud computing, digital transformation, and ERP implementation, Nirav helps enterprises adopt the right technology to solve complex business challenges. He specialises in AWS infrastructure, Odoo ERP, and web development solutions for businesses across the UK and beyond.
Have queries about your project idea or concept? Please drop in your project details to discuss with our AWS Global Cloud Infrastructure service specialists and consultants.