AWS – Key Management Service

September 14, 2020 / Eternal Team

What is KMS?

It is a managed service for creating and controlling the encryption keys used to protect your data. Key material is generated in and protected by hardware security modules (HSMs) and never leaves the service unencrypted: callers send data to KMS to be encrypted, decrypted or signed, rather than retrieving the keys themselves.

AWS KMS offers two types of keys:

  • Asymmetric encryption
  • Symmetric encryption

As per the AWS definition:

Symmetric encryption uses the same secret key to perform both the encryption and decryption processes.

Asymmetric encryption, also known as public-key encryption, uses two keys, a public key for encryption and a corresponding private key for decryption. The public key and private key are mathematically related so that when the public key is used for encryption, the corresponding private key must be used for decryption.

Every KMS key is either symmetric or asymmetric. For asymmetric RSA keys created for signing, AWS KMS supports the RSASSA_PSS_SHA_256, RSASSA_PSS_SHA_384, RSASSA_PSS_SHA_512, RSASSA_PKCS1_V1_5_SHA_256, RSASSA_PKCS1_V1_5_SHA_384 and RSASSA_PKCS1_V1_5_SHA_512 signing algorithms. Note that these are signature algorithms, not encryption algorithms; an RSA key created for encryption uses RSAES_OAEP instead, and a key's usage (encrypt/decrypt or sign/verify) is fixed when it is created.

Keep in mind that the Encrypt API accepts at most 4 KB (4,096 bytes) of plaintext per call. Anything larger is encrypted locally with a data key obtained from GenerateDataKey; KMS only wraps that data key, and you store the wrapped key next to the ciphertext. This pattern is called envelope encryption.
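The following is an added example, not code from the original post or from AWS. It shows the envelope-encryption flow around the 4 KB limit: the caller asks for a data key, encrypts the payload locally, and keeps only the wrapped key. Two things are assumptions for the sake of running offline: the `LocalKms` class stands in for `boto3.client("kms")` (same call and response shapes for `generate_data_key`, `encrypt` and `decrypt`, with the 4 KB check mimicking the service's ValidationException), and the `seal`/`open_sealed` helpers use an HMAC-SHA256 counter-mode keystream with an HMAC tag so the example needs only the standard library; in production the local cipher would be AES-GCM (the AWS Encryption SDK does this for you). The encryption context is bound into the authentication tag, as KMS does with its own ciphertexts, so decrypting with a different context fails.

```python
import hashlib
import hmac
import secrets

KMS_MAX_PLAINTEXT = 4096  # bytes: the Encrypt API's limit per call


def canonical_context(context):
    """Encryption context as bytes (sorted k=v pairs) so it can be bound into the tag."""
    return b";".join(f"{k}={v}".encode() for k, v in sorted((context or {}).items()))


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stdlib-only PRF keystream standing in for AES-GCM."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key, aad, plaintext):
    """Encrypt-then-MAC; the tag covers aad, so a different context fails to open."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, aad, blob):
    """Verify the tag in constant time before decrypting; reject on any mismatch."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or encryption context")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class LocalKms:
    """Assumed offline stand-in for boto3.client("kms"). The master key never leaves
    this object, mirroring a KMS key that never leaves the HSMs."""

    def __init__(self):
        self._master = secrets.token_bytes(32)

    def generate_data_key(self, KeyId, KeySpec="AES_256", EncryptionContext=None):
        data_key = secrets.token_bytes(32)
        wrapped = seal(self._master, canonical_context(EncryptionContext), data_key)
        return {"KeyId": KeyId, "Plaintext": data_key, "CiphertextBlob": wrapped}

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None):
        if len(Plaintext) > KMS_MAX_PLAINTEXT:  # mimics the service's ValidationException
            raise ValueError("ValidationException: plaintext exceeds 4096 bytes")
        return {"KeyId": KeyId,
                "CiphertextBlob": seal(self._master, canonical_context(EncryptionContext), Plaintext)}

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        return {"Plaintext": open_sealed(self._master, canonical_context(EncryptionContext), CiphertextBlob)}


def envelope_encrypt(kms, key_id, plaintext, context):
    """Fetch a data key from KMS, encrypt the payload locally, store only the wrapped key."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256", EncryptionContext=context)
    body = seal(dk["Plaintext"], canonical_context(context), plaintext)
    del dk["Plaintext"]  # the plaintext data key must not be persisted with the envelope
    return {"wrapped_key": dk["CiphertextBlob"], "body": body, "context": dict(context)}


def envelope_decrypt(kms, envelope, context):
    """One small Decrypt call unwraps the data key; the payload itself never goes to KMS."""
    data_key = kms.decrypt(CiphertextBlob=envelope["wrapped_key"], EncryptionContext=context)["Plaintext"]
    return open_sealed(data_key, canonical_context(context), envelope["body"])


if __name__ == "__main__":
    kms = LocalKms()
    ctx = {"app": "payroll", "tenant": "acme"}
    payload = b"x" * 10_000  # constructed sample, well over the 4 KB Encrypt limit
    env = envelope_encrypt(kms, "alias/demo", payload, ctx)
    print(envelope_decrypt(kms, env, ctx) == payload)
```

With a real client, `envelope_encrypt(boto3.client("kms"), "alias/demo", payload, ctx)` works unchanged; the only call that touches the network per object is one GenerateDataKey on write and one Decrypt of a 32-byte key on read, regardless of payload size.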

For more detail, refer to the AWS KMS documentation.

AWS Key Management Service provides a free tier of 20,000 requests/month for 12 months; beyond that, API requests were priced as follows at the time of writing (each customer managed key also costs $1 per month while it exists). One concept to keep in mind is that AWS KMS is a regional service: a key lives, and can only be used, in the region where it was created. More pricing details can be found on the AWS KMS pricing page.

  • $0.03 per 10,000 symmetric requests
  • $0.03 per 10,000 requests involving RSA 2048 keys
  • $0.10 per 10,000 ECC GenerateDataKeyPair requests
  • $0.15 per 10,000 asymmetric requests except RSA 2048
  • $12.00 per 10,000 RSA GenerateDataKeyPair requests

What is a custom key store?

The AWS KMS custom key store feature combines the controls provided by AWS CloudHSM with the integration and ease of use of AWS KMS. You can configure your own CloudHSM cluster and authorize AWS KMS to use it as a dedicated key store for your keys rather than the default AWS KMS key store. KMS still manages the key metadata and exposes the same API, but the key material is generated in and never leaves your CloudHSM cluster; if that cluster is unavailable, operations on those keys fail, so you own its availability as well as its security.

What are KMS grants?

Grants are an access-control mechanism that complements key policies and IAM policies: they let you programmatically delegate use of a KMS key (formerly called a customer master key, CMK) to another AWS principal, whether in your own account or in another AWS account.

For example

A grant names the grantee principal and the operations it may perform, such as Encrypt, Decrypt, ReEncrypt, GenerateDataKey and DescribeKey, to name a few. Grants are generally used to provide temporary, granular permissions. A grant can only allow operations; it cannot deny them. To deny access, use the key policy or an IAM policy.

In short, a grant provides temporary, narrowly scoped permission to use a key. This is also how AWS services such as EBS use your key on your behalf: they create a grant for themselves rather than being written into your key policy.

How do you create a grant?

Grants are created only through the API, using the AWS CLI or an SDK; the console does not create them. The main operations are:

  • CreateGrant – add permission on a KMS key, specifying the grantee principal, the list of operations the grantee can perform, and optionally an encryption-context constraint that limits which requests the grant applies to
  • ListGrants – list the grants on a key
  • RetireGrant and RevokeGrant – remove a grant: the grantee (or retiring principal) retires it when it is no longer needed, while a key administrator revokes it to withdraw access

CreateGrant returns a grant ID and a grant token. Grants are eventually consistent, so a request made immediately after CreateGrant may not yet see the grant; passing the token in the GrantTokens parameter of that request lets it use the grant right away.
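The following is an added example, not code from the original post or from AWS. It walks through the grant lifecycle above with the boto3 call and response shapes of CreateGrant, Encrypt (with a grant token), ListGrants and RevokeGrant: the grant is limited to an explicit operation list and an encryption-context subset, the token is used to encrypt before the grant has propagated, and the grant is then revoked. The `FakeKms` class is an assumption so that the example runs offline; it only honours Encrypt through a token of a grant that lists Encrypt and whose context constraint matches, which mimics the allow-only nature of grants (a real key is additionally governed by its key policy). The key alias, ARN and payload are constructed sample values.

```python
import secrets

# GrantOperation values accepted by CreateGrant (the subset used in this example).
GRANT_OPERATIONS = {"Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo", "GenerateDataKey",
                    "GenerateDataKeyWithoutPlaintext", "DescribeKey", "Sign", "Verify",
                    "GetPublicKey", "CreateGrant", "RetireGrant"}


def create_scoped_grant(kms, key_id, grantee_arn, operations, context_subset=None, name=None):
    """Allow grantee_arn exactly `operations` on key_id. Grants can only allow, never deny,
    so keep the list minimal. context_subset limits the grant to requests whose
    EncryptionContext contains those pairs."""
    ops = sorted(set(operations))
    unknown = set(ops) - GRANT_OPERATIONS
    if unknown:
        raise ValueError(f"not grant operations: {sorted(unknown)}")
    params = {"KeyId": key_id, "GranteePrincipal": grantee_arn,
              "RetiringPrincipal": grantee_arn, "Operations": ops}
    if context_subset:
        params["Constraints"] = {"EncryptionContextSubset": dict(context_subset)}
    if name:
        params["Name"] = name  # with identical parameters, Name makes CreateGrant idempotent
    resp = kms.create_grant(**params)
    return resp["GrantId"], resp["GrantToken"]


def encrypt_with_fresh_grant(kms, key_id, grant_token, plaintext, context):
    """Grants are eventually consistent; passing the token makes a new grant usable at once."""
    return kms.encrypt(KeyId=key_id, Plaintext=plaintext, EncryptionContext=context,
                       GrantTokens=[grant_token])["CiphertextBlob"]


def list_all_grants(kms, key_id):
    """ListGrants is paginated: follow NextMarker until Truncated is false."""
    grants, marker = [], None
    while True:
        page = kms.list_grants(KeyId=key_id, **({"Marker": marker} if marker else {}))
        grants.extend(page["Grants"])
        if not page.get("Truncated"):
            return grants
        marker = page["NextMarker"]


def revoke(kms, key_id, grant_id):
    """RevokeGrant is the key administrator withdrawing access; RetireGrant is the grantee
    cleaning up after itself. Both remove the grant."""
    kms.revoke_grant(KeyId=key_id, GrantId=grant_id)


class FakeKms:
    """Assumed offline stand-in for boto3.client("kms") with the response shapes used above."""

    def __init__(self):
        self._grants = {}

    def create_grant(self, **p):
        gid, token = secrets.token_hex(16), secrets.token_urlsafe(32)
        self._grants[gid] = {"GrantId": gid, "KeyId": p["KeyId"], "Token": token,
                             "GranteePrincipal": p["GranteePrincipal"],
                             "Operations": p["Operations"], "Constraints": p.get("Constraints", {})}
        return {"GrantId": gid, "GrantToken": token}

    def encrypt(self, KeyId, Plaintext, EncryptionContext=None, GrantTokens=()):
        for g in self._grants.values():
            subset = g["Constraints"].get("EncryptionContextSubset", {})
            if (g["KeyId"] == KeyId and g["Token"] in GrantTokens and "Encrypt" in g["Operations"]
                    and subset.items() <= (EncryptionContext or {}).items()):
                return {"KeyId": KeyId, "CiphertextBlob": b"fake:" + Plaintext}
        raise PermissionError("AccessDeniedException: no grant allows Encrypt for this request")

    def list_grants(self, KeyId, Marker=None):
        page = [{k: v for k, v in g.items() if k != "Token"}
                for g in self._grants.values() if g["KeyId"] == KeyId]
        return {"Grants": page, "Truncated": False}

    def revoke_grant(self, KeyId, GrantId):
        self._grants.pop(GrantId)


if __name__ == "__main__":
    kms = FakeKms()  # swap for boto3.client("kms") to run against a real key
    role = "arn:aws:iam::111122223333:role/payroll-app"  # constructed sample principal
    gid, token = create_scoped_grant(kms, "alias/demo", role, ["Encrypt"], {"app": "payroll"})
    print(encrypt_with_fresh_grant(kms, "alias/demo", token, b"salary", {"app": "payroll", "tenant": "acme"}))
    print([g["Operations"] for g in list_all_grants(kms, "alias/demo")])
    revoke(kms, "alias/demo", gid)
```

The grant here allows Encrypt only and only when the request carries `app=payroll` in its encryption context; a Decrypt attempt, or an Encrypt with a different context, is not covered by it. That is the practical meaning of "grants can only allow": to block a principal that the key policy already admits, you change the key policy, not the grant.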

This is all about AWS KMS and how you can use it to create, control and delegate the use of your cryptographic keys. The key material itself never leaves the service; you use it through the KMS APIs, directly for small payloads and via data keys for everything else.
