2.1
Review and ensure that you have set up your development environment before going through the steps below.
The cornerstone of everything in this course is the AWS Key Management Service, or KMS. With KMS you create and manage encryption keys, known as customer master keys. AWS also provides some built-in AWS-managed keys for specific services, such as S3 and others.
A customer master key (CMK) lets you generate data keys, and with those data keys you encrypt the plaintext for any of the services, or any of the data used by those services, that KMS supports.
You can also define fine-grained access to keys using a key policy. You write this policy in JSON to specify which principals (users, groups, and roles) can use the key, administer the key, and manage the IAM permissions for the key.
The other capability you have is automatic rotation: you can check a box (or automate this as well) to request annual automatic rotation of a particular key or keys. AWS-managed keys are rotated automatically every three years as well.
For fine-grained access to the KMS service itself, you use the AWS Identity and Access Management (IAM) service.
For encryption, AWS has another service called AWS CloudHSM, a cloud-based hardware security module. It is single tenant and provides asymmetric encryption, which uses different keys for encryption and decryption (the same math, but with different keys). Both services are FIPS 140-2 compliant: KMS is validated at FIPS 140-2 Level 2, while CloudHSM is validated at Level 3.
- Go to the KMS Console.
- Click Customer managed keys and click the Create key button.
- Enter `ceoa-2a-key` as the Alias and a Description and click Next.
- Click Next on the Add tags page.
- On the Define key administrative permissions page, select a checkbox next to a user or users who can administer this key and click Next.
- On the Define key usage permissions page, select a checkbox next to a user or users who can use this key and click Next.
- On the Review and edit key policy page, review the JSON policy and click Finish.
- Make note of the ARN for the KMS key you created.
- Click on the KMS key you just created (`ceoa-2a-key`).
- Click the Key rotation tab.
- Select the Automatically rotate this CMK every year checkbox and click the Save button.
- Click on the `ceoa-2a-key` KMS key.
- Click on the Key actions button.
- Select Disable from the menu selection.
- When the window pops up, select the Confirm that you want to disable this key checkbox and then click on the Disable key button.
- Click on the `ceoa-2a-key` KMS key.
- Click on the Key actions button.
- Select Schedule key deletion from the menu selection.
- When the window pops up, enter `7` in the Waiting period (in days) text field.
- Select the Confirm that you want to delete this key in 7 days checkbox and then click on the Schedule deletion button.
- From the KMS Console, click on the AWS managed keys link.
- Review the managed keys provided by AWS. You cannot modify these keys and they automatically rotate every three years.
- From the KMS Console, click on the Custom key stores link.
- You can store your KMS customer master keys (CMKs) in a custom key store instead of the standard KMS key store (i.e. one not backed by the AWS KMS service itself). A hardware security module (HSM) is the way to manage these keys. AWS CloudHSM is a managed HSM on the AWS Cloud. It provides cost-effective hardware key management at cloud scale for sensitive and regulated workloads (e.g. those needing asymmetric encryption and single tenancy).
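The console steps above, replayed through the boto3 KMS API as an added example (this is not code from the course). The key policy keeps the "administer" and "use" permissions the wizard asks for in separate statements; the account id, principal ARNs and description are assumed placeholders, and `kms` is any object exposing the boto3 KMS client methods used here.

```python
import json


def build_key_policy(account_id, admin_arns, user_arns):
    """Key policy with separate 'administer' and 'use' statements. The first
    statement keeps the account root (and thus IAM policies) able to manage
    the key; without it the key can become unmanageable."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow administration of the key", "Effect": "Allow",
             "Principal": {"AWS": list(admin_arns)},
             "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                        "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                        "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                        "kms:CancelKeyDeletion"],
             "Resource": "*"},
            {"Sid": "Allow use of the key", "Effect": "Allow",
             "Principal": {"AWS": list(user_arns)},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*"},
        ],
    }


def create_lab_key(kms, account_id, admin_arns, user_arns, alias="ceoa-2a-key"):
    """Lab steps: create the CMK with the policy above, alias it, and turn on
    annual rotation. `kms` is a boto3 KMS client (or a double with the same methods)."""
    resp = kms.create_key(Description="ceoa lab 2.1 key (assumed placeholder)",
                          KeyUsage="ENCRYPT_DECRYPT",
                          Policy=json.dumps(build_key_policy(account_id, admin_arns, user_arns)))
    key_id = resp["KeyMetadata"]["KeyId"]
    kms.create_alias(AliasName=f"alias/{alias}", TargetKeyId=key_id)
    kms.enable_key_rotation(KeyId=key_id)
    return resp["KeyMetadata"]["Arn"]  # the ARN the lab tells you to note down


def retire_lab_key(kms, key_id, waiting_days=7):
    """Lab steps: disable the key, then schedule deletion. KMS only accepts a
    waiting period of 7 to 30 days, so reject anything else before calling."""
    if not 7 <= waiting_days <= 30:
        raise ValueError("PendingWindowInDays must be between 7 and 30")
    kms.disable_key(KeyId=key_id)
    resp = kms.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=waiting_days)
    return resp["DeletionDate"]
```

Against a real account, pass `boto3.client("kms")` as `kms` with credentials that are allowed to create keys; the deletion call is irreversible once the waiting period ends, so keep the 7-day window unless you have a reason to extend it.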