KMS Cheat Sheet

This cheat sheet is based on the AWS Certified Developer Associate walkthrough by Andrew Brown. Originally I wrote down the cheat sheet from his presentation. However, I thought maybe others might have a use for the same cheat sheet in a searchable format. I really encourage you to watch his walkthrough over at YouTube.

  • Key Management Service (KMS) - creates and manages encryption keys for a variety of AWS services or for your own apps
  • KMS can be used with CloudTrail to audit key access history
  • KMS can automatically rotate your keys every year; the old key material is retained, so existing data does not need to be re-encrypted
  • Customer master keys (CMKs) - are the primary resources in KMS
  • KMS is a multi-tenant HSM. Multi-tenant means you are sharing the hardware with multiple customers
  • Hardware Security Module (HSM) - specialized, tamper-proof hardware for storing your keys
  • KMS is up to FIPS 140-2 Level 2 compliant
  • KMS stores master keys (not data keys)
  • Master keys are used to encrypt data keys, and the data keys encrypt your data; this is called envelope encryption
  • KMS supports two types of keys: symmetric and asymmetric
  • Symmetric - a single 256-bit key is used for both encryption and decryption, e.g. AES-256 for S3 bucket objects
  • Asymmetric - uses a key pair, i.e. a public key and a private key
  • Important KMS APIs to remember:
      • aws kms create-key - creates a key
      • aws kms encrypt - encrypts plaintext (e.g. a data key) under a KMS key
      • aws kms decrypt - decrypts ciphertext (e.g. an encrypted data key)
      • aws kms re-encrypt - re-encrypts ciphertext under another key without exposing the plaintext to the caller
      • aws kms enable-key-rotation - turns on automatic key rotation (only for symmetric keys)
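To make envelope encryption, yearly rotation and the encrypt/decrypt/generate-data-key API shapes above concrete, here is an added Go model that is not from the cheat sheet, the course, or the AWS SDK. A stand-in type (ToyKMS) plays the role of the service: master key material never leaves it, each rotation appends new material while keeping the old, and ciphertext blobs record which key ID and version produced them (the blob layout and the key ID alias/app-master used in the tests are my own constructions, not the real KMS wire format). The application side only ever holds a data key, which it uses for the bulk AES-256-GCM encryption and then discards, storing the wrapped data key next to the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const nonceSize = 12 // standard AES-GCM nonce length

// ToyKMS stands in for the KMS service: master key material never leaves it.
// Every key ID and all key material in this example is constructed.
type ToyKMS struct {
	versions map[string][][]byte // key ID -> key material per rotation version
}

func NewToyKMS() *ToyKMS { return &ToyKMS{versions: map[string][][]byte{}} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys in this example are always 32 bytes
	aead, _ := cipher.NewGCM(block)
	return aead
}

// CreateKey mirrors `aws kms create-key`: a fresh 256-bit symmetric master key.
func (k *ToyKMS) CreateKey(keyID string) { k.versions[keyID] = [][]byte{randomBytes(32)} }

// RotateKey mirrors automatic rotation: new material is appended and the old kept,
// which is why existing ciphertext never has to be re-encrypted.
func (k *ToyKMS) RotateKey(keyID string) { k.versions[keyID] = append(k.versions[keyID], randomBytes(32)) }

// Encrypt mirrors `aws kms encrypt`. The blob records which key ID and version made
// it, so Decrypt needs no key ID. Layout: len(keyID) | keyID | version | nonce | ct+tag.
func (k *ToyKMS) Encrypt(keyID string, plaintext []byte) ([]byte, error) {
	mats, ok := k.versions[keyID]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	version := len(mats) - 1
	nonce := randomBytes(nonceSize)
	blob := append(append([]byte{byte(len(keyID))}, keyID...), byte(version))
	blob = append(blob, nonce...)
	return gcm(mats[version]).Seal(blob, nonce, plaintext, []byte(keyID)), nil
}

// Decrypt mirrors `aws kms decrypt`: returns the key ID used and the plaintext.
func (k *ToyKMS) Decrypt(blob []byte) (string, []byte, error) {
	if len(blob) == 0 || len(blob) < 2+int(blob[0])+nonceSize {
		return "", nil, errors.New("malformed blob")
	}
	n := int(blob[0])
	keyID, version := string(blob[1:1+n]), int(blob[1+n])
	mats, ok := k.versions[keyID]
	if !ok || version >= len(mats) {
		return "", nil, errors.New("unknown key id or version")
	}
	rest := blob[2+n:] // nonce | ciphertext+tag
	pt, err := gcm(mats[version]).Open(nil, rest[:nonceSize], rest[nonceSize:], []byte(keyID))
	return keyID, pt, err
}

// GenerateDataKey mirrors `aws kms generate-data-key`: the caller gets the plaintext
// data key (use it, then drop it) and the same key wrapped by the master key (store it).
func (k *ToyKMS) GenerateDataKey(keyID string) ([]byte, []byte, error) {
	dataKey := randomBytes(32)
	wrapped, err := k.Encrypt(keyID, dataKey)
	return dataKey, wrapped, err
}

// Envelope is what the application stores; KMS never sees the data itself.
type Envelope struct {
	EncryptedDataKey []byte // data key wrapped by the master key
	Ciphertext       []byte // nonce | AES-GCM ciphertext of the data under the data key
}

func EnvelopeEncrypt(k *ToyKMS, keyID string, data []byte) (Envelope, error) {
	dataKey, wrapped, err := k.GenerateDataKey(keyID)
	if err != nil {
		return Envelope{}, err
	}
	nonce := randomBytes(nonceSize)
	return Envelope{wrapped, gcm(dataKey).Seal(nonce, nonce, data, nil)}, nil
}

func EnvelopeDecrypt(k *ToyKMS, env Envelope) ([]byte, error) {
	_, dataKey, err := k.Decrypt(env.EncryptedDataKey) // the only KMS call on this path
	if err != nil {
		return nil, err
	}
	if len(env.Ciphertext) < nonceSize {
		return nil, errors.New("malformed ciphertext")
	}
	return gcm(dataKey).Open(nil, env.Ciphertext[:nonceSize], env.Ciphertext[nonceSize:], nil)
}
```

The point to take away is the shape of the calls, which matches the real service: a write path makes one generate-data-key call and does the bulk encryption locally, a read path makes one decrypt call on the wrapped data key, and after RotateKey an envelope produced earlier still decrypts because the old version of the master key material is kept, while anything newly encrypted is bound to the latest version. With real KMS the same flow is audited per call in CloudTrail, so each decrypt of a wrapped data key leaves a record.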

Credits

Andrew Brown from ExamPro