10 min.

Encryption and appropriate key management in AWS

Simplified overview of encryption and key management in AWS

Encryption and key management in AWS are essential practices for safeguarding sensitive information. These practices involve the use of cryptographic algorithms and keys to protect data both when it is stored (data at rest) and during its transmission (data in transit). The process converts plaintext into ciphertext using encryption algorithms such as AES, making the data unreadable to unauthorized parties.


There are two main types of encryption methods used: symmetric encryption, where the same key is used for both encryption and decryption, and asymmetric encryption, which employs a pair of keys (public and private) for these processes.


Central to AWS's approach to encryption and key management is the AWS Key Management Service (KMS). KMS enables customers to manage their encryption keys across various AWS services like Amazon S3, Elastic Block Store (EBS), and various databases. 


Key management practices in AWS prioritize security and compliance. This involves ensuring that keys are securely stored, only accessed by authorized users, and are rotated or replaced as necessary. Additionally, AWS offers the CloudHSM service, providing a hardware-based solution for generating and managing encryption keys, particularly useful for workloads requiring strict regulatory compliance.



Types of Encryption


In AWS several types of encryption are used to secure data, both at rest and in transit. Understanding these types is crucial for implementing effective data protection strategies in the cloud.


Encryption in Transit


Encryption in transit is focused on securing data while it is being transferred from one location to another. This is crucial for preventing data interception, eavesdropping, or manipulation during transmission



Encryption at Rest


Encryption at rest is about protecting data while it is stored on a disk or a storage medium. This type of encryption is vital for securing sensitive data against unauthorized access in case the storage medium is compromised or accessed by unauthorized individuals.



SSE-S3 (Server-Side Encryption with Amazon S3-Managed Keys)


This method involves Amazon S3 handling the encryption of objects using its own managed keys, providing an encryption solution that is fully managed by Amazon.



SSE-C (Server-Side Encryption with Customer-Provided Keys)


In this approach, customers supply their own encryption keys for encrypting objects in S3. This allows customers to maintain direct control over their encryption keys.



SSE-KMS (Server-Side Encryption with AWS KMS-Managed Keys)


This option utilizes the AWS Key Management Service to generate and handle the encryption keys used for encrypting objects in S3, offering an integrated solution with AWS’s key management capabilities.



Client-Side Encryption


Customers can opt to encrypt data on their own before uploading it to S3. Tools like the Amazon S3 Encryption Client can be used for this purpose, where the customer manages both the encryption process and the encryption keys. This ensures data is encrypted before it even leaves the customer’s environment.



AWS Key Management Service (KMS)


The key component of AWS KMS are keys are used for encrypting, decrypting, and re-encrypting data, as well as generating data keys for use outside AWS KMS. These keys contain important metadata and a reference to the key material used for cryptographic operations. 


AWS KMS ensures the security of the key material, which is generated in AWS's FIPS validated hardware security modules and cannot be exported, with the exception of the public key in asymmetric pairs.



Customer managed keys (CMKs)


Customer managed keys in AWS KMS are keys you create, own, and fully control in your AWS account. You can manage their policies, rotate them, add tags, and schedule deletions. These keys can be used in cryptographic operations and audited in AWS CloudTrail logs, with their usage and management integrated into various AWS services.



AWS manged keys


AWS managed keys are KMS keys created and maintained by AWS services on your behalf, ideal for situations where you don't need to control the encryption key. While you can view and audit these keys in your account and in AWS CloudTrail logs, you can't modify their properties, rotate them, or directly use them in cryptographic operations. 


These keys, identified by aliases like aws/service-name, are automatically rotated annually and incur no monthly fees, although usage beyond the free tier might be chargeable by some AWS services.



AWS owned keys


AWS owned keys are managed by AWS for use across multiple accounts, enabling AWS services to protect resources in your account without the keys being directly in your control. These keys, which are free and don't count against your AWS KMS quotas, are a convenient choice if you don't need to audit or control your resource's encryption key. You can't create or manage these keys or their policies.



Symmetric encryption


By default, creating an AWS KMS key gives you a symmetric encryption key, the most common type used in AWS KMS. This key, a 256-bit AES-GCM key (128-bit SM4 in China Regions), is used for both encryption and decryption processes and never leaves AWS KMS unencrypted. 


While AWS services integrated with AWS KMS only use symmetric keys, these keys offer functionalities like encryption, decryption, re-encryption, and generating data keys. You also have options to create multi-Region symmetric keys, import your own key material, and create keys in custom key stores.



Asymmetric encryption


In AWS KMS, you can create asymmetric KMS keys, which consist of a public key and a private key pair. The private key remains encrypted within AWS KMS and is accessible via AWS KMS API calls, while the public key can be used both within AWS KMS or downloaded for external use. These keys can be multi-Region and include RSA key pairs.





An HMAC KMS key in AWS KMS is a symmetric key used for generating and verifying hash-based message authentication codes (HMAC), with its key material always encrypted within AWS KMS. Can be multi-region.



Data keys


Data keys in AWS KMS are symmetric keys used for encrypting data and other keys, which unlike symmetric KMS keys, can be used outside of AWS KMS. AWS KMS generates a plaintext and an encrypted version of the data key; you use the plaintext key for encryption and store the encrypted key. 


AWS KMS can decrypt the stored key when needed, but doesn't manage or track these keys. To create or use data keys, operations like GenerateDataKey and Decrypt are used. While AWS KMS doesn't encrypt data directly with data keys, they can be used externally with tools like OpenSSL or the AWS Encryption SDK.



Data key pairs


Data key pairs in AWS KMS consist of a public and private key, mainly used for encryption, decryption, signing, and verification outside AWS KMS. Unlike other tools, AWS KMS encrypts the private key under a specified symmetric KMS key but does not manage or track these key pairs. 


To create a data key pair, use GenerateDataKeyPair (for immediate plaintext keys) or GenerateDataKeyPairWithoutPlaintext. Use the public key to encrypt data and the private key, decrypted via the Decrypt operation, for decryption, digital signatures, and message verification.




Use an alias as a simple, recognizable name for a KMS key, like 'my-key' instead of its complex ID. Aliases simplify KMS key identification in the AWS Management Console and can be used in various AWS KMS operations, including cryptographic ones. 


They allow for regional key differentiation in applications and enable access control based on aliases, supporting AWS KMS's attribute-based access control (ABAC) feature.



Custom key stores


A custom key store in AWS KMS is a resource using an external key manager, either an AWS CloudHSM cluster or a non-AWS key manager, which you own and manage. Cryptographic operations with a KMS key in a custom key store are performed directly in your key manager using its keys.



Envelope encryption


Envelope encryption involves encrypting data with a data key, then encrypting this key with another key. This process can be layered, but ultimately, a top-level root key in plaintext is required for decryption. In AWS KMS, root keys (KMS keys) are securely stored and managed in AWS's FIPS validated hardware security modules. 


Benefits of envelope encryption include secure storage of encrypted data keys, efficient re-encryption of large data using different keys without re-encrypting the data itself, and combining the advantages of both symmetric (fast, compact) and public key (role separation, easy management) algorithms.





AWS CloudHSM merges AWS cloud benefits with hardware security module (HSM) security, offering secure, FIPS 140-2 level-3 validated HSMs in the cloud with full user control. Features include single-tenant, general-purpose HSMs with flexibility in algorithms and key lengths, end-to-end encryption invisible to AWS, and complete control over key and algorithm management. 


AWS CloudHSM supports various cryptographic operations and provides SDKs for tailored application development. It's suitable for migrating cryptographic workloads from systems using standards like PKCS #11, JCE, CNG, or KSP with minimal changes needed.



AWS Certificate Manager


AWS Certificate Manager is related to encryption in transit, as it manages SSL/TLS certificates to ensure secure encryption of traffic. It simplifies the creation, storage, and renewal of SSL/TLS X.509 certificates for AWS websites and applications. It supports issuing certificates directly or importing third-party ones, covering single, multiple, wildcard, or combined domain names. 





AWS KMS concepts - AWS Key Management Service

AQs | AWS Key Management Service (KMS) | Amazon Web Services (AWS)

What is Cryptography? - Cryptography Explained - AWS

Customer data operations - AWS Key Management Service

SEC08-BP01 Implement secure key management - Security Pillar

SEC08-BP01 Implement secure key management - AWS Well-Architected Framework

SEC08-BP01 Implement secure key management - AWS Well-Architected Framework

Data protection in AWS Key Management Service - AWS Key Management Service

Resilience in AWS Key Management Service - AWS Key Management Service

What Is AWS Certificate Manager? - AWS Certificate Manager