Security of data and applications whether stored on-premises or in the cloud has always been a supreme issue of influence. To date AWS has provided it’s customers with services that help in securing and encrypting the data e.g., Amazon S3, Amazon Elastic Block Store(EBS) which is a server-side encryption service, Amazon Redshift, Amazon RDS for SQL and many more. All these services make use of the “master keys” that are created, stored and managed within the AWS.
Recently AWS launched a new and even more secure option for Key Management which will help in managing the keys for the applications and services running both in the cloud and on-premises.
Introduction to AWS Key Management
AWS Key Management Service is a fully managed service that helps you in providing a uniform, centralized control over your encryption keys. It makes use of the Hardware Security Modules (HSMs) to protect the security of your keys and empowers you to easily encrypt your data across your AWS infrastructure plus within your own applications by providing a highly available key storage facility, management where you can create, rotate, disable, define the usage and perform auditing solution to examine carefully the use of encryption keys used to encrypt your data.
AWS Key Management service provides:
- One click encryption
- Full control over your encryption keys
- A centralized place to manage keys
- Forced-key rotation policies
Key Management Service components:
There are three major components of AWS Key Management Service and they are:-
1. Create and Manage keys:
All the encrypted keys of your organization are stored and viewed in a single place thus easy to implement creation, rotation, usage policies and auditing.
2. Use Keys to encrypt your data:
AWS Key Management Service works with SDK for simple integration of encryption into your application. It integrates with AWS services like Amazon S3, Amazon EBS and Amazon Redshift.
3. Audit Key usage:
It provides all the audit trail information to CloudTrail that helps in meeting the regulatory and compliance requirement by providing logs that examines and verifies who used which keys, on which resource and when.
AWS Key Management Service provides high accessibility, low latency and a high level of persistence for your keys. Following are some benefits provided by AWS Key Management Service:
1. Centralized Key Management
It provides you with a uniform, centralized control over your encryption keys. You can easily create, rotate, disable, define the usage and enable logging either from AWS Management Console or by using API. The entire keys that are being used in the organization KMS provides a single view of them.
2. Integrated with AWS services
AWS Key Management Service (KMS) is unified with Amazon S3, Amazon EBS and Amazon Redshift so to simplify encryption of your data within those services. With these integration encryption and decryption are done automatically. You just have to choose the KMS master key with which you want to do the encryption or decryption.
3. Encryption for all your applications
AWS Key Management Service integrates with the SDK and the Command Line Interface. It provides a programmatic integration of your encryption and key management into your applications. Regardless of the storage of the data, KMS makes it easy to organize the encryption key used to encrypt data.
4. Built-in Auditing
AWS Key Management Service operates with AWS CloudTrail that supply you with logs of API calls made by or made to KMS which even helps developers in auditing. These logs helps you in examining and verifying who used which keys, on which resource and when.
5. Fully Managed
Accessibility, physical security and hardware maintenance of the infrastructure is managed by the AWS. Whereas AWS key management prime attention is on the encryption needs of your applications.
You just have to pay for the supplementary master key that you have created and for your key usage. Storage of the default keys in your account is charge free.
AWS Key Management provides you a secure location so that no one access to your master keys. It makes use of the hardened systems where your unencrypted keys are only used in the memory. Any update on the service is managed by a multi-level approval process that is examined, verified and evaluated by an independent group within Amazon.
AWS Key Management Use with the example:
In this example and usage we will
- Create a key in AWS KMS
- Use this key to encrypt a file in S3 bucket
- Modify access permission of this key
- Audit all activity related to this key
Here three IAM users are called which are named as
- Admin1- An Administration
- User1- A user of Financial Report
- User2- A compliance officer
Creating Keys Using AWS Key Management Service
Sign in to an AWS management console and click on IAM.
On the IAM dashboard you will see the encryption key at the bottom of the detail section
clicking on this option you will reach to AWS KMS console.
AWS KMS keys are region specific and can only be used in the region they are created. For this example we click on US West (Oregon).
Next click on create key to start the three step process of creating a master key
1. First step is to give a name to a master key called Allias. Allias is display name of the master key and is required field. Here we define
Allias name – “Financial_Report”
Description key option is also displayed with the name option. This key is used to give a meaningful description and what master key will be protecting. We define it as
Description key -Protected_Corporate_Financial_Data
We Click on Next Step.
2. Here in this step we define Key Administrators for the Financial_Reports master key we are creating.
After you click on next step a screen appears where you can define which IAM users are allowed to administer the new key by choosing one or more IAM users and/or roles. Users added here can edit, enable, disable and rotate the master key. They can also encrypt and decrypt data with the help of this master key. From this screen we select Admin1 and make him/her enable and click on next step option.
3. In this step we decide which users, roles and other AWS accounts are allowed to use the key to encrypt and decrypt data. Users, roles we select can use the Financial_Report key within their applications or within AWS KMS.
Here we select the option of User1.
If you want to allow another AWS account to be able to use this key then you can enter the account or Amazon resource name in the external accounts option.
To complete key creation process we click on Finish button. Once this master key is created we will use this Financial_Report key to protect the file that we have uploaded to Amazon S3.
Using Key with Amazon S3
1. Now once we are in Amazon S3 console our foremost step is to create a bucket and upload a Financial_Report document in the bucket and encrypt this document using Financial_Report key that you have created.
We will click on create bucket to get started and enter
Name – Finance.Reports.US.2014
Region – Oregon
Make sure that region you select should match the region you have created for master key. Now click on create bucket option.
2. Once bucket is created we have to upload this document. To do so we click on Action button and then click on upload.
Click on set details button to select the encryption option we want for this file. Two options will appear on the screen out of which first is default key option so we choose second key option.
When we choose second option a drop down list appears which will ask for your master key name. Once you write your master key name Financial_Report, all the other details like description, account, key ID will automatically get filled. After filling and checking all details click on Start Upload Button.
Modify and Audit all activity related to this key
Now let’s assume that compliance officer who is User2 also needs to use encrypted file to Audit and he needs access to the Financial_Report key to decrypt the file in that bucket. We can grant bucket access to him by using Amazon S3 console. This can be done by making few simple changes.
For this first go back to AWS KMS console. When screen appears click on Financial_Report key on this page under the key usage section click on ADD button and a list of users and roles appears click on User2 and then click on attach.
User2 will now have access to encrypt and decrypt files using the Financial_Report master key. When User2 no longer want access of the key you can come back to the same page and click on User2 and click on Remove.
AWS KMS master key can be disabled and enabled according to your own need. All the data that is protected with that key becomes inaccessible as long as the key is disabled thus removing your charge from the key. To do this we first go to the encryption page and select Financial_Reports option and then go to Key Action option and select disable and same way you can make it enable.