Using Amazon’s KMS | Key Management Service

Introduction | Installing and Configuring Amazon’s Key Management Service

These use cases are centred on Amazon’s Key Management Service (KMS). If you want a key store for sensitive data, configuration keys like database passwords, access keys to Amazon’s Simple Email Service or any other external and internal services, you should consider using KMS.

This blog covers automated access to AWS KMS using the AWS Java SDK as well as the AWS CLI (Command Line Interface).

HashiCorp Vault is an alternative to the AWS Key Management Service. Drop a comment if you want me to blog about the advantages, disadvantages and application scenarios in which one or the other is superior.

Storing the Encryption Keys, Encrypted Data and the Reference Value

Amazon’s KMS does not provide storage for the encrypted data, the wrapped encryption keys that protect it, or the reference names you use to look them up.

Implementing this yourself is more involved than one might imagine, mainly because enterprise applications will typically access KMS in many ways. These clients will typically include Java software, an Ansible provisioner, a Vagrant sandbox builder, Jenkins CI, Bash (and/or Go) scripts and maybe some Python thrown in for good measure.

If you are starting from scratch you may consider tools like CredStash.

How to Create an AWS KMS (Key Management Service) Master Key through the Console

Use these steps to create an AWS KMS (Key Management Service) master key. Even if you want to automate key creation using the AWS CLI or the AWS Java Software Development Kit API, it still pays to first create the master key by hand. This is how to do it.

  1. Go to IAM users section in the AWS Console.
  2. Click on “Encryption Keys” – the lowest item on the left hand menu.
  3. Enter an Alias Name, e.g. credit-card-data-encryption-master-key.
  4. Enter a Description, e.g. Wraps encryption keys for credit card details.
  5. Select the admin users (typically use the IAM automation user).
  6. Select the same admin users on the Define Key Usage Permissions screen.
  7. Preview the key policy and click Finish.
  8. The key is created and is enabled by default.

How to Delete a KMS (Key Management Service) Master Key through the Console

To delete an AWS KMS (Key Management Service) master key through the console you must first ask yourself this question.

How many slave keys are out there that regard the key you want to delete as their master? Why not grab a list to check?

After you delete a master key, every data key it wraps loses its master, and all the data encrypted under those data keys becomes undecryptable.

Master Key Deletion | 7 Days to Ponder

This undecryptable-data problem is so important that Amazon insists you stew on the issue for at least 7 days. You can schedule key deletion with a waiting period of anywhere between 7 and 30 days inclusive. You can use CloudWatch to ring a bell if a request is made against a key that is scheduled for deletion.

When You Should Delete Master Keys

If a master key is no longer in use, has been compromised or is at the end of a rotation cycle, you create another one and delete the original. After creating the new master key you should re-encrypt all the data whose encryption is effectively “counter-signed” by the grandfather master key. Only then can you discard the old master key.

To discard the master key:

  1. Go to IAM users section in the AWS Console.
  2. Click on “Encryption Keys” – the lowest item on the left hand menu.
  3. Select the key (or keys) to discard.
  4. On the “Key Actions” drop down choose Schedule Key Deletion.
  5. Enter a “Cooling Off” value between 7 and 30 days inclusive.
  6. You can cancel deletion if you realise that the master key is still in use.
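An added example (not the blog's or AWS's code) covering two points from this post: the store you must build yourself for the reference name, wrapped data key and ciphertext, and the check-then-re-encrypt step before a master key is scheduled for deletion. FakeKms is a constructed offline stand-in for boto3's kms client with the same call shapes and response keys, the keystream cipher is a toy, and the master key ids are placeholders.

```python
import hashlib, hmac, secrets

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream standing in for AES (offline demo only)."""
    stream, i = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class FakeKms:
    """Constructed offline stand-in for boto3.client("kms"); same call shapes and response keys."""
    def __init__(self, master_ids):  # placeholder ids, not real KMS key ids
        self.masters, self.pending = {k: secrets.token_bytes(32) for k in master_ids}, set()
    def _key(self, kid: str) -> bytes:
        if kid in self.pending:      # real KMS raises KMSInvalidStateException here
            raise RuntimeError(f"{kid} is pending deletion")
        return self.masters[kid]
    def generate_data_key(self, KeyId: str, KeySpec: str = "AES_256") -> dict:
        plain, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        blob = KeyId.encode() + b"|" + nonce + _xor_stream(self._key(KeyId), nonce, plain)
        return {"KeyId": KeyId, "Plaintext": plain, "CiphertextBlob": blob}
    def decrypt(self, CiphertextBlob: bytes) -> dict:
        kid, rest = CiphertextBlob.split(b"|", 1)
        return {"KeyId": kid.decode(), "Plaintext": _xor_stream(self._key(kid.decode()), rest[:16], rest[16:])}
    def schedule_key_deletion(self, KeyId: str, PendingWindowInDays: int = 30) -> dict:
        if not 7 <= PendingWindowInDays <= 30:  # KMS accepts only 7..30 days inclusive
            raise ValueError("PendingWindowInDays must be between 7 and 30 inclusive")
        self.pending.add(KeyId)
        return {"KeyId": KeyId, "PendingWindowInDays": PendingWindowInDays}

class EnvelopeStore:
    """Keeps what KMS does not: reference name, wrapped data key, ciphertext and master id."""
    def __init__(self, kms, master_key_id: str):
        self.kms, self.master_key_id, self.records = kms, master_key_id, {}
    def put(self, ref: str, plaintext: bytes) -> None:
        dk = self.kms.generate_data_key(KeyId=self.master_key_id, KeySpec="AES_256")
        nonce = secrets.token_bytes(16)
        self.records[ref] = {"master": dk["KeyId"], "wrapped_key": dk["CiphertextBlob"],
                             "nonce": nonce, "data": _xor_stream(dk["Plaintext"], nonce, plaintext)}
    def get(self, ref: str) -> bytes:
        r = self.records[ref]
        return _xor_stream(self.kms.decrypt(CiphertextBlob=r["wrapped_key"])["Plaintext"], r["nonce"], r["data"])
    def dependents(self, master_key_id: str) -> list:  # the list to check before scheduling deletion
        return sorted(ref for ref, r in self.records.items() if r["master"] == master_key_id)
    def rewrap(self, old_master: str, new_master: str) -> int:  # re-encrypt, then discard old master
        self.master_key_id = new_master
        refs = self.dependents(old_master)
        for ref in refs: self.put(ref, self.get(ref))
        return len(refs)
```

Against the real boto3 client the KeyId in responses is the key ARN, so pass the ARN to dependents() and rewrap().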
