Let's Talk AWS

Security

AWS Key Management Service Basics

Let's jump into the basic concepts around AWS Key Management Service

AWS Key Management Service Basics

By George Turner

Wed Oct 02 2024 · less than 4 min read

Join the Newsletter

Get the latest AWS news, tutorials, and resources delivered straight to your inbox every week.

Overview

AWS Key Management Service is an easy-to-use and secure service provided and managed by AWS which allows you to easily create cryptographic keys and run cryptographic operations. You can create symmetric and asymmetric keys, which you can use to encrypt and decrypt data or sign and verify messages.

Key Security

AWS takes full control of securing these keys by storing them within a FIPS-140-2 Hardware Security Module, and ensures they never leave this HSM unencrypted. Another part of this security is requiring all cryptographic operations with the root key to be run on the HSM via the AWS API instead of copying the key to, and running the operation within your systems.

Asymmetric vs Symmetric KMS Keys

When you create an asymmetric key in KMS both a private and a public key will be created, the private key will remain within KMS and the public can be downloaded for use outside of KMS. In order to run cryptographic operations using the private key you must make a request to KMS via the API whereas with the public key you can either make a request to KMS or you or your users can run the operations within your own systems.

On the other hand when creating a symmetric KMS key, only a private key will be generated which will remain within KMS. To run cryptographic operations with the symmetric key you will need to make an API request to KMS, alternatively you can make a request to KMS to generate a DataKey which you can then use to run cryptographic operations within your systems.

Encrypting and Decrypting with KMS

Encrypting and decrypting data via the KMS API is really simple, here are some examples of encrypting and decrypting a string using a symmetric KMS key via the KMS SDK.

package main

import (
	"fmt"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/kms"
)

func encrypt() (*[]byte, error) {
	keyAlias := "alias/example-key-alias"

	sess := session.Must(session.NewSessionWithOptions(session.Options{
		SharedConfigState: session.SharedConfigEnable,
	}))

	kmsSvc := kms.New(sess)

	result, err := kmsSvc.Encrypt(&kms.EncryptInput{
        // This can either be a KeyId or Alias
        // If you use the Alias, it should be prefixed with alias/
        // as we have done above
		KeyId:     aws.String(keyAlias),
		Plaintext: []byte("Hello World!"),
	})

	if err != nil {
		fmt.Println("Error", err)
		return nil, err
	}

	fmt.Println("Success", result)

	return &result.CiphertextBlob, nil
}

In this example we are decrypting the cipher text which was returned from the encryption operation, you may note we are not providing the KeyId or alias, this is because AWS encodes this information within the cipher text.

However if you wish to provide the KeyId or Alias you can do so, and it may be preferable in some circumstances where you want to ensure that the data was encrypted with a specific key.

package main

import (
	"fmt"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/kms"
)

func decrypt(encryptedString []byte) {
	sess := session.Must(session.NewSessionWithOptions(session.Options{
		SharedConfigState: session.SharedConfigEnable,
	}))

	kmsSvc := kms.New(sess)

	result, err := kmsSvc.Decrypt(&kms.DecryptInput{
		CiphertextBlob: []byte(encryptedString),
	})

	if err != nil {
		fmt.Println("Error", err)
		return
	}

	fmt.Println("Success", string(result.Plaintext))
}

Access Control

When it comes to controlling who can conduct operations with a specific KMS key, you can define a Key Policy or a Key Policy and IAM Policy.

If you wish to use IAM policies to control access then you must first provide the principal which will create the policies the right to do so.
Below we have provided an example policy which does exactly this, it also happens to be the default policy which AWS will assign to a key which
has been created via the AWS console without a custom policy.

Any permissions you wish to give via key policies must be explicitly allowed as all permissions are denied by default.

{
  "Version": "2012-10-17",
  "Id": "PolicyId",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${accountId}:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}

Conclusion

KMS is a great solution for bolstering the security of the data you hold without having to handle the security of your root cryptographic keys
and in some use cases without having to handle any of the cryptographic operations.

Previous Post

Amazon Simple Queue Service (SQS) Basics

Next Post

Static vs Dynamic Routes on AWS & Route Prioritisation