Table of Contents
Introduction
A Key Management Service (KMS) is used to create, manage, and control cryptographic keys across various platforms and applications. If you are an AWS user, you must have heard of or used its managed Key Management Service, AWS KMS. This service allows users to manage keys across AWS services and hosted applications in a secure way.
AWS KMS maintains keys in Hardware Security Modules (HSMs) and uses a concept called envelope encryption, in which encrypted data is stored locally within the AWS service or application along with the key. In this article, we'll take a look at the concept of envelope encryption, the key features of AWS KMS, its use cases, and alternatives to AWS KMS.
Did you know that MetricFire integrates with AWS? If you're looking for a secondary platform to visualize metrics when CloudWatch falls short, get on to the MetricFire free trial and try out the easy-to-use CloudWatch add-on.
Key Takeaways
- AWS Key Management Service (KMS) is a managed service that helps users create and manage cryptographic keys to secure data across AWS services and applications.
- CMK is the primary resource in AWS KMS, used to encrypt and decrypt data keys. AWS automatically creates some CMKs, while users can create their own.
- AWS KMS is a comprehensive solution for managing cryptographic keys, but alternative solutions like HashiCorp Vault offer additional features. Choosing the right solution depends on your specific enterprise requirements and scale, and continuous security monitoring is essential to maintain robust security.
- The article emphasizes the importance of continuous security monitoring practices using tools like Grafana to create custom dashboards reporting security metrics.
CMK: The Primary Resource in AWS KMS
The Customer Master Key is the logical representation of a master key used to encrypt and decrypt a secondary key, called a data key. Data keys are stored at the service end and will only be decrypted via the CMK when requested by a service or an application.
There are two types of CMKs: those created automatically by AWS when the first encrypted resource is created, and those created by the user. KMS will maintain the lifecycle and permissions of keys of the former category, while the user will only be able to track the usage of the keys (both categories).
Solving the Chicken and Egg Problem
Whether you are using or storing credit card details, passwords, encryption keys, or any other sensitive data, you should always consider security mechanisms. When you want to secure your data, one mechanism you can implement is encryption.
Encryption is usually based on a key. When this key is lost or compromised, the encrypted data will be lost as well. A good solution to secure your encryption key is to encrypt it. However, you may lose this second encryption key too. That is why it should be protected. You may think of encrypting the second key with a third key and the third key with another one, but this does not solve the problem of losing your key if it is not well protected.
A high-level encryption key, the highest key in the hierarchy that protects your data, also called a master key, should be stored and used securely.
This is when KMS solves the chicken-and-egg problem by enabling users to securely provide the secret that protects the other secrets. Creating and managing keys (symmetric and asymmetric) is the primary use case of AWS KMS.
These keys can be used across AWS services and are accessible via the AWS SDK in developer code (programmatically). It is also possible to import symmetric key material for use within AWS and its services. However, AWS does not yet support importing asymmetric keys.
Defining and managing Identity and Access Management (IAM) users and roles is another important use case of KMS. AWS enables defining privileges for each user and role for managing keys.
AWS makes key rotation very convenient by automating it annually and not requiring users to re-save each of their resources. Old keys will still be available until they are manually deleted. It is also possible to disable and re-enable keys and delete them.
Features of AWS KMS
Centralized Key Management (CKM)
CKM is a central hub for managing the keys for all AWS services and applications. Keys can be created within KMS, imported from your own Key Management infrastructure, or used from your CloudHSM cluster.
Almost all of the use cases mentioned above are managed via CKM. This service enables users to create symmetric and asymmetric keys. While symmetric keys use a single key for both encryption and decryption, asymmetric keys use a pair of keys—one private and one public.
AWS also allows users to create their own Custom Key Stores. However, this is not recommended for all users, as the user becomes responsible for the availability and security of the key store.
Integration across AWS Services
One of the most essential benefits of AWS KMS is that multiple keys used across AWS services can be managed from a single central dashboard. You may need to store and supply sensitive data when working with other AWS services, such as Alexa, DynamoDB, or Elastic Kubernetes Service. Since KMS is already integrated with other AWS services, it is easily accessible from these services. The AWS KMS documentation lists close to 60 services that support KMS across most regions.
When any of these services require decrypting data, they request that KMS decrypt the data key, which is stored locally. If the required permissions are available, KMS will return the decrypted data key that can then be used to decrypt the data (the process of envelope encryption).
High Availability and Scalability
AWS KMS does not allow sending out decrypted keys for security reasons. So services and applications must make frequent requests to decrypt their data keys. As such, AWS backs its KMS service with 99.999999999% availability and redundant storage. This ensures that services can access the KMS at all times. KMS APIs are region-based to ensure high availability and minimum latency.
AWS supports thousands of CMKs per account in order to ensure scalability. If the default limits are insufficient, then AWS provides special quotas at higher rates.
Security
AWS follows strict protocols to ensure the security of keys. For instance, the plain-text values of keys are never written to disk and are used only in volatile memory when required for cryptographic operations. Keys are stored in Hardware Security Modules (HSMs) and are not available even to AWS employees. They are also region-specific for additional security.
Another important security measure offered by AWS KMS is called envelope encryption. In this method, data is never transmitted to KMS for encryption or decryption. Instead, it is encrypted within the AWS service or application itself and stored alongside the data key used to encrypt it.
Data keys are encrypted via the Custom Master Key (CMK) within KMS. This improves security and also reduces the time spent transmitting data. When resources need to be decrypted, the service requests a KMS-issued decrypted data key to proceed.
Audit CapabilitiesAuditing is an additional security feature that can be useful for tracking any changes that have happened within KMS. This feature is available only when AWS CloudTrail is enabled.
Each request to the KMS is recorded in a log file, including the user responsible, date and time, action, and key used. Users can transfer this information to an S3 bucket of their choice.
Compliance
AWS KMS quality controls have been certified by different compliance organizations in multiple regions. It complies with standards such as PCI-DSS, HIPAA, and AWS's own SOC certifications.
At MetricFire, we recommend all users manage and store secrets using the right, compliant tools. In one of our recent blog posts, we talked about using Kubernetes secrets to store sensitive information. KMS can add a layer of security to Kubernetes secret management: In other words, the local key used to encrypt your secrets is itself encrypted with another key not stored in your Kubernetes cluster.
Alternatives to AWS KMS
If you need to have a KMS service in your infrastructure, AWS offers a managed solution; it may have its advantages, but there are other alternatives. Many of these alternatives are also managed cloud-based services.
HashiCorp, for instance, provides Vault, a flexible service for managing secrets and protecting sensitive data. It works best with Consul. Even if it has a different scope, it can be a replacement for AWS KMS. If you are looking for an open-source solution to store your data securely, Vault can be a good choice. You can deploy it to any environment, and it does not require any special hardware. HashiCorp also offers a paid enterprise edition in addition to the free, open-source offering.
Alternatives like Hashicorp Vault work best with multi-cloud secrets management. However, if your workloads run on a given cloud provider, it is recommended to use that provider's KMS.
Other open-source tools, such as Ansible, use a vault system (Ansible Vault). You may store and manage encrypted data using Ansible Vault; however, since your encrypted data is often stored in your playbooks and in a version control system, this approach may be risky. So, tools like Ansible Vault can not really be considered as a replacement for KMS. However, Ansible and other tools such as HashiCorp Vault and AWS KMS can work together effectively to achieve higher security levels.
Major cloud providers like Azure, Google, or Alibaba offer this managed service to their customers. Azure provides Azure Key Vault service, a scalable and globally redundant service. Google provides Google Cloud KMS, a fast and highly available KMS. If your IT runs on Oracle infrastructure, you may use Oracle Cloud Infrastructure Key Management. If you are using another provider, such as Alibaba Cloud, Alibaba Cloud Key Management Service should be a good solution for you.
Conclusion
AWS KMS is a comprehensive solution to manage cryptographic keys used across not only AWS services but also external applications. Many of the alternatives mentioned above offer a similar feature set. You may find this service attractive if you already use AWS to run your workloads, but alternatives such as HashiCorp Vault may offer additional features. Choosing the right solution depends on your needs and the scale of your enterprise.
Usually, monitoring involves discussions about performance and workloads. However, it has a broader scope and includes other disciplines, such as security. Using tools like AWS KMS and Hashicorp Vault will certainly make your production system more secure. However, with recurring updates to your codebase, implementing new features will certainly impact security.
At MetricFire, we believe security should be strengthened through continuous monitoring. You can create your own exporter to report security logs based on tasks like Docker security scanning, used ports, and network traffic.
Sign up for a MetricFire free trial or book a demo to talk with us directly about monitoring security metrics, or about how to implement great monitoring across the board.
