Table of Contents
A Key Management Service (KMS) is used to create and manage cryptographic keys and control their usage across various platforms and applications. If you are an AWS user, you must have heard of or used its managed Key Management Service called AWS KMS. This service allows users to manage keys across AWS services and hosted applications in a secure way.
AWS KMS maintains keys in Hardware Security Modules (HSMs) and uses a concept called envelope encryption where encrypted data is stored locally in the AWS service or application along with the key. In this article, we'll take a look at the concept of envelope encryption, as well as the key features of AWS KMS, its use cases, and alternatives to AWS KMS.
Did you know that MetricFire integrates with AWS? If you're looking for a secondary platform to visualize metrics when CloudWatch falls short, get on to the MetricFire free trial and try out the easy-to-use CloudWatch add-on.
CMK: The Primary Resource in AWS KMS
The Customer Master Key is the logical representation of a master key used to encrypt and decrypt a secondary key, called a data key. Data keys are stored at the service end and will only be decrypted via the CMK when requested by a service or an application.
Two types of CMKs exist, the first type being those created automatically by AWS when the first encrypted resource is created, and the other being those created by the user. KMS will maintain the lifecycle and permissions of keys of the former category while the user will only be able to track the usage of the keys (both categories).
Solving the Chicken and Egg Problem
Whether you are using and storing credit card details, passwords, encryption keys or any type of sensitive data, you should always think about security mechanisms. When you want to secure your data, one of the mechanisms that you can implement is encryption.
Encryption is usually based on a key. When this key is lost or hacked, the encrypted data will be also lost. A good solution to secure your encryption key is encrypting it. However, you may lose this second encryption key too. That is why it should be protected. You may think of encrypting the second key with a third key and the third key with another one, but this is not solving the problem of losing your key if it is not well protected.
A high level encryption key, which is the highest key in the hierarchy that protects your data, also called a master key, should be stored and used in a secure way.
This is when KMS solves the chicken and egg problem by enabling users to securely supply the secret that protects the other secrets. Creating and managing keys (symmetric and asymmetric) is the primary use case of AWS KMS.
These keys can be used across AWS services and they're also accessible using the AWS SDK to be used within the developer code (programmatically). It is also possible to import symmetric key material to be used within AWS and its services. However, AWS does not support importing asymmetric keys yet.
Defining and managing Identity and Access Management (IAM) users and roles is another important use case of KMS. AWS facilitates defining privileges applicable to each of these users and roles with regards to managing keys.
AWS makes rotating keys very convenient by automating it on an annual basis and not requiring users to re-save each of their resources. Old keys will still be available until they are manually deleted. It is also possible to disable and re-enable keys, and delete them.
Features of AWS KMS
Centralized Key Management (CKM)
CKM is a central point where the keys related to all AWS services and applications can be managed conveniently. Keys can be created within KMS, imported from your own Key Management infrastructure, or be used from your CloudHSM cluster.
Almost all of the use cases mentioned above are managed via CKM. This service enables users to create symmetric and asymmetric keys. While symmetric keys use a single key for both encryption and decryption, asymmetric keys use a pair of keys - one is private and the other one is public.
AWS also allows users to create their own Custom Key Stores. However, this is not recommended for all users as the user becomes responsible for the availability and security of the key store.
Integration across AWS Services
One of the most important benefits of AWS KMS is that multiple keys being used across AWS services can be managed in one central dashboard. You may need to store and supply sensitive data when working with other AWS services like Alexa, DynamoDB or Elastic Kubernetes Service. Since KMS is already integrated with other AWS services, it is easily accessible from these services. The AWS KMS documentation lists close to 60 services that support KMS across most regions.
When any of these services require decrypting data, they request KMS to decrypt the data key, which is saved locally. If the required permissions are available, KMS will return the decrypted data key that can then be used to decrypt the data (the process of envelope encryption).
High Availability and Scalability
AWS KMS does not allow sending out decrypted keys for security reasons. So services and applications are required to make frequent requests to decrypt their data keys. As such, AWS backs its KMS service with 99.999999999% availability and redundant storage. This ensures that services are able to access the KMS at all times. KMS APIs are region-based to ensure high availability and minimum latency.
AWS supports thousands of CMKs per account in order to ensure scalability. If the default limits are insufficient, then AWS provides special quotas at higher rates.
AWS follows strict protocols to ensure the security of keys. The plain text values of keys, for instance, are never written to disk and are only used in volatile memory when they are required for cryptographic operations. Keys are stored in Hardware Security Modules (HSMs) and are not available even to AWS employees. They are also region-specific for additional security.
Another important security measure offered by AWS KMS is called envelope encryption. In this method, data is never transmitted to KMS for encryption or decryption. Instead, it is encrypted in the AWS service or application itself and saved along with the data key used to encrypt it.
Data keys are encrypted via the Custom Master Key (CMK) within KMS. This improves security and also reduces the time spent to transmit data. When resources need to be decrypted, the service requests KMS for the decrypted data key in order to proceed.
Audit CapabilitiesAuditing is an additional security feature that can be useful to track any changes that have happened within KMS. This feature is available only when AWS CloudTrail is enabled.
Each request made to the KMS is recorded in a log file along with information like the user responsible, date and time, the action, and the key used. Users can transfer this information to an S3 bucket of their choice.
AWS KMS quality controls have been certified by different compliance organizations in multiple regions. It complies with standards such as PCI-DSS, HIPAA, and AWS's own SOC certifications.
At MetricFire, we recommend all users to manage and store secrets using the right, compliant tools. In one of our recent blog posts, we talked about using Kubernetes secrets to store sensitive information. KMS can add an additional layer of security to Kubernetes secret management: In other words, the local key used to encrypt your secrets is itself encrypted with another key not stored in your Kubernetes cluster.
Alternatives to AWS KMS
If you need to have a KMS service in your infrastructure, AWS offers a managed solution, it may have its advantages, but there are other alternatives. Many of these alternatives are also managed cloud-based services.
Hashicorp, for instance, provides Vault, a flexible service to manage secrets and protect sensitive data. It works best with Consul. Even if it has a different scope, it can be a replacement for AWS KMS. If you are looking for an open-source solution to store your data securely, Vault can be a good choice. You can deploy it to any environment, and it does not require any special hardware. Hashicorp also has a paid enterprise edition besides the free and open-source offer.
Alternatives like Hashicorp Vault work best with multi-cloud secrets management. However, if your workloads run on a given cloud provider, it is recommended to use the KMS of the same provider.
Other open-source tools such as Ansible use a vault system (Ansible Vault), you may store and manage encrypted data using Ansible Vault, however since your encrypted data is usually stored in your playbooks then in a version control system, it may be risky. So, tools like Ansible Vault can not be really considered as a replacement for KMS. However, Ansible and other tools like Hashicorp Vault and AWS KMS can work together perfectly to achieve better security levels.
Major cloud providers like Azure, Google, or Alibaba offer this managed service to their customers. Azure provides Azure Key Vault service, a scalable and globally redundant service. Google provides Google Cloud KMS, a fast and highly available KMS. If your IT runs on top of an oracle infrastructure, you may use Oracle Cloud Infrastructure Key Management. In case you are using another provider like Alibaba Cloud, Alibaba Cloud Key Management Service should be a good solution for you.
AWS KMS is a comprehensive solution to manage cryptographic keys used across not only AWS services but also external applications. Many of the alternatives mentioned above offer a similar feature set. You may find this service attractive if you already use AWS to run your workloads, but other alternatives like Hashicorp Vault may offer additional features. Choosing the right solution depends on your needs and your enterprise scale.
Usually, monitoring involves discussions about performance and workloads. However, it has a larger scope and includes other disciplines like security. Using tools like AWS KMS and Hashicorp Vault will certainly make your production system more secure. However, with the recurring updates in your codebase, while implementing new features, security will certainly be impacted.
At MetricFire, we believe security should be strengthened by continuous security monitoring practices. Tools like Prometheus and Grafana are a good combination to create custom dashboards reporting security metrics in a continuous way. You can create your own exporter to report security logs based on tasks like Docker security scanning, used ports, and network traffic.