Key Management Service, or KMS, is a way to manage and protect your encryption keys in AWS. It achieves this by encrypting your encryption key with a master key. This process is known as enveloping. KMS then stores that master key in a different location from the data involved. An additional layer of security is provided by using IAM policies to control access to KMS for key management and creation.
PART 1: Using KMS with S3
KMS encryption can be set on a bucket, folder, or file. For this example, we will use a file.
Log into S3 and choose a file to upload:
Click Next ( We can leave permissions as is for this walkthrough):
Click Next again:
Here are the options for Encryption in S3. Using “Amazon S3 master-key” stores the encryption key with the data and the key is not enveloped. Using “AWS KMS master-key” is much more secure and is just as easy to set up. Click “AWS KMS master-key”:
Here are a couple of options in the drop-down to select a key. All keys prefaced with AWS are default keys that AWS creates when you turn on KMS encryption. For now, this will be fine. Select AWS S3 and click next:
There is now a file in the S3 bucket:
Click on the filename to show all the properties of the file:
Listed here are the properties of the file including the encryption settings. Server-side encryption is set to AWS-KMS and also listed is the ARN of the KMS key used for the encryption.
NOTE: If a complete bucket needs encryption, the process is the same, just choose the bucket and configure the same settings under “Default Encryption.”
PART 2: THE KMS CONSOLE
Click on IAM from the main dashboard:
Click Encryption Keys in the menu on the left:
This is a list of Customer Master Keys (CMKs) in an account. Here is where the creation of keys can be confirmed. Also, custom keys can be created. The AWS S3 key that was just created is listed. NOTE: The keys in KMS are region-specific. Make sure the correct region is showing below “key actions.”
Click Create Key:
Here a key alias is required. Notice under Advanced Options, there is an option for importing “External” keys. This is good for application migrations from on-prem to AWS that already have data encrypted with keys. We will use KMS.
Provide an Alias and Description, then click Next Step:
We can skip tags for now. Click Next Step:
Here Permissions can be assigned for key management. These are IAM policies for users, roles (not groups), and are assigned PER KEY for custom keys which gives very granular control over management. Notice, there is a separate checkbox to allow deletion of a key. This is an additional permission if needed.
Click Next Step:
This screen is very similar to the last, but this one involves key usage permissions. For custom keys, usage permissions should be decided ahead of time. Notice there are no groups listed. These must be assigned individually to users or roles.
Click Next Step:
Here is the JSON output of the key policy.
The custom key is listed and can be used anywhere a KMS key can be assigned. Notice the difference in the icon for custom keys.
AWS Key Management Service is the most secure way to implement server-side encryption in an AWS environment. It uses enveloping to encrypt the original key with a master key; This master key is then stored in KMS where IAM policies can be applied to both key management and key usage. AWS has implemented this service so it requires very little extra effort compared to regular server-side encryption and should be used whenever it is available. It currently integrates with 43 services in AWS.
Sources / Resources