
AWS Key Management Service (KMS) & Data Encryption Guide

Use encryption keys to encrypt or decrypt data (for example, AWS Key Management Service [AWS KMS])

AWS Key Management Service (KMS) & Data Encryption

This guide covers the fundamental and advanced concepts of using AWS KMS to encrypt and decrypt data, focusing on the mechanisms required for the AWS Certified Data Engineer - Associate (DEA-C01) exam.

Learning Objectives

After studying this guide, you should be able to:

  • Explain the mechanism of Envelope Encryption and why it is used for large datasets.
  • Distinguish between AWS-managed keys and Customer-managed keys.
  • Implement server-side and client-side encryption strategies for Amazon S3 and Amazon EBS.
  • Configure Key Rotation and understand its limitations for imported key material.
  • Audit key usage using AWS CloudTrail.

Key Terms & Glossary

  • KMS Key (formerly CMK): A logical representation of an encryption key, including metadata (ID, creation date, policy) and the key material used to encrypt/decrypt.
  • Data Key (DEK): An encryption key generated by KMS to encrypt data locally within an application or service. It is not stored in KMS.
  • Envelope Encryption: The practice of encrypting plaintext data with a data key, and then encrypting the data key with a KMS key.
  • HSM (Hardware Security Module): Secure hardware devices where KMS stores and protects key material.
  • Key Policy: A resource-based policy attached to a KMS key that defines who can use and manage the key.

The "Big Idea"

In a distributed cloud environment, managing individual keys for every file or database record is computationally expensive and a security nightmare. AWS KMS solves this through a centralized trust model. By using a master key (KMS Key) to protect many smaller keys (Data Keys), AWS allows for high-performance, localized encryption while maintaining centralized control and a rigorous audit trail of who accessed the master "vault."

Formula / Concept Box

Concept                   | Rule / Constraint
------------------------- | ----------------------------------------------------------------------------
Direct Encryption Limit   | KMS can only directly encrypt/decrypt up to 4 KB of data.
Symmetric Key Algorithm   | AWS KMS uses AES-GCM (Advanced Encryption Standard in Galois/Counter Mode).
AWS-Managed Rotation      | Automatically happens every 1 year (365 days); cannot be customized.
Customer-Managed Rotation | Can be enabled/disabled; occurs every 1 year by default.
CMK Limit                 | Default limit of 10,000 keys per AWS account per region.

Hierarchical Outline

  1. AWS KMS Fundamentals
    • Managed Service: Centralized key creation, rotation, and lifecycle management.
    • Security: Integrated with FIPS 140-2 Level 2 (or 3) validated HSMs.
  2. Encryption Strategies
    • Server-Side Encryption (SSE): Handled by the AWS service (S3, RDS, EBS).
    • Client-Side Encryption: Handled by the user before data is sent to AWS.
  3. Envelope Encryption Workflow
    • KMS Key protects the Data Key.
    • Data Key protects the Data.
  4. Operational Management
    • Key Policies: Define administrative vs. usage permissions.
    • Grants: Temporary or granular permissions for services.
    • Auditing: Every API call (GenerateDataKey, Decrypt) is logged in CloudTrail.

Visual Anchors

The Envelope Encryption Process (diagram not included in this text)

Hierarchical Key Structure

\begin{tikzpicture}[node distance=1.5cm,
    every node/.style={draw, thick, rounded corners, fill=blue!10, text width=3cm, align=center}]
  \node (kms) {KMS Key \\ (Master Key)};
  \node (dek) [below of=kms] {Data Key \\ (Encrypted by Master)};
  \node (data) [below of=dek] {Data Object \\ (Encrypted by Data Key)};
  \draw[->, >=stealth, thick] (kms) -- (dek) node[midway, right, draw=none, fill=none] {\small Protects};
  \draw[->, >=stealth, thick] (dek) -- (data) node[midway, right, draw=none, fill=none] {\small Protects};
\end{tikzpicture}
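The workflow these two figures describe, as an added example that is not part of the original guide (Go, standard library only): a local stand-in for a symmetric KMS key that enforces the 4 KB direct-encryption limit, an envelope encrypt that generates a data key and sends only that 32-byte key to the stand-in, and local AES-256-GCM over arbitrarily large data. The function names, the in-process master key and the nonce-prefixed ciphertext layout are assumptions of this example; in the real service the master material never leaves the KMS HSMs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMSDirectLimit: kms:Encrypt accepts at most 4 KB, so bulk data must go through a data key.
const KMSDirectLimit = 4096
// gcmSeal encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
func gcmSeal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // 32-byte keys are always valid here
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return aead.Seal(nonce, nonce, plaintext, nil)
}
// gcmOpen reverses gcmSeal; a wrong key or any modified byte fails the GCM tag check.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}
// KMSEncrypt mimics kms:Encrypt under the key's master material (which in real KMS never
// leaves the HSM), including the 4 KB cap. Constructed for this example, not the AWS API.
func KMSEncrypt(master, plaintext []byte) ([]byte, error) {
	if len(plaintext) > KMSDirectLimit {
		return nil, fmt.Errorf("kms: %d bytes exceeds %d-byte limit", len(plaintext), KMSDirectLimit)
	}
	return gcmSeal(master, plaintext), nil
}
// EnvelopeEncrypt mimics kms:GenerateDataKey, encrypts locally with the plaintext DEK and drops
// it: KMS only ever sees the 32-byte DEK. It returns the wrapped DEK and the data ciphertext.
func EnvelopeEncrypt(master, data []byte) (wrapped, ciphertext []byte, err error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	if wrapped, err = KMSEncrypt(master, dek); err != nil {
		return nil, nil, err
	}
	return wrapped, gcmSeal(dek, data), nil
}
// EnvelopeDecrypt mimics kms:Decrypt on the wrapped DEK (one small call), then decrypts locally.
func EnvelopeDecrypt(master, wrapped, ciphertext []byte) ([]byte, error) {
	dek, err := gcmOpen(master, wrapped)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, ciphertext)
}
```

Only the wrapped DEK and the data ciphertext are stored; losing access to the master key (for example by deleting the KMS key) leaves the wrapped DEK, and with it the data, permanently unreadable.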

Definition-Example Pairs

  • SSE-S3 (S3-Managed Keys): AWS handles everything. You don't manage the keys, and rotation is automatic.
    • Example: Uploading a generic log file where you only need "encryption at rest" ticked off as a checkbox requirement.
  • SSE-KMS (KMS-Managed Keys): You manage the key in KMS, but S3 handles the encryption process.
    • Example: A financial database where you must be able to audit exactly which user decrypted which specific report via CloudTrail.
  • SSE-C (Customer-Provided Keys): You manage the key material; AWS only uses it to perform the encryption/decryption, then discards it from memory.
    • Example: A highly regulated entity that refuses to store encryption keys on any cloud provider's hardware.

Worked Examples

Scenario: Encrypting an existing Unencrypted EBS Volume

Important: You cannot directly encrypt an existing unencrypted EBS volume. You must use the "Snapshot Dance."

Step-by-Step Procedure:

  1. Create Snapshot: Take a snapshot of the unencrypted volume while it is detached or the instance is stopped.
  2. Copy Snapshot: Use the CopySnapshot API or Console action. During the copy, select the Encrypt checkbox and choose your KMS Key.
  3. Create Volume: Create a new EBS volume from the newly created encrypted snapshot.
  4. Attach: Swap the old unencrypted volume with the new encrypted volume.

Checkpoint Questions

  1. What is the maximum size of data that can be sent directly to the Encrypt API in KMS?
  2. If you delete a KMS key, can you recover data encrypted with its data keys?
  3. True or False: Automatic rotation is supported for keys imported into KMS from your own data center.
  4. Which AWS service is used to audit who used a KMS key to decrypt a specific S3 object?
Answers
  1. 4 KB.
  2. No. Deleting a KMS key is irreversible (after the 7-30 day waiting period). The data becomes permanently unreadable.
  3. False. Automatic rotation is not supported for imported keys.
  4. AWS CloudTrail.

Comparison Tables

S3 Encryption Options

Feature        | SSE-S3    | SSE-KMS          | SSE-C    | Client-Side
-------------- | --------- | ---------------- | -------- | -----------
Key Managed By | AWS (S3)  | AWS (KMS)        | Customer | Customer
Audit Trail    | No        | Yes (CloudTrail) | No       | No
Rotation       | Automatic | Custom/Auto      | Manual   | Manual
Complexity     | Low       | Medium           | High     | High

Muddy Points & Cross-Refs

  • Key Rotation vs. Re-encryption: When a KMS key rotates, KMS does not re-encrypt old data. It keeps the old backing key to decrypt old data and uses the new backing key only for new encryption requests.
  • Regionality: KMS keys are regional. To use an encrypted snapshot in a different region, you must first copy the snapshot to that region and re-encrypt it using a KMS key local to that destination region.
  • S3 Bucket Keys: For high-volume S3 workloads, enabling "S3 Bucket Keys" reduces costs by caching the data key at the bucket level, minimizing the number of expensive API calls to KMS.
