AWS Security Operations: Key Rotation & Certificate Management
Rotating encryption keys and renewing certificates
This guide focuses on the critical security tasks of rotating encryption keys and renewing SSL/TLS certificates within the AWS ecosystem, specifically covering AWS Key Management Service (KMS), IAM Access Keys, and AWS Certificate Manager (ACM).
Learning Objectives
- Distinguish between automatic and manual rotation for AWS-managed and customer-managed KMS keys.
- Implement a secure lifecycle for IAM Access Keys to minimize compromise risk.
- Explain how AWS Certificate Manager (ACM) handles the automated renewal of SSL/TLS certificates.
- Understand the limitations of rotating imported key material versus AWS-generated material.
Key Terms & Glossary
- KMS Key (formerly CMK): A logical representation of a master key used to generate, encrypt, and decrypt data keys.
- Envelope Encryption: The practice of encrypting data with a data key, and then encrypting the data key under another key (the KMS key).
- Data Key: An encryption key generated by KMS used to encrypt large amounts of data locally within an application or service.
- Access Key ID & Secret Access Key: Long-term credentials for an IAM user, used to sign programmatic requests made through the AWS CLI or the AWS APIs.
- CA (Certificate Authority): A trusted entity that issues digital certificates (e.g., ACM serves as a CA or manages public ones).
The "Big Idea"
In cloud security, rotation is about reducing the "blast radius." If a key is compromised, its utility to an attacker is limited to the time window before it is rotated. By regularly changing keys and certificates, you ensure that even a silent breach has an expiration date, maintaining the integrity of the data over the long term.
Formula / Concept Box
| Feature | AWS-Managed KMS Key | Customer-Managed KMS Key | Imported Key Material |
|---|---|---|---|
| Rotation Frequency | Automatic (1 year) | Optional Automatic (1 year) | Manual Only |
| User Controllable | No | Yes | Yes (Manual) |
| Deletion/Revocation | No | Yes | Yes |
| Best Use Case | Default service security | Regulatory compliance | Local HSM requirements |
Hierarchical Outline
- I. AWS KMS Key Rotation
- AWS-Managed Keys: Created by AWS services; rotated automatically every 365 days; rotation cannot be disabled.
- Customer-Managed Keys:
- Automatic: Can be enabled; rotates every year; keeps old backing keys to decrypt older data.
- Manual: Create a new key and update application code to point to the new Key ARN.
- Imported Material: AWS cannot rotate keys you provide; you must manually track expiration and re-import.
- II. IAM Access Key Rotation
- Lifecycle: Best practice suggests rotation every 90 days (though some strict environments use 30).
- Procedure: 1. Create New -> 2. Update Apps -> 3. Deactivate Old -> 4. Delete Old.
- III. Certificate Management (ACM)
- Renewal: Fully automated for public certificates validated via DNS or Email if used with ALB, CloudFront, or API Gateway.
- Limitations: ACM cannot automatically renew certificates installed directly on EC2 instances (as it lacks access to the server's file system).
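The KMS part of the outline boils down to a decision per key: AWS-managed keys rotate on their own, customer-managed keys with AWS-generated material can have automatic rotation switched on, and imported material can only be rotated by hand. The following Python is an added example (not AWS code and not from the page's author) that turns that decision into an audit over constructed inventory records. The field names KeyManager, Origin, KeyState and KeyRotationEnabled mirror what kms:DescribeKey and kms:GetKeyRotationStatus return; the key IDs and values are made up, and no AWS call is made.

```python
"""Classify KMS keys by how they can be rotated, from DescribeKey-style metadata.

Added example with constructed input, not AWS code; it makes no AWS calls.
KeyManager, Origin and KeyState mirror the KeyMetadata returned by
kms:DescribeKey and KeyRotationEnabled mirrors kms:GetKeyRotationStatus;
the key IDs and values below are made up for the demonstration.
"""
from typing import Dict, List

# Constructed inventory, as an audit script would have gathered it per key.
SAMPLE_KEYS: List[Dict] = [
    {"KeyId": "EXAMPLE-aws-managed", "KeyManager": "AWS", "Origin": "AWS_KMS",
     "KeyState": "Enabled", "KeyRotationEnabled": True},
    {"KeyId": "EXAMPLE-cmk-rotating", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
     "KeyState": "Enabled", "KeyRotationEnabled": True},
    {"KeyId": "EXAMPLE-cmk-static", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
     "KeyState": "Enabled", "KeyRotationEnabled": False},
    {"KeyId": "EXAMPLE-imported", "KeyManager": "CUSTOMER", "Origin": "EXTERNAL",
     "KeyState": "Enabled", "KeyRotationEnabled": False},
    {"KeyId": "EXAMPLE-pending-delete", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
     "KeyState": "PendingDeletion", "KeyRotationEnabled": False},
]


def classify(key: Dict) -> str:
    """Map one key's metadata to a rotation finding.

    aws-managed     : AWS rotates it yearly and rotation cannot be disabled.
    ok              : customer-managed, AWS-generated material, automatic rotation on.
    enable-rotation : customer-managed, AWS-generated material, rotation off.
    manual-only     : imported material; the customer tracks expiry and re-imports.
    review          : any other origin (e.g. a custom key store); check by hand.
    skip            : not Enabled (disabled or pending deletion), nothing to rotate.
    """
    if key.get("KeyState") != "Enabled":
        return "skip"
    if key.get("KeyManager") == "AWS":
        return "aws-managed"
    origin = key.get("Origin")
    if origin == "EXTERNAL":
        return "manual-only"
    if origin != "AWS_KMS":
        return "review"
    return "ok" if key.get("KeyRotationEnabled") else "enable-rotation"


def audit(keys: List[Dict]) -> Dict[str, List[str]]:
    """Group key IDs by finding so the report reads like the comparison table above."""
    report: Dict[str, List[str]] = {}
    for key in keys:
        report.setdefault(classify(key), []).append(key["KeyId"])
    return report


def remediation_commands(keys: List[Dict]) -> List[str]:
    """CLI commands to turn on automatic rotation where it is possible but off."""
    return [f"aws kms enable-key-rotation --key-id {k['KeyId']}"
            for k in keys if classify(k) == "enable-rotation"]


if __name__ == "__main__":
    for finding, ids in audit(SAMPLE_KEYS).items():
        print(f"{finding:16} {', '.join(ids)}")
    print("\n".join(remediation_commands(SAMPLE_KEYS)))
```

Only the enable-rotation finding produces a command; imported material is reported rather than "fixed", because the page's own point is that AWS cannot rotate it for you.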
Visual Anchors
IAM Access Key Rotation Flow
Envelope Encryption Visualization
```latex
\begin{tikzpicture}
  % Draw the Master Key (KMS)
  \draw[thick, fill=blue!10] (0,2) rectangle (2,3) node[midway] {KMS Key};
  % Draw the Data Key
  \draw[thick, fill=yellow!20] (4,2.2) rectangle (5.5,2.8) node[midway] {Data Key};
  % Draw the Data
  \draw[thick, fill=green!10] (7,1.5) rectangle (9,3.5) node[midway] {Plaintext Data};
  % Arrows showing protection
  \draw[->, >=stealth, line width=1pt] (1,2) -- (1,1) -- (4.75,1) -- (4.75,2.2) node[midway, below] {Protects};
  \draw[->, >=stealth, line width=1pt] (4.75,2.8) -- (4.75,4) -- (8,4) -- (8,3.5) node[midway, above] {Encrypts};
  % Labels
  \node at (1, 3.3) {\small Stationary (Cloud)};
  \node at (4.75, 4.3) {\small Used locally};
\end{tikzpicture}
```
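The diagram, the glossary entries for envelope encryption and data keys, and the outline's remark that automatic rotation "keeps old backing keys to decrypt older data" all describe one mechanism. The Python below is an added simulation of it, not AWS code and not the cipher KMS uses: the KMS key is a stable ARN over a ring of versioned backing keys, a wrapped data key records which version sealed it, and rotating the master key therefore never requires re-encrypting the bulk data. It runs offline with the standard library; the cipher (HMAC-SHA256 as a CTR keystream plus an encrypt-then-MAC tag) and the ARNs are constructed for the example.

```python
"""Envelope encryption and KMS-style automatic rotation, simulated locally.

Added example, not AWS code and not the cipher KMS uses. The KMS key is
modelled as a stable ARN over a ring of versioned backing keys: rotation adds
a backing key for new data keys while old versions stay available to unwrap
data keys issued earlier. Runs offline with the standard library only.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; ValueError on wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass
class KmsKey:
    """Stationary master key: a constant ARN whose backing material rotates beneath it."""
    arn: str
    backing: Dict[int, bytes] = field(default_factory=dict)  # version -> backing key
    current: int = 0

    def __post_init__(self) -> None:
        self.rotate()  # version 1 is created together with the key

    def rotate(self) -> int:
        """Automatic rotation: add new backing material, keep old versions for decryption."""
        self.current += 1
        self.backing[self.current] = secrets.token_bytes(32)
        return self.current

    def generate_data_key(self) -> Tuple[bytes, bytes]:
        """Like GenerateDataKey: a plaintext data key for local use plus the wrapped copy
        stored beside the data. The wrapped copy records the backing version that sealed it."""
        data_key = secrets.token_bytes(32)
        wrapped = self.current.to_bytes(2, "big") + seal(self.backing[self.current], data_key)
        return data_key, wrapped

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        version = wrapped_version(wrapped)
        if version not in self.backing:
            raise KeyError(f"no backing key version {version} under {self.arn}")
        return unseal(self.backing[version], wrapped[2:])


def wrapped_version(wrapped: bytes) -> int:
    return int.from_bytes(wrapped[:2], "big")


def automatic_rotation_keeps_old_data_readable() -> bool:
    """Rotate the master key after encrypting; the old wrapped data key still opens."""
    master = KmsKey("arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID")  # constructed ARN
    data_key, wrapped = master.generate_data_key()
    record = seal(data_key, b"customer record")  # bulk data encrypted locally
    del data_key                                  # only the wrapped key is persisted
    master.rotate()                               # same ARN, new backing material
    _, wrapped_after = master.generate_data_key()
    assert wrapped_version(wrapped_after) == wrapped_version(wrapped) + 1
    return unseal(master.decrypt_data_key(wrapped), record) == b"customer record"


def manual_rotation_needs_rewrap() -> bool:
    """A brand-new key (new ARN) has no old backing material, so wrapped data keys
    must be re-wrapped (or data re-encrypted) before the old key can be retired."""
    old = KmsKey("arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-OLD")  # constructed ARN
    new = KmsKey("arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-NEW")  # constructed ARN
    data_key, wrapped = old.generate_data_key()
    try:
        new.decrypt_data_key(wrapped)
        return False
    except ValueError:
        pass
    plaintext_key = old.decrypt_data_key(wrapped)  # only the small data key is touched
    rewrapped = new.current.to_bytes(2, "big") + seal(new.backing[new.current], plaintext_key)
    return new.decrypt_data_key(rewrapped) == data_key
```

The two scenario functions are the two rows of the outline: automatic rotation keeps the ARN and the old backing versions, so nothing but the master's internal state changes; manual rotation produces a different key, so every wrapped data key has to be re-wrapped under it before the old key is disabled or scheduled for deletion.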
Definition-Example Pairs
- Key Deactivation: Disabling a key so it can no longer be used for cryptographic operations without deleting it.
- Example: If an employee leaves the company, you deactivate their Access Key immediately to stop access, then delete it after confirming no production scripts rely on it.
- Certificate Validation: The process of proving you own a domain before ACM issues a certificate.
- Example: Adding a specific CNAME record to your Route 53 DNS settings to allow ACM to verify domain control and enable automatic renewal.
Worked Examples
Scenario: Safely Rotating an Application's IAM Access Key
- Preparation: Check if the user already has two access keys (the limit). If so, you must delete an unused one first.
- Creation: Run `aws iam create-access-key --user-name MyAppUser`. Save the output (ID and Secret).
- Deployment: Update the environment variables or credentials file on the server with the new ID and Secret.
- Audit: Use the command `aws iam get-access-key-last-used --access-key-id <OLD_KEY_ID>`. If the timestamp is older than your deployment time, the old key is likely safe to disable.
- Cleanup: Run `aws iam update-access-key --access-key-id <OLD_KEY_ID> --status Inactive`. After a 24-hour buffer, run `aws iam delete-access-key --access-key-id <OLD_KEY_ID>`.
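The outline's four-step procedure and this worked example share the same decision points: is a slot free under the two-key limit, has the old key been used since the new one was deployed, and has the 24-hour buffer passed since deactivation. The Python below is an added example (not AWS code and not the page's own) that encodes those checks and produces the next CLI action for a user without executing anything. Records are shaped like the output of `aws iam list-access-keys` (AccessKeyId, Status, CreateDate) and `aws iam get-access-key-last-used`; DeactivatedAt is an operator-kept timestamp, not an IAM field, and every key ID and date is constructed.

```python
"""Decision helpers for the IAM access key lifecycle: create, deploy, audit, deactivate, delete.

Added example, not AWS code; it never calls AWS. Records are shaped like the
output of `aws iam list-access-keys` (AccessKeyId, Status, CreateDate) and
`aws iam get-access-key-last-used` (last-used time, None if never used).
DeactivatedAt is an operator-kept timestamp, not an IAM field. All values
below are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

MAX_KEYS_PER_USER = 2                 # IAM limit checked in the Preparation step
ROTATION_AGE = timedelta(days=90)     # policy window from the outline; some use 30
DELETE_BUFFER = timedelta(hours=24)   # how long an Inactive key is kept before deletion


def needs_rotation(key: Dict, now: datetime, max_age: timedelta = ROTATION_AGE) -> bool:
    """An Active key at or past the policy age starts the rotation cycle."""
    return key["Status"] == "Active" and now - key["CreateDate"] >= max_age


def can_create_new_key(keys: List[Dict]) -> bool:
    """Preparation: a new key can only be created while a slot is free (Inactive keys count)."""
    return len(keys) < MAX_KEYS_PER_USER


def safe_to_deactivate(last_used: Optional[datetime], deployed_at: datetime) -> bool:
    """Audit: disable the old key only if nothing has signed with it since the new
    credentials went live. A key that was never used is also safe."""
    return last_used is None or last_used < deployed_at


def safe_to_delete(deactivated_at: datetime, now: datetime, buffer: timedelta = DELETE_BUFFER) -> bool:
    """Cleanup: an Inactive key stays re-enableable for the buffer period first."""
    return now - deactivated_at >= buffer


def plan(user: str, keys: List[Dict], now: datetime,
         deployed_at: Optional[datetime] = None,
         last_used: Optional[Dict[str, Optional[datetime]]] = None) -> List[str]:
    """Return the next CLI actions for one user, in order, without running them."""
    last_used = last_used or {}
    actions: List[str] = []
    active = [k for k in keys if k["Status"] == "Active"]
    for k in keys:                                   # Cleanup
        if k["Status"] == "Inactive" and safe_to_delete(k["DeactivatedAt"], now):
            actions.append(f"aws iam delete-access-key --user-name {user} "
                           f"--access-key-id {k['AccessKeyId']}")
    if not any(needs_rotation(k, now) for k in active):
        return actions
    if len(active) == 1:                             # Preparation + Creation
        if can_create_new_key(keys):
            actions.append(f"aws iam create-access-key --user-name {user}")
        else:
            actions.append(f"blocked: {user} already has {MAX_KEYS_PER_USER} keys; "
                           "delete an unused one first")
        return actions
    old = min(active, key=lambda k: k["CreateDate"])  # Audit the older of the two keys
    if deployed_at is not None and safe_to_deactivate(last_used.get(old["AccessKeyId"]), deployed_at):
        actions.append(f"aws iam update-access-key --user-name {user} "
                       f"--access-key-id {old['AccessKeyId']} --status Inactive")
    else:
        actions.append(f"wait: {old['AccessKeyId']} used after deployment or new key not deployed yet")
    return actions


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    old = {"AccessKeyId": "AKIAEXAMPLEOLDKEY001", "Status": "Active",
           "CreateDate": datetime(2024, 1, 1, tzinfo=timezone.utc)}
    new = {"AccessKeyId": "AKIAEXAMPLENEWKEY002", "Status": "Active",
           "CreateDate": now - timedelta(days=2)}
    print(plan("MyAppUser", [old], now))
    print(plan("MyAppUser", [old, new], now, deployed_at=now - timedelta(days=1),
               last_used={old["AccessKeyId"]: now - timedelta(days=3)}))
```

The planner deliberately returns strings rather than calling the CLI, so the audit step stays a human decision: a "wait" result means the old key was seen in use after deployment, which is exactly the case where disabling it would break a workload that still holds the old credentials.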
Checkpoint Questions
- How often are AWS-Managed KMS keys rotated?
- Answer: Once every year (365 days).
- True or False: You can export the private key of an ACM-issued certificate to use it on an on-premises web server.
- Answer: False. ACM certificates are non-exportable; they must be used with supported AWS services like ALB or CloudFront.
- What is the main advantage of using Automatic Key Rotation in KMS for Customer-Managed Keys?
- Answer: It manages the rotation of the backing key material while keeping the same Key ID/ARN, meaning you don't have to update any application code or policies.
- If you import your own key material into KMS, who is responsible for rotation?
- Answer: The customer is responsible for manual rotation and tracking expiration.