AWS KMS | Amazon Key Management Services [October 2022]

Last updated on October 1st, 2022


AWS KMS is an Amazon service to create, store & manage cryptographic keys. Those keys are used in all AWS services & other applications.



Let’s suppose you have a super-sensitive file that has people’s names and credit card numbers.

You want to store it in some AWS storage for example.

So you have this plain text data and a Key.

Using that, you run some kind of Encryption Algorithm to encrypt the data.

Now the question is who will do this?

Very generally speaking, you can do this in two ways:

Client-side encryption: The client, for example your application running on your system, maintains the keys, encrypts the data, and sends the encrypted file to AWS storage.

Server-side encryption: You send the plain text data securely over HTTPS to AWS storage, and the data gets encrypted in AWS storage.

If you manage a key yourself, it needs to be rotated periodically.

That way, even if the key gets compromised, rotation reduces the duration and possibility of abuse.

Secondly, you have to make the key harder to obtain.


Let’s dive a bit deeper at this point…

Encrypt that key itself with another key.

And that key with another key and that key with another key.

Did you get the idea?

This is also known as Envelope Encryption.

But eventually, one key must remain in plain text.

So you can decrypt the keys and your data.

This top-level plain text encryption key is known as The Master Key.

And this has to be stored in a super-secure place.

Now if we go back to managing the key by ourselves, you also have to track and log the usage, so that you can detect anomalies.

You see, it could be quite intense and you probably want to focus on business logic and not on managing and rotating your keys and all that stuff.


AWS KMS Features

AWS KMS is a managed service that makes it easy for you to create and control the encryption keys.

The Customer Master Keys that you create in AWS are protected by hardware security modules, or HSMs.

It is fully managed.

You control access to your encrypted data by defining permissions to use the keys.

AWS enforces your permissions and handles the durability and physical security of your keys.

It is a Centralized Management System.

AWS KMS presents a single control point to manage keys and define policies consistently across integrated AWS services.

You can easily create, import, rotate, and delete keys and manage permissions from the AWS Management Console or by using the AWS SDK or CLI. It also integrates with other AWS services.

Let’s get back to our super-secret file.

You encrypted the data with a key.

This is known as the Data Key.

Because you encrypted some data with it.

Then you used Envelope Encryption, where your plain text Data Key is turned into an Encrypted Data Key using a Customer Master Key.

AWS helps you to protect your Master Keys by storing and managing them securely.

Master Keys are stored in AWS KMS.

They never leave the AWS KMS-validated hardware security modules unencrypted.
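
The envelope scheme described above, as an added Node.js example (not code from the original page or from AWS): a data key encrypts the record, and a master key encrypts the data key. It goes one step further and shows that rotating the master key only requires re-encrypting the small data key. The function names are illustrative, and the local 32-byte master key is an assumption standing in for a Customer Master Key that AWS KMS would keep inside its HSMs.

```javascript
const crypto = require('node:crypto');

// seal: AES-256-GCM under key; returns nonce (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// open reverses seal; it throws on a wrong key or on modified bytes.
function open(key, blob) {
  if (blob.length < 28) throw new Error('blob shorter than nonce + tag');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// A fresh data key encrypts the data; only its encrypted form is stored.
function envelopeEncrypt(masterKey, data) {
  const dataKey = crypto.randomBytes(32);
  const stored = { encryptedDataKey: seal(masterKey, dataKey), ciphertext: seal(dataKey, data) };
  dataKey.fill(0); // wipe the plaintext data key once it has been used
  return stored;
}

// Decrypt the data key with the master key, then the data with the data key.
function envelopeDecrypt(masterKey, stored) {
  const dataKey = open(masterKey, stored.encryptedDataKey);
  try {
    return open(dataKey, stored.ciphertext);
  } finally {
    dataKey.fill(0);
  }
}

// Rotation: re-encrypt only the small data key; the data ciphertext is untouched.
function rewrap(oldMasterKey, newMasterKey, stored) {
  const dataKey = open(oldMasterKey, stored.encryptedDataKey);
  const rotated = { encryptedDataKey: seal(newMasterKey, dataKey), ciphertext: stored.ciphertext };
  dataKey.fill(0);
  return rotated;
}

// Constructed sample input. The master key is a local stand-in (assumption):
// in AWS KMS it would stay inside the HSM and never be visible to this code.
const sampleMasterKey = crypto.randomBytes(32);
const sampleRecord = Buffer.from('constructed sample record: Jane Doe, card 0000-0000');
const sampleStored = envelopeEncrypt(sampleMasterKey, sampleRecord);
console.log(envelopeDecrypt(sampleMasterKey, sampleStored).toString());
```

What ends up in storage is only `encryptedDataKey` and `ciphertext`; neither can be read without the master key.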

We discussed this tool from many angles.

Like what it is and how it works, what are the features?

Where to download KMSPico, what are the alternatives?

We also discussed some other KMS activators and KMS management tools like Amazon AWS.


AWS KMS is an Amazon Product for Web Services. It allows you to create, control, and delete keys to encrypt the personal data stored in all AWS databases.

Now let’s move on to the KMS Pico FAQ section.

Visit Official Amazon KMS Page.

You can also try KMSPico to activate Windows and Office products.
