Fundamentals of KMS
Securing Access to Your AWS KMS Keys
S3 Encryption Mechanisms
AWS Secrets Manager
Managing Public and Private SSL/TLS Certificates using AWS Certificate Manager
The course is part of this learning path
This section of the Solution Architect Associate learning path introduces you to the core encryption concepts and services relevant to the SAA-C03 exam. We overview the AWS encryption options and how to select and apply AWS encryption services to meet relevant situations and scenarios.
Want more? Try a lab playground or do a Lab Challenge!
- Learn the fundamentals of Amazon's Key Management Service (KMS), including permissions, key policies, and key management
- Learn how the AWS Secrets Manager is used to implement security best practices by protecting secrets such as database credentials and API keys
- Learn the fundamentals of CloudHSM, how it's implemented, and how to use it as a Custom Key Store in KMS
- Learn how to implement server-side and client-side encryption
Understanding who has access to a KMS key can be a little confusing as there are three potential ways of gaining access to and using a KMS key through the key policy, with IAM policies, and also Grants.
Determining the correct level of access means you need to understand how these access methods all work in conjunction with one another. So let's look at a simple example to ensure we understand some key points. In this scenario, we have three KMS keys, and four users.
Here you can see the KMS keys, users and scenario statements that are applicable to this example.
So we have three KMS Keys: KeyA, KeyB, and KeyC, and we have four Users: Alana, Danny, Carlos, and Jorge.
So the Scenario statements are:
- Key-A key policy enables the use of IAM user permissions to be used to manage access.
- Key-B key policy allows access for Danny and Carlos to perform cryptographic operations. Controlling access via IAM has not been enabled.
- Key-C key policy enables the use of IAM user permissions to be used to manage access. Access is also explicitly denied for Danny, Carlos, but full cryptographic. operations access is given to Alana and Jorge. Jorge also has access to create grants.
- Alana’s IAM policy permissions allows all KMS actions to Key-A and Key-B.
- Danny has no IAM policy permissions.
- Carlos’ IAM policy permissions allows KMS encrypt access to Key-A.
- Jorge’s IAM policy permissions allow all KMS actions to Key-B and Key-C.
So let's now look at each of these users' access to see if they can perform cryptographic operations, starting with Alana.
Alana’s access to Key-A is successful as her IAM policy permissions allows all KMS actions against Key-A and Key-A allows for IAM policies to be used to manage access. Her access to Key-B is denied as the key policy for this Key does not allow for IAM policies to be used. Alana’s access to Key-C is successful as the key policy allows access despite her having no IAM policy related permissions, access is given purely through the key policy.
Now let's take a look at Danny. His access to Key-A is denied as there are no explicit entries in the key policy for Danny’s access and he has no IAM policy permissions associated. His access to Key-B is successful as the key policy allows Danny access despite him having no IAM policy permissions. Danny’s access to Key-C is denied due to explicit deny actions within the key policy. An explicit ‘deny’ will always overrule any other allow.
Now let's look at Carlos’ access. For Key-A, he has ‘encrypt’ access only which is given through his IAM policy permissions, and IAM policy permissions are allowed to be used to manage access. For Key-B, access is also successful as the key policy allows him access. His IAM policy permissions are irrelevant as the key policy does not allow for IAM policies to be used to manage access. And his access to Key-C is denied due to the explicit deny actions within the key policy and an explicit deny will overrule any other allow.
And finally Jorge’s access. He has no access to Key-A as neither the key policy or his IAM policy permissions provides access. He has no access to Key-B as the key policy for this Key does not allow for IAM policies to be used. So despite access being granted at the IAM Policy level for Jorge, the Key policy does not allow for IAM policies to be used and so this is disregarded. Access to Key C is allowed for KMS cryptographic operations in addition to the ability to create grants.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.