Fundamentals of KMS
Securing Access to Your AWS KMS Keys
S3 Encryption Mechanisms
AWS Secrets Manager
Managing Public and Private SSL/TLS Certificates using AWS Certificate Manager
This section of the Solution Architect Associate learning path introduces you to the core encryption concepts and services relevant to the SAA-C03 exam. We overview the AWS encryption options and how to select and apply AWS encryption services to meet relevant situations and scenarios.
- Learn the fundamentals of Amazon's Key Management Service (KMS), including permissions, key policies, and key management
- Learn how the AWS Secrets Manager is used to implement security best practices by protecting secrets such as database credentials and API keys
- Learn the fundamentals of CloudHSM, how it's implemented, and how to use it as a Custom Key Store in KMS
- Learn how to implement server-side and client-side encryption
Before we dive into the AWS Key Management Service itself and how it can be used to encrypt your data in AWS, I feel it would be beneficial to those who are new to encryption to understand the basics of encryption methods used by KMS.
Unencrypted data is data that can be read and seen by anyone who has access to it, either when the data is at rest or while it is in transit between two or more locations. This unencrypted data is commonly known as ‘plain text’ or ‘clear text’ data, as the data is plain to see and can be read by any recipient. There is no problem with data being unencrypted as long as it does not contain sensitive or confidential information that requires access to it to be restricted. However, if you have data that does contain sensitive information, such as customer data or financial records, then you need to ensure that the contents of that file are only viewable by those who are authorized. To enhance the security of that object, you should add a level of encryption to the data.
Data encryption is the process by which information is altered, rendering the plain text data unreadable through the use of mathematical algorithms and encryption keys. Once encrypted, the original plain text is known as cipher text, which is unreadable. To decrypt the data, an encryption key is required to revert the cipher text back into readable plain text.
An encryption key is simply a string of characters used in conjunction with an encryption algorithm, and the longer the key the more robust the encryption. Encryption methods involving keys can be categorized by either being symmetric cryptography or asymmetric cryptography, and interestingly AWS KMS uses both of these methods.
Let's take a look at each of these to see how they differ.
With symmetric encryption, a single key is used to both encrypt and decrypt the data. So, for example, if someone was using a symmetric encryption method, they would encrypt the data with a key, and when that person later needed to access that data, they would use the same key they used to encrypt it to decrypt it. This means that if the encrypted data was being read by a different recipient, that recipient would need to be issued with the same key. Remember, the key needed to decrypt the data is the same key that was used to encrypt it. As a result, this key must be sent securely between recipients, and this exposes a potential weakness in the method. If the key is intercepted by anyone during a transmission that was not protected with in-transit encryption, then that third party could easily decrypt any data associated with that key. AWS KMS helps to resolve this issue by acting as a central repository, governing and storing the keys required and only issuing the decryption keys to those who have sufficient permissions to receive them.
Some common symmetric cryptography algorithms in use are AES (Advanced Encryption Standard), DES (Data Encryption Standard), Triple DES and Blowfish.
Now let's compare this to asymmetric encryption which involves two separate keys, where one is used to encrypt the data and a separate key is used to decrypt the data. These keys are created at the same time and are linked through a mathematical algorithm. One key is considered the private key and should be kept by a single party and should never be shared with anyone else. The other key is considered the public key and this key can be given and shared with anyone, it’s public for a reason.
Unlike with symmetric encryption, this public key does not have to be sent over a secure transmission. It doesn't matter who has access to the public key, because without the private key, any data encrypted with it cannot be decrypted. So how does it work?
If another party wanted to send you an encrypted message or data, they would encrypt the message using your own public key which is made freely available to them. The message is then sent to you where you will use your own private key which has the mathematical relationship with your public key, enabling you to decrypt the data. This allows you to receive encrypted data without the risk of exposing your private key, resolving the issue highlighted with symmetric encryption.
The advantage that symmetric has over asymmetric is the speed of encryption and decryption: symmetric is a lot faster from a performance perspective. However, it does carry the additional key-distribution risk highlighted above. Some common examples of asymmetric cryptography algorithms are RSA, Diffie-Hellman, and the Digital Signature Algorithm (DSA).
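To make that trade-off concrete, here is an added example (not code from the course) in Go using only the standard library: the bulk data is protected with a fast symmetric AES-256-GCM key, and that key is then wrapped with the recipient's RSA public key, so only the holder of the private key can unwrap it and the symmetric key is never sent in the clear. The names Envelope, NewRecipientKey, Seal and Open are my own; the sample message in the usage is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope pairs the bulk ciphertext (symmetric) with the data key wrapped for one recipient (asymmetric).
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// NewRecipientKey makes the recipient's RSA pair; the private half is the one secret that is never shared.
func NewRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Seal: a fresh AES-256-GCM data key protects the bulk data (fast, symmetric); RSA-OAEP under the
// recipient's public key wraps that data key, so the symmetric key never travels in the clear.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey)                 // crypto/rand.Read is guaranteed not to fail since Go 1.24
	block, _ := aes.NewCipher(dataKey) // cannot fail: the key length is fixed at 32 bytes
	gcm, _ := cipher.NewGCM(block)     // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // GCM nonces must be unique per key; a fresh key per message makes that easy
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open: only the private-key holder can unwrap the data key. A wrong key or tampered ciphertext
// returns an error rather than garbage, because both OAEP and GCM authenticate what they decrypt.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey) // a hostile envelope could carry a wrong-length key
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Usage: `priv, _ := NewRecipientKey()`, then `env, _ := Seal(&priv.PublicKey, msg)` on the sender's side and `Open(priv, env)` on the recipient's; anyone holding only the public key can produce envelopes but cannot open them.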
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.