Learning important Key Management Service (KMS) terms


Introduction

The following key definitions are extracted directly from the AWS documentation:


Customer Master Keys (CMK) - The primary resources in AWS KMS are customer master keys (CMKs). Typically, you use CMKs to protect data encryption keys (or data keys) which are then used to encrypt or decrypt larger amounts of data outside of the service. CMKs never leave AWS KMS unencrypted, but data keys can. AWS KMS does not store, manage, or track your data keys. There is one AWS-managed CMK for each service that is integrated with AWS KMS. When you create an encrypted resource in these services, you can choose to protect that resource under the AWS-managed CMK for that service. This CMK is unique to your AWS account and the AWS region in which it is used, and it protects the data keys used by the AWS services to protect your data.

Data keys - Data keys are used to encrypt large data objects within an application outside AWS KMS. 

Key rotation and Backing Keys - When you create a customer master key (CMK) in AWS KMS, the service creates a key ID for the CMK and key material, referred to as a backing key, that is tied to the key ID of the CMK. If you choose to enable key rotation for a given CMK, AWS KMS will create a new version of the backing key for each rotation. It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. A CMK is simply a logical resource that does not change regardless of whether or how many times the underlying backing keys have been rotated.
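The three definitions above describe one mechanism, envelope encryption: the CMK's backing keys never leave KMS, the application only ever holds data keys, and rotation adds a new backing-key version while keeping the old ones so that previously wrapped data keys still decrypt. The following Python model, written for this page and not taken from AWS or the lab, walks through that flow offline. `ToyKms` is a hypothetical stand-in for the KMS service (the key ID `cmk-example-0001` is a constructed value), and an HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC stands in for the AES-GCM that KMS actually uses; the structure, not the cipher, is the point.

```python
"""Envelope encryption with a versioned, rotatable backing key (added example, toy cipher)."""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one 256-bit key (domain separation).
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher; NOT a replacement for AES-GCM.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any tampering raises instead of returning garbage."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)


class ToyKms:
    """Hypothetical KMS stand-in: one CMK = a stable key ID plus versioned backing keys.

    Backing keys are private to this class; callers only ever see data keys."""

    def __init__(self, key_id: str) -> None:
        self.key_id = key_id
        self._backing = [os.urandom(32)]  # version 0 of the backing key
        self.enabled = True

    @property
    def current_version(self) -> int:
        return len(self._backing) - 1

    def rotate(self) -> None:
        # Rotation appends a new backing key; prior versions are retained for decryption.
        self._backing.append(os.urandom(32))

    def disable(self) -> None:
        self.enabled = False

    def _check_enabled(self) -> None:
        if not self.enabled:
            raise PermissionError(f"CMK {self.key_id} is disabled")

    def generate_data_key(self) -> tuple[bytes, bytes]:
        """Return (plaintext data key, data key wrapped under the current backing key)."""
        self._check_enabled()
        data_key = os.urandom(32)
        header = json.dumps({"key_id": self.key_id, "version": self.current_version}).encode()
        return data_key, header + b"\n" + seal(self._backing[self.current_version], data_key)

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        """Unwrap using whichever backing-key version the header names."""
        self._check_enabled()
        header, blob = wrapped.split(b"\n", 1)  # header is JSON, so it contains no newline
        meta = json.loads(header)
        if meta["key_id"] != self.key_id:
            raise ValueError("wrapped key belongs to a different CMK")
        return open_sealed(self._backing[meta["version"]], blob)


def encrypt_object(kms: ToyKms, plaintext: bytes) -> dict:
    # Application side: the data key encrypts the payload outside KMS; only its wrapped form is stored.
    data_key, wrapped = kms.generate_data_key()
    return {"wrapped_key": wrapped, "ciphertext": seal(data_key, plaintext)}


def decrypt_object(kms: ToyKms, envelope: dict) -> bytes:
    data_key = kms.decrypt_data_key(envelope["wrapped_key"])
    return open_sealed(data_key, envelope["ciphertext"])


def wrapped_version(envelope: dict) -> int:
    return json.loads(envelope["wrapped_key"].split(b"\n", 1)[0])["version"]


def demo() -> dict:
    kms = ToyKms("cmk-example-0001")  # constructed key ID
    secret = b"constructed payload: customer record 42"
    before = encrypt_object(kms, secret)
    kms.rotate()
    after = encrypt_object(kms, secret)
    tampered = dict(after, ciphertext=after["ciphertext"][:-1] + bytes([after["ciphertext"][-1] ^ 1]))
    try:
        open_sealed(b"\0" * 32, tampered["ciphertext"])
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    kms.disable()
    try:
        decrypt_object(kms, before)
        disabled_blocks = False
    except PermissionError:
        disabled_blocks = True
    kms.enabled = True
    return {
        "old_envelope_still_decrypts": decrypt_object(kms, before) == secret,
        "old_version": wrapped_version(before),
        "new_version": wrapped_version(after),
        "tamper_detected": tamper_detected,
        "disabled_cmk_blocks_decrypt": disabled_blocks,
    }


if __name__ == "__main__":
    print(demo())
```

Three properties of the definitions show up in `demo()`: an envelope wrapped before rotation still decrypts afterwards because version 0 is retained, new envelopes carry the new version number while the key ID is unchanged, and disabling the CMK blocks every unwrap even though the ciphertext and wrapped key are intact (the same effect the lab's final step produces for the encrypted EBS volume).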


Summary

Having learned the basics of several critical security-related terms involving keys and data encryption at rest, you are ready to start using the AWS console to implement them. Note that the tasks in this lab are performed from the console, but they could equally be carried out programmatically using the AWS API or command line interface (CLI). Often a workflow is learned and fine-tuned in the console first, then implemented programmatically for the long term.
