- AWS Key Management Service (AWS KMS) is an encryption and key management web service.
- Clients must support TLS (Transport Layer Security). These notes cite TLS 1.0 / 1.2; current AWS service endpoints require TLS 1.2 or later, so do not rely on TLS 1.0 in new clients.
- Clients must also support cipher suites with perfect forward secrecy (PFS), such as DHE or ECDHE, so that a later compromise of the server's long-term key does not expose recorded sessions.
- Modern systems such as Java 7 and later support these modes.
Signing Requests
- Requests must be signed with an access key ID and a secret access key.
- These can be the long-lived access key ID and secret access key of an IAM user.
- Alternatively, use AWS Security Token Service (STS) to obtain temporary security credentials (access key ID, secret access key and session token) and sign requests with those; the session token travels in the X-Amz-Security-Token header and is covered by the signature.
- All AWS KMS operations require Signature Version 4 (SigV4). SigV4 signs the request headers and a SHA-256 hash of the body, scoped to a date, region and service, so a captured request cannot be replayed with a modified body, against another service, or outside the time window AWS accepts (the request date must be within 15 minutes of the service's clock).
Logging API Requests
- AWS KMS is integrated with AWS CloudTrail, which logs every AWS KMS API call (management operations such as CreateKey as well as cryptographic operations such as Encrypt and Decrypt) and related events.
- From the CloudTrail records you can determine what request was made to AWS KMS, which principal made it, when it was made, from which source IP address, against which key, and whether it succeeded or was denied. The encryption context is written to these logs in plaintext, so never put secrets in it.
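The review described above, as an added example (this is not code from the original page or from AWS): reduce a batch of CloudTrail records to who called which KMS operation, when, on which key, and flag the two things a responder looks for first, denied Decrypt calls and key-administration events such as ScheduleKeyDeletion. The records are a constructed sample in CloudTrail's "Records" JSON shape; the account ID, user names, key ID and IP addresses are placeholders, and the list of admin events is my own choice, not an AWS-defined set.

```python
import json
from typing import Dict, List

# Constructed sample in CloudTrail's "Records" JSON shape. Account ID, users,
# key ID and IP addresses are placeholders, not real data.
_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {   # successful Decrypt by an IAM user
        "eventTime": "2024-01-01T12:00:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                         "userName": "alice"},
        "requestParameters": {"encryptionContext": {"app": "payroll"}},
        "resources": [{"type": "AWS::KMS::Key", "ARN": _KEY_ARN}],
    },
    {   # Decrypt denied for an assumed role: CloudTrail records the errorCode
        "eventTime": "2024-01-01T12:05:30Z", "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/CIRole/build-42"},
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: kms:Decrypt on this resource",
        "requestParameters": {"encryptionContext": {"app": "payroll"}},
        "resources": [{"type": "AWS::KMS::Key", "ARN": _KEY_ARN}],
    },
    {   # key scheduled for deletion: destructive, should always be reviewed
        "eventTime": "2024-01-01T12:07:00Z", "eventSource": "kms.amazonaws.com",
        "eventName": "ScheduleKeyDeletion", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.9",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob",
                         "userName": "bob"},
        "requestParameters": {"keyId": "11111111-2222-3333-4444-555555555555",
                              "pendingWindowInDays": 7},
        "resources": [{"type": "AWS::KMS::Key", "ARN": _KEY_ARN}],
    },
    {   # unrelated service call, must be filtered out
        "eventTime": "2024-01-01T12:08:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances", "awsRegion": "us-east-1",
        "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                         "userName": "alice"},
    },
]})

# KMS operations that change who can use a key, or whether it keeps existing.
# This set is an assumption for the example, not an AWS-defined category.
KEY_ADMIN_EVENTS = {"ScheduleKeyDeletion", "DisableKey", "DisableKeyRotation", "PutKeyPolicy",
                    "CreateGrant", "RevokeGrant", "DeleteAlias", "UpdateAlias"}


def parse_kms_events(raw_json: str) -> List[Dict[str, object]]:
    """Reduce CloudTrail records to who / what / when / which key, KMS calls only."""
    events = []
    for rec in json.loads(raw_json).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        # The key appears in "resources"; requestParameters can be JSON null in real logs.
        key_arn = next((r.get("ARN") for r in rec.get("resources", [])
                        if r.get("type") == "AWS::KMS::Key"), None)
        params = rec.get("requestParameters") or {}
        events.append({
            "time": rec.get("eventTime"),
            "actor": (rec.get("userIdentity") or {}).get("arn", "<unknown>"),
            "event": rec.get("eventName"),
            "key_arn": key_arn,
            "source_ip": rec.get("sourceIPAddress"),
            "error": rec.get("errorCode"),
            "encryption_context": params.get("encryptionContext", {}),
        })
    return events


def flag_events(events: List[Dict[str, object]]) -> List[str]:
    """Return one line per event worth a responder's attention, in log order."""
    flags = []
    for e in events:
        if e["error"] == "AccessDenied":
            flags.append(f'{e["time"]} AccessDenied on {e["event"]} by {e["actor"]} '
                         f'from {e["source_ip"]} (key {e["key_arn"]})')
        elif e["event"] in KEY_ADMIN_EVENTS and not e["error"]:
            flags.append(f'{e["time"]} {e["event"]} by {e["actor"]} on {e["key_arn"]}')
    return flags


if __name__ == "__main__":
    for line in flag_events(parse_kms_events(SAMPLE_CLOUDTRAIL)):
        print(line)
```

In practice the same two functions run over the objects CloudTrail delivers to S3 (gzip-compressed files with the same "Records" wrapper); the filter on eventSource is what keeps the KMS view from drowning in every other service's calls.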
Commonly Used API Operations
- Encrypt
- Decrypt
- GenerateDataKey
- GenerateDataKeyWithoutPlaintext
encrypt command
- Encrypts plaintext into ciphertext under a key that never leaves KMS.
- Uses a customer master key (CMK); AWS has since renamed the concept "KMS key".
- Primary use cases:
- Encrypt up to 4 kilobytes (4096 bytes) of arbitrary data such as an RSA key, a database password, or other sensitive information. Larger payloads are not passed to Encrypt; use GenerateDataKey and encrypt the data locally with the returned data key (envelope encryption).
- Use the Encrypt operation to move encrypted data from one AWS Region to another: generate a data key in Region A and encrypt the data locally with its plaintext copy, then call Encrypt to wrap that plaintext data key under a KMS key in Region B, and move the encrypted data together with the Region-B-wrapped data key.
- aws kms encrypt --key-id <value> --plaintext <value> [--encryption-context <value>] [--grant-tokens <value>] [--cli-input-json <value>] [--generate-cli-skeleton <value>]
- --key-id (string) – A unique identifier for the customer master key (CMK): a key ID, key ARN, alias name (alias/...) or alias ARN.
- --plaintext (blob) – Data to be encrypted, at most 4096 bytes. AWS CLI v2 expects blob parameters as base64 by default; pass fileb://path to supply raw bytes from a file.
- --encryption-context (map) – Name-value pairs used as additional authenticated data: they are bound to the ciphertext, so Decrypt must be given the same pairs or it fails, but they are not secret and are written to CloudTrail logs.
- --grant-tokens (list) – A list of grant tokens, used when a grant created immediately before the call has not yet propagated.
- --cli-input-json (string) – Performs the service operation based on the JSON string provided.
- --generate-cli-skeleton (string) – Prints a JSON skeleton to standard output without sending an API request.
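To show concretely what "Signature Version 4" in the Signing Requests section and the Encrypt parameters above amount to on the wire, here is an added example (my code, not from the page, the AWS CLI or the AWS SDKs): it builds the JSON body of an Encrypt request with the 4096-byte limit enforced and the encryption context attached, then signs the request with SigV4 using only the standard library, optionally including an STS session token. The credentials, key alias, timestamp and plaintext are constructed placeholders, and nothing is sent to AWS; the function only produces the headers a real client would send.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

KMS_MAX_PLAINTEXT = 4096  # Encrypt accepts at most 4096 bytes of plaintext


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_encrypt_body(key_id: str, plaintext: bytes,
                       encryption_context: Optional[Dict[str, str]] = None) -> bytes:
    """JSON body of an Encrypt request (x-amz-json-1.1 wire format).

    Plaintext is carried base64-encoded; EncryptionContext is plain key/value
    pairs that KMS binds to the ciphertext as additional authenticated data.
    """
    if len(plaintext) > KMS_MAX_PLAINTEXT:
        raise ValueError(f"Encrypt takes at most {KMS_MAX_PLAINTEXT} bytes; "
                         "use GenerateDataKey and envelope encryption for larger payloads")
    body = {"KeyId": key_id, "Plaintext": base64.b64encode(plaintext).decode("ascii")}
    if encryption_context:
        body["EncryptionContext"] = encryption_context
    return json.dumps(body, separators=(",", ":")).encode("utf-8")


def sigv4_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key: an HMAC chain over date, region and service."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_kms_request(action: str, body: bytes, region: str, access_key_id: str,
                     secret_key: str, amz_date: str,
                     session_token: Optional[str] = None) -> Dict[str, str]:
    """Return the headers of a signed POST / to the regional KMS endpoint.

    amz_date is the ISO-8601 basic timestamp (YYYYMMDDTHHMMSSZ); AWS rejects a
    request whose date is more than 15 minutes away from its own clock.
    """
    service = "kms"
    date_stamp = amz_date[:8]
    headers = {
        "content-type": "application/x-amz-json-1.1",
        "host": f"kms.{region}.amazonaws.com",
        "x-amz-date": amz_date,
        "x-amz-target": f"TrentService.{action}",  # KMS selects the operation by this header
    }
    if session_token:  # temporary STS credentials: the token is signed with everything else
        headers["x-amz-security-token"] = session_token

    # Step 1: canonical request. Header names lowercased and sorted; the body is
    # represented by its SHA-256, so a tampered body invalidates the signature.
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{name}:{headers[name].strip()}\n" for name in sorted(headers))
    canonical_request = "\n".join([
        "POST", "/", "",              # method, URI, empty query string
        canonical_headers, signed_headers, _sha256_hex(body),
    ])

    # Step 2: string to sign, scoped to date / region / service.
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])

    # Step 3: HMAC with the derived key, then the Authorization header.
    signature = hmac.new(sigv4_signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


if __name__ == "__main__":
    # Placeholder credentials, key alias and plaintext (constructed; nothing is sent to AWS).
    body = build_encrypt_body("alias/demo-key", b"db-password-123", {"app": "payroll"})
    signed = sign_kms_request("Encrypt", body, "us-east-1", "AKIAIOSFODNN7EXAMPLE",
                              "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "20240101T000000Z")
    for name, value in signed.items():
        print(f"{name}: {value}")
    print(body.decode())
```

The SDKs and the CLI do exactly this for you; the value of seeing it spelled out is in the security properties: the secret access key is never transmitted, only an HMAC derived from it, the derived key is bound to one day, region and service, and both the headers and the body hash are inside the signature, which is why a leaked request cannot be replayed against a different key or with different plaintext.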