Understanding Asymmetric Keys in AWS KMS

Tags: aws, aws kms, aws security | Jan 25, 2024

Introduction

In this blog post, we're diving into asymmetric keys in AWS KMS and breaking them down into simple terms. Whether you're preparing for an exam or just curious about cloud security, this guide will walk you through the basics of asymmetric keys in AWS KMS.

What are Asymmetric KMS Keys?

AWS KMS supports asymmetric keys, which are pairs of mathematically related public and private keys. These key pairs can be of three types:

  1. RSA Keys: Each RSA key pair is created for one purpose, either encryption/decryption or signing/verification. AWS KMS offers various key lengths for different security needs.
  2. Elliptic Curve (ECC) Keys: Primarily used for signing and verification.
  3. SM2 Keys: Available only in China Regions, used similarly to RSA keys.

These keys are generated within AWS KMS's highly secure hardware security modules (HSMs), which are certified under the FIPS 140-2 Cryptographic Module Validation Program (with the exception of China's Beijing and Ningxia Regions).

Private and Public Keys

  • Private Key: It is generated in AWS KMS and never leaves AWS KMS unencrypted. We cannot export it in plaintext.
  • Public Key: It can be shared with anyone, including parties we don't trust. It works together with the private key, but unlike the private key it can be downloaded and used outside of AWS KMS.

Use Cases and Considerations

1. Digital Signatures

Asymmetric keys are pivotal for creating digital signatures. This is a crucial aspect of verifying the authenticity and integrity of digital documents or software. Here's how it works:

  • Signing: You use your private key to sign a document or software.
  • Verification: Others use your public key to verify the signature, ensuring it's genuinely from you and hasn't been tampered with.
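The following Go program is an added example, not code from the original post, that walks through exactly this split: the signing side represents a kms:Sign call on an ECC_NIST_P256 key with SigningAlgorithm ECDSA_SHA_256, and the verifying side uses only the DER-encoded public key that kms:GetPublicKey returns. Because the KMS private key can never leave the HSM, the example generates a local key purely as a stand-in so it runs offline; the release manifest it signs is a constructed sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// signDigest stands in for kms:Sign with SigningAlgorithm ECDSA_SHA_256 and
// MessageType DIGEST (the caller hashes locally and sends only the digest).
// In AWS KMS the private key stays inside the HSM; the local key used here
// exists only so the example runs offline. KMS returns ECDSA signatures
// DER-encoded, which is what SignASN1 produces.
func signDigest(priv *ecdsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// exportPublicKeyDER produces the same artifact kms:GetPublicKey returns:
// a DER-encoded SubjectPublicKeyInfo. This is what you distribute to verifiers.
func exportPublicKeyDER(priv *ecdsa.PrivateKey) ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&priv.PublicKey)
}

// verifyOutsideKMS checks a signature using only the downloaded public key.
// The verifier needs no AWS credentials and no kms:Verify permission.
func verifyOutsideKMS(pubDER, message, signature []byte) (bool, error) {
	parsed, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return false, fmt.Errorf("parse public key: %w", err)
	}
	pub, ok := parsed.(*ecdsa.PublicKey)
	if !ok {
		return false, fmt.Errorf("expected an ECDSA public key, got %T", parsed)
	}
	digest := sha256.Sum256(message)
	return ecdsa.VerifyASN1(pub, digest[:], signature), nil
}

// RunSignVerify runs the whole flow: sign a manifest, verify the genuine copy,
// then verify a tampered copy. It returns (genuineOK, tamperedOK, error).
func RunSignVerify() (bool, bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the KMS key
	if err != nil {
		return false, false, err
	}
	pubDER, err := exportPublicKeyDER(priv)
	if err != nil {
		return false, false, err
	}
	// Constructed sample artifact: a release manifest with a placeholder hash.
	manifest := []byte("release=myapp-1.2.3\nsha256=<placeholder-digest>\n")
	sig, err := signDigest(priv, manifest)
	if err != nil {
		return false, false, err
	}
	genuineOK, err := verifyOutsideKMS(pubDER, manifest, sig)
	if err != nil {
		return false, false, err
	}
	// Flip one bit in the manifest: the signature must no longer verify.
	tampered := append([]byte(nil), manifest...)
	tampered[len(tampered)-2] ^= 0x01
	tamperedOK, err := verifyOutsideKMS(pubDER, tampered, sig)
	return genuineOK, tamperedOK, err
}

func main() {
	genuine, tampered, err := RunSignVerify()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine manifest verifies: %v\n", genuine)
	fmt.Printf("tampered manifest verifies: %v\n", tampered)
}
```

In a real deployment only signDigest changes: it becomes a kms:Sign API call made by the release pipeline, which is the one principal that needs sign permission on the key. Everything on the verifier side stays as written, which is why the public key can be published freely.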

2. Encryption Outside AWS

If we need to encrypt data outside AWS where users can't access AWS KMS, asymmetric KMS keys are ideal. This is especially useful for:

  • Securing Emails: Encrypting email content before sending it over the internet.
  • Protecting Files: Encrypting files that are stored or shared outside the AWS environment.
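As an added example (not from the original post), the Go program below shows the encryption side of this use case running entirely outside AWS: it takes the DER-encoded public key that kms:GetPublicKey returns and encrypts with RSAES_OAEP_SHA_256, the same algorithm name the later kms:Decrypt request must specify. The decrypt step is a local stand-in for that API call, since the real private key never leaves KMS, and the 2048-bit key generated here stands in for an RSA_2048 KMS key. It also exercises the size limit a practitioner hits immediately: with RSA_2048 and OAEP-SHA256 a single encrypt call accepts at most 190 bytes.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// EncryptOutsideAWS encrypts plaintext with a public key obtained from
// kms:GetPublicKey (DER-encoded SubjectPublicKeyInfo). It makes no AWS calls,
// so a mail client or an on-prem job can run it with no credentials at all.
func EncryptOutsideAWS(pubDER, plaintext []byte) ([]byte, error) {
	parsed, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return nil, fmt.Errorf("parse public key: %w", err)
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("expected an RSA public key, got %T", parsed)
	}
	// OAEP with SHA-256 for both the hash and MGF1 matches KMS RSAES_OAEP_SHA_256.
	// Go reports rsa.ErrMessageTooLong when plaintext exceeds k - 2*hLen - 2 bytes.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// decryptStandIn plays the role of kms:Decrypt with KeyId set to the asymmetric
// key and EncryptionAlgorithm RSAES_OAEP_SHA_256. In AWS this is an API call
// authorized by the key policy; the local private key exists only for the demo.
func decryptStandIn(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, nil)
}

// RunEncryptRoundTrip returns whether a short secret round-trips and whether an
// oversized payload is rejected. For RSA_2048 with OAEP-SHA256 the ceiling is
// 2048/8 - 2*32 - 2 = 190 bytes, so bulk data is never encrypted directly.
func RunEncryptRoundTrip() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for an RSA_2048 KMS key
	if err != nil {
		return false, false, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return false, false, err
	}
	secret := []byte("constructed sample: db password to be rotated") // constructed
	ct, err := EncryptOutsideAWS(pubDER, secret)
	if err != nil {
		return false, false, err
	}
	pt, err := decryptStandIn(priv, ct)
	if err != nil {
		return false, false, err
	}
	roundTripOK := bytes.Equal(pt, secret)

	oversized := make([]byte, 191) // one byte past the RSA_2048/OAEP-SHA256 limit
	_, err = EncryptOutsideAWS(pubDER, oversized)
	oversizeRejected := err != nil
	return roundTripOK, oversizeRejected, nil
}

func main() {
	ok, rejected, err := RunEncryptRoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("45-byte secret round-trips: %v\n", ok)
	fmt.Printf("191-byte payload rejected: %v\n", rejected)
}
```

Because of that size ceiling, encrypting an email body or a file with the KMS public key directly is the wrong shape: the usual design is to encrypt the content under a fresh symmetric data key and use the asymmetric public key only to wrap that data key, which is the pattern AWS KMS's asymmetric data key pairs are built around.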

Special Note

If we're encrypting data within an AWS service, use symmetric encryption KMS keys, as AWS services integrated with AWS KMS don't support asymmetric keys.

Managing Asymmetric KMS Keys

In AWS KMS, we can create and manage these keys, set their policies, enable or disable them, and even audit their usage through AWS CloudTrail logs. We completely control these keys, ensuring they align with our security and access requirements.

Asymmetric Data Key Pairs

AWS KMS also offers asymmetric data key pairs for client-side cryptography outside of AWS KMS. The private key in this pair is protected by a symmetric encryption KMS key within AWS KMS.

Important Points to Remember for Exams

  1. Key Types: Understand the differences between RSA, ECC, and SM2 keys.
  2. Key Generation Location: Remember that keys are generated within AWS KMS HSMs, certified under FIPS 140-2.
  3. Private Key Security: The private key never leaves AWS KMS unencrypted.
  4. Public Key Distribution: Public keys can be downloaded and used outside AWS KMS.
  5. Use Cases: Know when to use asymmetric vs. symmetric KMS keys.
  6. AWS Services Compatibility: AWS services that integrate with AWS KMS do not support asymmetric encryption keys.
  7. Region Availability: Asymmetric KMS keys are available in all AWS Regions that support AWS KMS, with SM2 keys exclusive to China Regions.
  8. Management and Auditing: You can manage key policies, access, and track usage via AWS CloudTrail.

Conclusion

Understanding these key points will not only help you in exams but also give you a foundational understanding of how asymmetric keys function in AWS KMS, enhancing your knowledge of cloud security.

See also

Read about Digital Signing with Asymmetric Keys at secdops.com/blog/understanding-digital-signing-with-asymmetric-keys.
