Understanding AWS KMS Keys - Customer Keys and AWS Keys

all aws aws cost management aws kms aws security Jan 25, 2024

Introduction

AWS KMS is an essential component for managing encryption keys in the AWS ecosystem. Understanding the different types of keys - Customer Managed Keys, AWS Managed Keys, and AWS Owned Keys - and their use cases is crucial for both practical implementation and for those preparing for AWS exams. This blog post aims to demystify these concepts.

Customer Managed Keys

Customer Managed Keys are the keys that we, as an AWS customer, create, own, and manage within our AWS account.

Characteristics and Use Cases

  • Full Control: We have complete authority over these keys. This includes setting up key policies, IAM policies, and grants.
  • Flexibility: We can enable or disable these keys, rotate their cryptographic material, add tags, create aliases, and schedule them for deletion.
  • Visibility and Audit: These keys can be used in cryptographic operations, and their usage can be audited via AWS CloudTrail logs.
  • Pricing: Customer-managed keys incur a monthly fee and a per-use fee, which is counted against AWS KMS quotas for our account.
  • Logging: Every request made to these keys is recorded as events in CloudTrail.

When to Use

Use Customer Managed Keys when we need full control over the encryption keys, such as for compliance requirements or specific organizational policies.

AWS Managed Keys

AWS Managed Keys (e.g., aliases starting with aws/rds, aws/ebs) are created and managed by AWS in our account with automatic yearly rotation and have no monthly fee; per-use fees may apply. We can view these keys and their usage in CloudTrail.

Characteristics and Use Cases

  • Ease of Use: These keys do not require any management effort on our part. AWS handles the creation, maintenance, and policy management.
  • Automatic Rotation: They are rotated automatically every year (365 days) without any intervention needed from our side.
  • Cost-Effective: There is no monthly fee for AWS Managed Keys, though per-use fees might apply (covered by some AWS services).
  • Logging: Every request made to these keys is recorded as events in CloudTrail.

When to Use

AWS Managed Keys are suitable when we do not require specific control over our encryption keys but still need to view the key policies and audit the key usage using CloudTrail logs.

AWS Owned Keys

AWS-owned keys are owned and managed by AWS outside our account and will be used across AWS accounts for specific services, such as Amazon S3, for the default encryption. We cannot see these keys in our KMS dashboard, and we cannot see their usage in CloudTrail logs. 

Characteristics and Use Cases

  • Zero Cost: These keys are free of charge with no monthly or usage fees.
  • Simplicity: No need to create or maintain these keys.
  • Rotation Policy: Varies across different AWS services.

When to Use

AWS-owned keys are ideal for scenarios where we require a simple and cost-effective solution and do not need to audit or control the encryption keys.

Important Points to Remember for Exams

  • Customer Managed Keys: Full control, includes key creation and management, incurs monthly and per-use fees.
  • AWS Managed Keys: Managed by AWS, no monthly fee, automatic yearly rotation, per-use fees may apply.
  • AWS Owned Keys: Owned by AWS for multiple accounts, no cost, rotation policy varies, no need for creation or management.
  • Rotation Policy: AWS Managed Keys are rotated every year; the policy for AWS Owned Keys varies per service.
  • Billing: Only Customer Managed Keys incur a monthly fee; AWS Managed Keys and AWS Owned Keys do not.
  • Access and Visibility: We have access to the metadata of Customer Managed and AWS Managed Keys, but not for AWS Owned Keys.
  • Use in Cryptographic Operations: Customer Managed Keys can be directly used, while AWS Managed and Owned Keys are used by AWS services.

Conclusion

Understanding these key types and their use cases is vital for effective cloud security management and for excelling in AWS-related exams. Remember, the choice of key type should align with your organizational requirements, whether it be control, ease of use, or cost-effectiveness.

See also

Read about key rotation for customer managed keys at cloudericks.com/blog/understanding-key-rotation-for-customer-managed-keys-with-aws-kms.

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.

We hate SPAM. We will never sell your information, for any reason.