KMS

  • Create/manage Customer master key
  • Enable/disable CMKs
  • Schedule CMKs for deletion
  • Configure key policies and grants
  • Key Material
    • AWS managed - Default - The KM is automatically rotated every 3 years (cannot be changed).
    • Customer managed - AWS generated KM - rotated every year automatically.
    • Customer managed - Customer generated KM- manually rotated KM - but upto customer when they want to do rotation. 
  • Key Rotation - is accomplished by updating the backing key material. Old material is retained for decryption.
  • Key Types
    • Symmetric - Single key for both encrypt and decrypt operations. - Default - Best practice.
    • Asymmetric - Public and Private key pair for  encrypt and decrypt operations.
  • Key deletion - Waiting period between 7 and 30 days before key is deleted.
  • For external key material - wrapping algo which will be used to encrypt the KM. 
  • (CMKs) Master keys thus created has size limitation of 4 KB only.
  • Envelope encryption - Master keys are used to generate data key by API call. Data key can be used for encryption and decryption and they have no size limit on data.
    • Step 1 - Create data key
    • Step 2 - Encrypt data using data key
    • Step 3 - Encrypt data key using master key (The enc' data key is stored alongside enc' data).
    • Step 4 - To decrypt - First decrypt the data key using master key and then decrypt the data using data key. 
  • KMS - AWS Key Management Service (AWS KMS) is a service that combines secure, highly available hardware and software to provide a key management system scaled for the cloud.
    1. If you use CMKs, you use AWS KMS to centrally create CMKs, define the policies that control how CMKs can be used, and audit their usage to prove that they are being used correctly. 
    2. When you use SSE-KMS encryption with an S3 bucket, the AWS KMS CMK must be in the same Region as the bucket.
    3.  If you want to use a customer managed CMK for SSE-KMS, create the CMK before you configure SSE-KMS. 
    4. enable-key-rotation enables automatic rotation of a customer managed customer master key (CMK). The CMK will be rotated one year (365 days) from the date that this command completes and every year thereafter.
    5. CMKs can be broken down into two general types: AWS-managed and customer-managed. An AWS-managed CMK is created when you choose to enable server-side encryption of an AWS resource under the AWS-managed CMK for that service for the first time (e.g., SSE-KMS). AWS managed CMK is rotated once every three years automatically. For more control, a best practice is to use a customer-managed CMK in all supported AWS services and in your applications.
    6. For customer-managed CMKs, you have two options for creating the underlying key material. When you choose to create a CMK using AWS KMS, you can let KMS create the cryptographic material for you, or you can choose to import your own key material. Both of these options provide you with the same level of control and auditing for the use of the CMK. 

Comments

Post a Comment

Popular posts from this blog

AWS Organizations, IAM

Image
Active Directory AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. AD Connector comes in two sizes, small and large. You can spread application loads across multiple AD Connectors to scale to your performance needs.  AD Connector is your best choice when you want to use your existing on-premises directory with AWS services. AD Connectors and your on-premises AD domains have a 1-to-1 relationship.  Your end users and IT administrators can use their existing corporate credentials to log on to AWS applications such as WorkSpaces, Amazon WorkDocs, or Amazon WorkMail. Simple AD is a standalone managed directory.  Small - Supports up to 500 users,  Large - Supports up to 5,000 users.  Simple AD does not support features such as multi-factor authentication (MFA), trust relationships with other domains.  AWS Directory Service lets you run Microsoft Active Directory (AD)
Read more

Key Concepts

A  resource group  is a collection of AWS resources that are all in the same AWS Region, and that match the criteria specified in the group's query.  Tag-based queries include lists of resources and tags.  In an AWS CloudFormation stack-based query, you choose an AWS CloudFormation stack in your account in the current region, and then choose resource types within the stack that you want to be in the group.   You can use  resource groups  to organize your AWS resources. AWS Resource Groups is the service that lets you manage and automate tasks on large numbers of resources at one time.  With Resource Groups, you can create a custom console that organizes and consolidates information based on criteria specified in tags, or the resources in an AWS CloudFormation stack.  Transfer Family - Supports connecting to S3 or EFS through FTPS/SFTP/FTP protocols.  The hostname for the endpoint can also configured with R53.  The transfer family can be associated with Elastic IP. Security group pe
Read more

Linear Algebra Concepts

Vector Spaces Rank of matrix is the number of non zero rows in REF form. Alternatively rank of matrix is = total number of columns - total number of dependent columns. In the REF form, If a column of a matrix can be expressed in terms of other columns then it is a dependent vector. The vectors on the left most side with leading 1 at the col number position ( 1 at 1st row 1st col, 1 at 2nd row 2nd col, likewise) then such columns are linearly independent columns. For linerarly independence a1v1+a2v2+a3v3=0 where v1,v2,v3 are vectors and a1,a2,a3 are scalars. Span of a vector space is all the possible vectors which can be formed using the basis vectors. Basis vectors are linearly independent vectors which can span the vector space. Column space is all possible set of vectors formed by the column vectors. Row space is all possible set of vectors formed by the row vectors. Dimension of a row space or column space is equal to its rank. Null space or kernel of a matrix is any vector x which
Read more