The following FAQs do not apply to AWS KMS in the AWS China (Beijing) Region, operated by Sinnet, and the AWS China (Ningxia) Region, operated by NWCD. Please visit this FAQ link for content relevant to these two China regions.

Q: What is AWS Key Management Service (AWS KMS)?
Q: Why should I use AWS KMS?
Q: How do I get started with AWS KMS?
Q: In what Regions is AWS KMS available?
Q: What key management features are available in AWS KMS?
You can perform the following key management functions:
* The use of custom key stores requires CloudHSM resources to be available in your account.

Q: How does AWS KMS work?
You start using the service by requesting the creation of an AWS KMS key. You control the lifecycle of the KMS key as well as who can use or manage it. The key material for a KMS key is generated within hardware security modules (HSMs) managed by AWS KMS. Alternatively, you can import key material from your own key management infrastructure and associate it with a KMS key. You can also have the key material generated and used in an AWS CloudHSM cluster as part of the custom key store feature in AWS KMS. Once you have created a KMS key using any of the three supported options, you can submit data directly to AWS KMS to be signed, verified, encrypted, or decrypted using that KMS key. You set usage policies on these keys that determine which users can perform which actions under which conditions.

AWS services and client-side toolkits that integrate with AWS KMS use a method known as envelope encryption to protect your data. Under this method, AWS KMS generates data keys, which are used to encrypt data locally in the AWS service or in your application. The data keys are themselves encrypted under a KMS key you define. Data keys are not retained or managed by AWS KMS. AWS services encrypt your data and store an encrypted copy of the data key along with the encrypted data. When a service needs to decrypt your data, it asks AWS KMS to decrypt the data key using your KMS key. If the user requesting data from the AWS service is authorized to decrypt under your KMS key, the AWS service receives the decrypted data key from AWS KMS. The AWS service then decrypts your data and returns it in plaintext. All requests to use your KMS keys are logged in AWS CloudTrail, so you can understand who used which key, under what context, and when.

Q: Where is my data encrypted if I use AWS KMS?
Q: Which AWS cloud services are integrated with AWS KMS?
AWS KMS is seamlessly integrated with most other AWS services to make encrypting data in those services as easy as checking a box. In some cases data is encrypted by default using keys that are stored in AWS KMS but owned and managed by the AWS service in question. In many cases the AWS KMS keys are owned and managed by you within your account. Some services give you the choice of managing the keys yourself or allowing the service to manage the keys on your behalf. See the list of AWS services currently integrated with AWS KMS. See the AWS KMS Developer’s Guide for more information on how integrated services use AWS KMS.
Q: Why use envelope encryption? Why not just send data to AWS KMS to encrypt directly?
Q: What’s the difference between a KMS key I create and KMS keys created automatically for me by other AWS services?
Q: Why should I create my own AWS KMS keys?
Q: Can I bring my own keys to AWS KMS?
Q: When would I use an imported key?
Q: What type of keys can I import?
Q: How is the key that I import into AWS KMS protected in transit?
Q: What’s the difference between a key I import and a key I generate in AWS KMS?
Q: Can I rotate my keys?
Q: Do I have to re-encrypt my data after keys in AWS KMS are rotated?
If you manually rotate your imported or custom key store keys, you may have to re-encrypt your data, depending on whether you decide to keep old versions of the keys available.
Q: Can I delete a key from AWS KMS?
For customer-managed AWS KMS keys with imported key material, you can delete the key material without deleting the AWS KMS key ID or metadata in two ways. First, you can delete your imported key material on demand without a waiting period. Second, at the time of importing the key material into the AWS KMS key, you may define an expiration time for how long AWS can use your imported key material before it is deleted. You can re-import your key material into the AWS KMS key if you need to use it again.
Q: What should I do if my imported key material has expired or I accidentally deleted it?
Q: Can I be alerted that I need to re-import the key?
Q: Can I use AWS KMS to help manage encryption of data outside of AWS cloud services?
Q: Is there a limit to the number of keys I can create in AWS KMS?
Q: What symmetric key types and algorithms are supported?
Q: What kinds of asymmetric key types are supported?
Q: What kinds of asymmetric encryption algorithms are supported?
Q: What kinds of asymmetric signing algorithms are supported?
Q: Can symmetric KMS keys be exported out of the service in plain text?
Q: Can data keys and data key pairs be exported out of the HSMs in plain text?
Q: How are data keys and data key pairs protected for storage outside the service?
Q: How do I use the public portion of an asymmetric KMS key?
Q: What is the size limit for data sent to AWS KMS for asymmetric operations?
Q: How can I distinguish between asymmetric and symmetric KMS keys I have created?
Q: Is automatic rotation of asymmetric KMS keys supported?
Q: Can a single asymmetric KMS key be used for both encryption and signing?
Q: Are there service limits related to asymmetric keys?
Q: Do asymmetric keys work with AWS KMS custom key stores or the Import Key feature?
Q: Can I use asymmetric KMS keys for digital signing applications that require digital certificates?
Q: For what use scenarios should I use AWS Private Certificate Authority vs. AWS KMS?
AWS Private CA allows you to issue certificates to identify web and application servers, service meshes, VPN users, internal API endpoints, and IoT devices. Certificates let you establish the identity of these resources and create encrypted TLS/SSL communication channels. If you are considering using asymmetric keys for TLS termination on web or application servers, Elastic Load Balancers, API Gateway endpoints, EC2 instances, or containers, you should consider using AWS Private CA for issuing certificates and providing a PKI infrastructure. In contrast, AWS KMS lets you generate, manage, and use asymmetric keys for digital signing and/or encryption operations that don’t require certificates. While certificates enable verification of sender and recipient identity between untrusted parties, the raw asymmetric operations offered by AWS KMS are typically useful when you have other mechanisms to prove identity, or don’t need to prove it at all to get the security benefit you desire.
Q: Can I use my applications’ cryptographic API providers such as OpenSSL, JCE, Bouncy Castle, or CNG with AWS KMS?
Q: Does AWS KMS offer a Service Level Agreement (SLA)?

Q: Which refers to a situation in which keys are managed by a third party?
Key escrow (also known as a "fair" cryptosystem) is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys.
Q: What is the name for a trusted third party that issues digital certificates?
A certificate authority (CA) is a trusted entity that issues Secure Sockets Layer (SSL) certificates. These digital certificates are data files used to cryptographically link an entity with a public key.

Q: What are the public and private keys in a certificate?
The public key is made available to anyone who wants to verify the identity of the certificate holder, while the private key is a unique key that is kept secret. This enables the certificate holder to digitally sign documents, emails, and other information without a third party being able to impersonate them.

Q: What is the purpose of a CA in a PKI system?
A public key system relies on asymmetric cryptography, which consists of a public and private key pair. The Certificate Authority (CA) certifies the ownership of the key pairs and completes the PKI setup. The ultimate goal of a PKI is identity and access management for a secure network.