Amazon Web Services (AWS) recently released a brand-new encryption management platform, the AWS Key Management Service (KMS). AWS KMS allows users to encrypt data and manage encryption keys for a number of popular AWS features.
This tip will take a closer look at the growing importance of encryption key management in the cloud and, specifically, AWS KMS. How does it work, and what are the benefits and drawbacks of this new cloud service?
Encryption key management in the cloud
The importance of key management cannot be overstated. For many organizations, properly encrypting data in the cloud, securely creating and retaining encryption keys, and, ideally, preventing any cloud provider staff members from accessing the keys are some of the most sought-after and important security controls in any cloud computing environment, especially infrastructure as a service (IaaS). Ideally, all keys would be generated at the time of service instantiation, then removed from the cloud and managed by the consumer. However, most cloud environments have not fully supported client-side key management, and server-side key management in the cloud has not allowed for total ownership and control by consumers -- which is often a compliance requirement.
Using AWS KMS
Amazon released its CloudHSM service in 2013 to allow customers to use a dedicated hardware storage device for key management in virtual private cloud (VPC) environments, but this was not wholly integrated with all AWS services, and still required a significant amount of manual configuration and operations to run properly.
With the release of KMS, Amazon is doubling down on encryption key management by coupling its CloudHSM services with much more granular and robust key creation, rotation, and integration tools and capabilities for most of the major AWS services used today. The hardware modules are built to industry standards under which the entire key is never stored on disk or in memory, and any access to a customer HSM requires numerous levels of approval and scrutiny. This allows customers to store keys in the AWS cloud, making access from other services and systems much simpler.
Major AWS services like S3, EBS and Redshift can now encrypt data at rest using keys controlled by AWS KMS. Customers can use the master keys -- the default keys generated when a user starts using the service -- for each service, or customers can use AWS KMS to create and manage new keys as needed. Users can also define keys for each service, application type or data classification level in Amazon.
The benefits of KMS
To get started with AWS KMS, administrators access the "Encryption Keys" section in the "IAM" service category within the Amazon AWS console. New key management profiles and policies can be defined here, too, which align with the standard model for Amazon's IAM rules and integration with all standard AWS application program interfaces (APIs). In fact, that's one of the most immediate benefits of KMS -- full integration with all AWS service APIs. In addition, new key management APIs are available that can easily make key management and integration of key access, use and lifecycle management more practical for developers and operations teams.
Another factor of KMS security that teams will appreciate is the full logging of all activities related to the service in AWS CloudTrail. Security teams can analyze KMS logs to find out how and when specific keys were used, and which services and users accessed and used them.
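The kind of CloudTrail analysis described above, as an added example that is not part of the original article: it runs over a few constructed records in the field layout KMS events use in CloudTrail (eventSource, eventName, userIdentity.arn, resources), summarizes which principal used which key and how, and flags sensitive operations by principals outside a per-key allow-list. The account ID, key IDs and principal names are placeholders.

```python
from collections import defaultdict
# Placeholder identifiers (constructed; not real account, key or principal values).
ACCOUNT = "111122223333"
KEY1 = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/KEY-ID-PLACEHOLDER-1"
KEY2 = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/KEY-ID-PLACEHOLDER-2"
APP_ROLE = f"arn:aws:sts::{ACCOUNT}:assumed-role/app-role/i-0abc"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"

def kms_event(time, name, principal, key_arn):
    """Build a CloudTrail record with the fields KMS events carry (constructed sample)."""
    return {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": principal},
            "resources": [{"type": "AWS::KMS::Key", "ARN": key_arn}]}

# Constructed sample log: the application role encrypting/decrypting with its key,
# then an IAM user decrypting with the same key and scheduling deletion of another.
SAMPLE_EVENTS = [
    kms_event("2015-01-10T12:00:01Z", "GenerateDataKey", APP_ROLE, KEY1),
    kms_event("2015-01-10T12:00:05Z", "Decrypt", APP_ROLE, KEY1),
    kms_event("2015-01-10T13:30:00Z", "Decrypt", ALICE, KEY1),
    kms_event("2015-01-10T13:31:00Z", "ScheduleKeyDeletion", ALICE, KEY2),
]

def key_usage_by_principal(events):
    """Answer 'how, when and by whom was each key used': {(key, principal): {event: count}}."""
    usage = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue  # ignore non-KMS records in a mixed CloudTrail stream
        principal = ev.get("userIdentity", {}).get("arn", "unknown")
        for res in ev.get("resources", []):
            if res.get("type") == "AWS::KMS::Key":
                usage[(res["ARN"], principal)][ev["eventName"]] += 1
    return {k: dict(v) for k, v in usage.items()}

# KMS operations worth alerting on when performed by an unexpected principal.
SENSITIVE_EVENTS = {"Decrypt", "GenerateDataKey", "ScheduleKeyDeletion", "DisableKey"}
def unexpected_key_use(events, allowed):
    """Flag sensitive calls by principals outside each key's allow-list ({key: {principals}})."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or ev["eventName"] not in SENSITIVE_EVENTS:
            continue
        principal = ev.get("userIdentity", {}).get("arn", "unknown")
        for res in ev.get("resources", []):
            if res.get("type") == "AWS::KMS::Key" and principal not in allowed.get(res["ARN"], set()):
                findings.append((ev["eventTime"], ev["eventName"], principal, res["ARN"]))
    return findings
```

Real CloudTrail records carry more fields (sourceIPAddress, requestParameters with the encryption context, and so on), which the same loop can pick up once the allow-list approach is in place.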
At a cost of $1 per key version, per month, this new service may very well be the most affordable key management product available for the cloud today. API requests cost $0.03 per 10,000 requests, as well.
KMS will likely be a service that existing AWS customers find immediately usable, and security teams will see immediate benefits to employing KMS for all AWS services that support it. There are no apparent drawbacks to the service -- existing customers gain more control over keys and improved security processes, and potential customers of cloud services may be able to implement cloud projects that had previously been off the table due to encryption and key management requirements.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.