Transcription of AWS Key Management Service - …
1 AWS Key Management ServiceDeveloper GuideAWS Key Management Service Developer GuideAWS Key Management Service : Developer GuideCopyright 2018 Amazon Web services , Inc. and/or its affiliates. All rights 's trademarks and trade dress may not be used in connection with any product or Service that is not Amazon's, in any mannerthat is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks notowned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored Key Management Service Developer GuideTable of ContentsWhat is AWS Key Management Service ?
2 1 Concepts .. 2 Customer Master Keys .. 2 Data Keys .. 3 Envelope Encryption .. 4 Encryption Context .. 5 Key Policies .. 6 Grants.. 6 Grant Tokens .. 6 Auditing CMK Usage.. 6 Key Management Infrastructure .. 7 Getting Started .. 8 Creating Keys .. 8 Creating CMKs (Console) .. 8 Creating CMKs (API) .. 9 Viewing Keys .. 10 Viewing CMKs (Console) .. 10 Viewing CMKs (API).. 12 Finding the Key ID and ARN.. 15 Editing Keys .. 16 Editing CMKs (console) .. 16 Editing CMKs (API).
3 19 Tagging Keys .. 20 Managing CMK Tags (Console) .. 20 Managing CMK Tags (API) .. 21 Enabling and Disabling Keys .. 22 Enabling and Disabling CMKs (Console) .. 22 Enabling and Disabling CMKs (API).. 23 Authentication and Access Control .. 24 Authentication.. 24 Access Control .. 25 Overview of Managing Access .. 25 AWS KMS Resources and Operations .. 26 Managing Access to AWS KMS CMKs .. 26 Specifying Permissions in a Policy .. 27 Specifying Conditions in a Policy.
4 28 Using Key Policies .. 28 Overview of Key Policies .. 28 Default Key Policy .. 29 Example Key Policy .. 35 Changing a Key Policy .. 38 Keeping Key Policies Up to Date .. 42 Using IAM Policies .. 44 Overview of IAM Policies .. 44 Permissions Required to Use the AWS KMS Console .. 45 AWS Managed (Predefined) Policies for AWS KMS .. 45 Customer Managed Policy Examples .. 45 AWS KMS API Permissions Reference .. 47 Using Policy Conditions .. 53 AWS Global Condition Keys .. 53 AWS KMS Condition Keys.
5 55 Using Grants.. 71 Determining Access .. 73 Understanding Policy Evaluation .. 73iiiAWS Key Management Service Developer GuideExamining the Key Policy .. 74 Examining IAM Policies .. 77 Examining Grants.. 78 Rotating Keys .. 80 How Automatic Key Rotation Works .. 81 How to Enable and Disable Automatic Key Rotation .. 81 Enabling and Disabling Key Rotation in the Console .. 82 Enabling and Disabling Key Rotation with the API .. 82 Rotating Keys Manually .. 83 Importing Key Material .. 85 About Imported Key Material.
6 85 How To Import Key Material .. 86 How to Reimport Key Material .. 86 How to Identify CMKs with Imported Key Material .. 87 Step 1: Create a CMK with No Key Material .. 88 Create a CMK with No Key Material (AWS Management Console) .. 88 Create a CMK with No Key Material (AWS KMS API) .. 89 Step 2: Download the Public Key and Import Token .. 90 Download the Public Key and Import Token (AWS Management Console) .. 91 Download the Public Key and Import Token (AWS KMS API) .. 92 Step 3: Encrypt the Key Material.
7 93 Example: Encrypt Key Material with OpenSSL .. 93 Step 4: Import the Key Material .. 94 Import Key Material (AWS Management Console) .. 94 Import Key Material (AWS KMS API) .. 95 Deleting Key Material .. 95 How Deleting Key Material Affects AWS services Integrated With AWS KMS .. 96 Delete Key Material (AWS Management Console) .. 96 Delete Key Material (AWS KMS API) .. 97 Deleting Customer Master Keys .. 98 How Deleting CMKs Works .. 98 How Deleting CMKs Affects Integrated AWS services .
8 99 Scheduling and Canceling Key Deletion .. 99 Using the AWS Management Console .. 100 Using the AWS CLI .. 100 Using the AWS SDK for Java .. 101 Adding Permission to Schedule and Cancel Key Deletion .. 101 Using the AWS Management Console .. 102 Using the AWS CLI .. 103 Creating an Amazon CloudWatch Alarm.. 104 Requirements for a CloudWatch Alarm.. 104 Create the CloudWatch Alarm.. 105 Determining Past Usage of a CMK .. 107 Examining CMK Permissions to Determine the Scope of Potential Usage.
9 107 Examining AWS CloudTrail Logs to Determine Actual Usage .. 107 How Key State Affects Use of a Customer Master Key .. 110 How AWS services use AWS KMS .. 114 AWS CloudTrail .. 114 Understanding When Your CMK is Used .. 114 Understanding How Often Your CMK is Used .. 118 Amazon DynamoDB .. 119 Using CMKs and Data Keys .. 119 Authorizing Use of the Service Default Key .. 121 DynamoDB Encryption Context .. 122 Monitoring DynamoDB Interaction with AWS KMS .. 123 Amazon Elastic Block Store (Amazon EBS).
10 126 Amazon EBS Encryption .. 126ivAWS Key Management Service Developer GuideAmazon EBS Encryption Context .. 127 Detecting Amazon EBS Failures .. 127 Using AWS CloudFormation to Create Encrypted Amazon EBS Volumes .. 128 Amazon Elastic Transcoder .. 128 Encrypting the input file .. 128 Decrypting the input file .. 129 Encrypting the output file .. 130 HLS Content Protection .. 131 Elastic Transcoder Encryption Context .. 131 Amazon EMR .. 132 Encrypting Data on the EMR File System (EMRFS).