
AWS Key Management Service

AWS Key Management Service: Developer Guide

Copyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What is AWS Key Management Service? ... 1
  Concepts ... 2
    Customer Master Keys ... 2
    Data Keys ... 3
    Envelope Encryption ... 4
    Encryption Context ... 5
    Key Policies ... 6
    Grants ... 6
    Grant Tokens ... 6
    Auditing CMK Usage ... 6
    Key Management Infrastructure ... 7
Getting Started ... 8
  Creating Keys ... 8
    Creating CMKs (Console) ... 8
    Creating CMKs (API) ... 9
  Viewing Keys ... 10
    Viewing CMKs (Console) ... 10
    Viewing CMKs (API) ... 12
    Finding the Key ID and ARN ... 15
  Editing Keys ... 16
    Editing CMKs (Console) ... 16
    Editing CMKs (API) ... 19
  Tagging Keys ... 20
    Managing CMK Tags (Console) ... 20
    Managing CMK Tags (API) ... 21
  Enabling and Disabling Keys ... 22
    Enabling and Disabling CMKs (Console) ... 22
    Enabling and Disabling CMKs (API) ... 23
Authentication and Access Control ... 24
  Authentication ... 24
  Access Control ... 25
  Overview of Managing Access ... 25
    AWS KMS Resources and Operations ... 26
    Managing Access to AWS KMS CMKs ... 26
    Specifying Permissions in a Policy ... 27
    Specifying Conditions in a Policy ... 28
  Using Key Policies ... 28
    Overview of Key Policies ... 28
    Default Key Policy ... 29
    Example Key Policy ... 35
    Changing a Key Policy ... 38
    Keeping Key Policies Up to Date ... 42
  Using IAM Policies ... 44
    Overview of IAM Policies ... 44
    Permissions Required to Use the AWS KMS Console ... 45
    AWS Managed (Predefined) Policies for AWS KMS ... 45
    Customer Managed Policy Examples ... 45
    AWS KMS API Permissions Reference ... 47
  Using Policy Conditions ... 53
    AWS Global Condition Keys ... 53
    AWS KMS Condition Keys ... 55
  Using Grants ... 71
  Determining Access ... 73
    Understanding Policy Evaluation ... 73
    Examining the Key Policy ... 74
    Examining IAM Policies ... 77
    Examining Grants ... 78
Rotating Keys ... 80
  How Automatic Key Rotation Works ... 81
  How to Enable and Disable Automatic Key Rotation ... 81
    Enabling and Disabling Key Rotation in the Console ... 82
    Enabling and Disabling Key Rotation with the API ... 82
  Rotating Keys Manually ... 83
Importing Key Material ... 85
  About Imported Key Material ... 85
    How To Import Key Material ... 86
    How to Reimport Key Material ... 86
    How to Identify CMKs with Imported Key Material ... 87
  Step 1: Create a CMK with No Key Material ... 88
    Create a CMK with No Key Material (AWS Management Console) ... 88
    Create a CMK with No Key Material (AWS KMS API) ... 89
  Step 2: Download the Public Key and Import Token ... 90
    Download the Public Key and Import Token (AWS Management Console) ... 91
    Download the Public Key and Import Token (AWS KMS API) ... 92
  Step 3: Encrypt the Key Material ... 93
    Example: Encrypt Key Material with OpenSSL ... 93
  Step 4: Import the Key Material ... 94
    Import Key Material (AWS Management Console) ... 94
    Import Key Material (AWS KMS API) ... 95
  Deleting Key Material ... 95
    How Deleting Key Material Affects AWS Services Integrated With AWS KMS ... 96
    Delete Key Material (AWS Management Console) ... 96
    Delete Key Material (AWS KMS API) ... 97
Deleting Customer Master Keys ... 98
  How Deleting CMKs Works ... 98
    How Deleting CMKs Affects Integrated AWS Services ... 99
  Scheduling and Canceling Key Deletion ... 99
    Using the AWS Management Console ... 100
    Using the AWS CLI ... 100
    Using the AWS SDK for Java ... 101
  Adding Permission to Schedule and Cancel Key Deletion ... 101
    Using the AWS Management Console ... 102
    Using the AWS CLI ... 103
  Creating an Amazon CloudWatch Alarm ... 104
    Requirements for a CloudWatch Alarm ... 104
    Create the CloudWatch Alarm ... 105
  Determining Past Usage of a CMK ... 107
    Examining CMK Permissions to Determine the Scope of Potential Usage ... 107
    Examining AWS CloudTrail Logs to Determine Actual Usage ... 107
How Key State Affects Use of a Customer Master Key ... 110
How AWS Services Use AWS KMS ... 114
  AWS CloudTrail ... 114
    Understanding When Your CMK is Used ... 114
    Understanding How Often Your CMK is Used ... 118
  Amazon DynamoDB ... 119
    Using CMKs and Data Keys ... 119
    Authorizing Use of the Service Default Key ... 121
    DynamoDB Encryption Context ... 122
    Monitoring DynamoDB Interaction with AWS KMS ... 123
  Amazon Elastic Block Store (Amazon EBS) ... 126
    Amazon EBS Encryption ... 126
    Amazon EBS Encryption Context ... 127
    Detecting Amazon EBS Failures ... 127
    Using AWS CloudFormation to Create Encrypted Amazon EBS Volumes ... 128
  Amazon Elastic Transcoder ... 128
    Encrypting the Input File ... 128
    Decrypting the Input File ... 129
    Encrypting the Output File ... 130
    HLS Content Protection ... 131
    Elastic Transcoder Encryption Context ... 131
  Amazon EMR ... 132
    Encrypting Data on the EMR File System (EMRFS) ... 132
    Encrypting Data on the Storage Volumes of Cluster Nodes ... 134
    Encryption Context ... 135
  Amazon Redshift ... 135
    Amazon Redshift Encryption ... 136
    Encryption Context ... 136
  Amazon Relational Database Service (Amazon RDS) ... 136
    Amazon RDS Encryption Context ... 137
  AWS Secrets Manager ... 137
    Protecting the Secret Value ... 138
    Encrypting and Decrypting Secrets ... 138
    Using Your AWS KMS CMK ... 140
    Authorizing Use of the CMK ... 141
    Secrets Manager Encryption Context ... 142
    Monitoring Secrets Manager Interaction with AWS KMS ... 143
  Amazon Simple Email Service (Amazon SES) ... 145
    Overview of Amazon SES Encryption Using AWS KMS ... 145
    Amazon SES Encryption Context ... 146
    Giving Amazon SES Permission to Use Your AWS KMS Customer Master Key (CMK) ... 146
    Retrieving and Decrypting Email Messages ... 147
  Amazon Simple Storage Service (Amazon S3) ... 147
    Server-Side Encryption: Using SSE-KMS ... 148
    Using the Amazon S3 Encryption Client ... 148
    Encryption Context ... 149
  AWS Systems Manager Parameter Store ... 149
    Encrypting and Decrypting Secure String Parameters ... 149
    Setting Permissions to Encrypt and Decrypt Parameter Values ... 151
    Parameter Store Encryption Context ... 152
    Troubleshooting CMK Issues in Parameter Store ... 153
  Amazon WorkMail ... 153
    Amazon WorkMail Overview ... 153
    Amazon WorkMail Encryption ... 154
    Amazon WorkMail Encryption Context ... 155
  Amazon WorkSpaces ... 156
    Overview of Amazon WorkSpaces Encryption Using AWS KMS ... 156
    Amazon WorkSpaces Encryption Context ... 157
    Giving Amazon WorkSpaces Permission to Use a CMK on Your Behalf ... 157
Monitoring Customer Master Keys ... 160
  Monitoring Tools ... 160
    Automated Tools ... 160
    Manual Tools ... 161
  Monitoring with CloudWatch ... 161
    Metrics and Dimensions ... 162
    Creating Alarms ... 163
    AWS KMS Events ... 164
Logging AWS KMS API Calls with AWS CloudTrail ... 167
  AWS KMS Information in CloudTrail ... 167
  Understanding AWS KMS Log File Entries ... 168
    CreateAlias ... 168
    CreateGrant ... 169
    CreateKey ... 170
    Decrypt ... 171
    DeleteAlias ... 171
    DescribeKey ... 172
    DisableKey ... 174
    EnableKey ... 174
    Encrypt ... 175
    GenerateDataKey ... 176
    GenerateDataKeyWithoutPlaintext ... 176
    GenerateRandom ... 177
    GetKeyPolicy ... 177
    ListAliases ... 178
    ListGrants ... 179
    ReEncrypt ... 179
    Amazon EC2 Example One ... 180
    Amazon EC2 Example Two ... 182
Using a VPC Endpoint ... 187
  Create a VPC Endpoint ... 188
    Creating a VPC Endpoint (Console) ... 188
    Creating an AWS KMS VPC Endpoint (AWS CLI) ... 189
  Connecting to a VPC Endpoint ... 190
  Using a VPC Endpoint in a Policy Statement ... 191
  Audit the CMK Use for Your VPC ... 193
Programming the AWS KMS API ... 194
  Creating a Client ... 194
  Working With Keys ... 195
    Creating a Customer Master Key ... 195
    Generating a Data Key ... 197
    Viewing a Custom Master Key ... 199
    Getting Key IDs and Key ARNs of Customer Master Keys

