3 Things: Developing with AWS KMS

There's a lot that goes into cryptographic key management: creation, rotation, expiry, replacement, revocation, and so on. AWS Key Management Service performs all of these operations and also integrates seamlessly with many AWS services, such as S3, SNS and SQS. Simply put, key management is hard, and AWS Key Management Service can greatly simplify your cryptography story.

As much as AWS KMS can simplify cryptographic key management for your organization, there are some gotchas that you should be aware of when developing solutions using AWS Key Management Service.


What Exactly is a KMS Key?

Conceptually, an AWS KMS Key is not what many think of as a "key." A KMS Key does not contain the actual cryptographic key, called key material, but a reference to it. This reference is stored in the key metadata, which also holds things like the key ID, the state of the key, the key spec, the date the key was created, and the key's description.

The following is an example of using the AWS .NET SDK to get a list of keys.

using System;
using System.Threading.Tasks;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;

// Top-level statements (C# 9+) allow await here; credentials and region come
// from the default SDK credential and region providers.
var kmsClient = new AmazonKeyManagementServiceClient();
var listKeysRequest = new ListKeysRequest();
// Awaiting the call yields the ListKeysResponse itself, not a Task.
// Note that ListKeys is paginated: check response.Truncated / NextMarker for more.
ListKeysResponse listKeysResponse = await kmsClient.ListKeysAsync(listKeysRequest);
listKeysResponse.Keys.ForEach(key =>
{
    Console.WriteLine($"ID: {key.KeyId}, {key.KeyArn}");
});

AWS Managed Keys

Using AWS managed keys is like using the easy button. In a matter of seconds you can spin up a new key. It's so fast and simple, it almost seems too good to be true. And, for some use cases, it is. AWS managed keys lack the flexibility of customer managed keys. When an AWS managed key is created, the key is set up for automatic rotation. Automatic rotation is required, not optional, with AWS managed keys. Importantly, the schedule for automatic rotation is no longer three years and has been reduced to one year.

Below is an example of using the AWS CLI to describe a key. This command prints the key metadata, including AWSAccountId, KeyId, KeyState, etc.

$ aws kms describe-key \
    --key-id (my-key-id)

Customer Managed Keys

Customer managed keys provide more flexibility than AWS managed keys. With customer managed keys, automatic rotation is optional. If your solution requires key rotation, you can choose to rotate your keys manually or automatically. If you choose automatic key rotation, the schedule for rotation is one year. In addition to optional automatic rotation, AWS customers can create and manage key policies, grants, tags, aliases, and so on.

Below is an example of using the AWS CLI to enable key rotation for a customer managed key.

$ aws kms enable-key-rotation \
    --key-id (my-key-id)
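The two sections above (AWS managed keys, where rotation is mandatory, and customer managed keys, where it is optional) suggest a simple audit: given the JSON that `aws kms describe-key` and `aws kms get-key-rotation-status` print, flag customer managed keys that are enabled but not rotating, and keys that are disabled or pending deletion. The following Python is an added example, not code from the article; the key IDs, ARNs and account ID in it are made-up placeholders, and the JSON samples are constructed to match the shape of the CLI output rather than captured from a real account.

```python
"""Offline audit of AWS KMS key metadata in the shape the AWS CLI prints it."""
import json

# Findings the audit can produce (kept as constants so callers can match on them).
NO_ROTATION = "customer managed key without automatic rotation"
PENDING_DELETION = "key is pending deletion"
NOT_ENABLED = "key is not enabled"

# Constructed samples shaped like `aws kms describe-key --key-id <id>` output.
# Account id, key ids and ARNs are placeholders, not real resources.
_ACCOUNT = "111122223333"


def _describe(key_id, manager, state, origin="AWS_KMS", spec="SYMMETRIC_DEFAULT"):
    """Build one describe-key style JSON document (constructed sample)."""
    return json.dumps({"KeyMetadata": {
        "AWSAccountId": _ACCOUNT,
        "KeyId": key_id,
        "Arn": f"arn:aws:kms:us-east-1:{_ACCOUNT}:key/{key_id}",
        "Description": f"sample key {key_id[:4]}",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": state,
        "Origin": origin,
        "KeyManager": manager,
        "KeySpec": spec,
    }})


DESCRIBE_KEY_OUTPUT = {
    "aaaa1111-0000-4000-8000-000000000001": _describe("aaaa1111-0000-4000-8000-000000000001", "AWS", "Enabled"),
    "bbbb2222-0000-4000-8000-000000000002": _describe("bbbb2222-0000-4000-8000-000000000002", "CUSTOMER", "Enabled"),
    "cccc3333-0000-4000-8000-000000000003": _describe("cccc3333-0000-4000-8000-000000000003", "CUSTOMER", "Enabled"),
    "dddd4444-0000-4000-8000-000000000004": _describe("dddd4444-0000-4000-8000-000000000004", "CUSTOMER", "PendingDeletion"),
    "eeee5555-0000-4000-8000-000000000005": _describe("eeee5555-0000-4000-8000-000000000005", "CUSTOMER", "Enabled", origin="EXTERNAL"),
    "ffff6666-0000-4000-8000-000000000006": _describe("ffff6666-0000-4000-8000-000000000006", "CUSTOMER", "Disabled"),
}

# Constructed samples shaped like `aws kms get-key-rotation-status --key-id <id>` output.
ROTATION_STATUS_OUTPUT = {
    "aaaa1111-0000-4000-8000-000000000001": json.dumps({"KeyRotationEnabled": True}),
    "bbbb2222-0000-4000-8000-000000000002": json.dumps({"KeyRotationEnabled": False}),
    "cccc3333-0000-4000-8000-000000000003": json.dumps({"KeyRotationEnabled": True}),
}


def is_customer_managed(metadata):
    """KeyManager distinguishes AWS managed ("AWS") from customer managed ("CUSTOMER") keys."""
    return metadata.get("KeyManager") == "CUSTOMER"


def rotation_applies(metadata):
    """Automatic rotation only exists for symmetric keys whose material KMS generated itself;
    imported (Origin EXTERNAL) or asymmetric keys must be rotated manually."""
    return metadata.get("KeySpec") == "SYMMETRIC_DEFAULT" and metadata.get("Origin") == "AWS_KMS"


def audit_key(describe_json, rotation_json="{}"):
    """Return a list of findings for one key, given the two CLI JSON documents as text."""
    metadata = json.loads(describe_json)["KeyMetadata"]
    findings = []
    state = metadata.get("KeyState")
    if state == "PendingDeletion":
        findings.append(PENDING_DELETION)
    elif state != "Enabled":
        findings.append(NOT_ENABLED)
    # Only an enabled, rotation-capable customer managed key can be "not rotating":
    # AWS managed keys always rotate, so they are never flagged here.
    if state == "Enabled" and is_customer_managed(metadata) and rotation_applies(metadata):
        if not json.loads(rotation_json).get("KeyRotationEnabled", False):
            findings.append(NO_ROTATION)
    return findings


def audit_all(describe_outputs, rotation_outputs):
    """Map each key id to its findings; keys with no findings map to an empty list."""
    return {
        key_id: audit_key(describe_json, rotation_outputs.get(key_id, "{}"))
        for key_id, describe_json in describe_outputs.items()
    }


if __name__ == "__main__":
    for key_id, findings in audit_all(DESCRIBE_KEY_OUTPUT, ROTATION_STATUS_OUTPUT).items():
        print(key_id, findings or "ok")
```

In practice you would loop over the key IDs from `aws kms list-keys`, capture the JSON of `describe-key` and `get-key-rotation-status` for each, and pass that text to `audit_key`. The `Origin` check matters because enabling rotation on a key with imported material is not possible, so such a key should be tracked under a manual rotation schedule rather than reported as a missing setting.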

Want to know more about the tech in this article? Check out these resources:

AWS CLI, Configuring the AWS CLI, AWS .NET SDK, .NET