5.2.1. Encryption at Rest: KMS Key Types and Policies
First Principle: Encryption at rest converts data into ciphertext that requires a key to read. The security of encryption at rest depends entirely on the security of the key, so key management is the real challenge. AWS KMS solves key management by keeping keys inside hardware security modules (HSMs) that never expose the raw key material outside the HSM.
KMS Key Types:
| Key Type | Managed By | Cost | Use Case |
|---|---|---|---|
| AWS Owned Keys | AWS | Free | Default encryption for many services (S3 SSE-S3, DynamoDB default) |
| AWS Managed Keys | AWS (auto-rotation) | Free | Per-service keys (aws/s3, aws/rds); less control |
| Customer Managed Keys (CMK) | You | ~$1/key/month | Full control: custom key policy, rotation control, cross-account use |
Key Policies: Unlike IAM policies, KMS key policies are resource-based policies that must explicitly grant access. Without a key policy statement allowing an account, even the root user cannot use the key.
The default key policy for a CMK includes a statement allowing the root account principal, which means IAM policies can then control access. Without this root account statement, you could permanently lose access to the key.
Envelope Encryption: KMS never encrypts your data directly; it uses envelope encryption:
1. KMS generates a data key (via GenerateDataKey).
2. Your application uses the data key to encrypt the actual data.
3. KMS encrypts the data key using your CMK.
4. The encrypted data key is stored alongside the encrypted data.
5. To decrypt: call KMS to decrypt the data key, then use the plaintext data key to decrypt the data.
The CMK never leaves KMS.
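The envelope flow above, as an added example that is not from the original page or from AWS: a Go program in which FakeKMS is a constructed in-process stand-in for KMS (the CMK is held privately and only GenerateDataKey/Decrypt are exposed), and the application side does its own AES-256-GCM with the data key. The names FakeKMS, Envelope, seal, open, must and randBytes are assumptions made here; real code would call the AWS SDK's GenerateDataKey and Decrypt instead.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// must panics on error to keep the example short; production code would return it.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func randBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
// gcm builds an AES-256-GCM AEAD from a 32-byte key.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal returns nonce||ciphertext||tag; open reverses it and errors if the tag fails
// (a blob shorter than a nonce panics, consistent with must panicking on any error).
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// FakeKMS is a constructed stand-in for AWS KMS (not the real service): the CMK is a
// private field that no method ever returns, mirroring the HSM boundary.
type FakeKMS struct{ cmk []byte }

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh 256-bit data key is returned
// both in plaintext and wrapped (encrypted) under the CMK.
func (k *FakeKMS) GenerateDataKey() (plain, wrapped []byte) {
	plain = randBytes(32)
	return plain, seal(k.cmk, plain)
}
// Decrypt mirrors kms:Decrypt on a wrapped data key; only the CMK holder can do this.
func (k *FakeKMS) Decrypt(wrapped []byte) ([]byte, error) { return open(k.cmk, wrapped) }

// Envelope is what the application stores: the wrapped data key beside the ciphertext.
type Envelope struct{ WrappedKey, Ciphertext []byte }
// EnvelopeEncrypt makes one KMS call, then encrypts locally with the plaintext data key.
func EnvelopeEncrypt(kms *FakeKMS, pt []byte) Envelope {
	plain, wrapped := kms.GenerateDataKey()
	return Envelope{WrappedKey: wrapped, Ciphertext: seal(plain, pt)}
}
// EnvelopeDecrypt asks KMS to unwrap the data key, then decrypts the data locally.
func EnvelopeDecrypt(kms *FakeKMS, env Envelope) ([]byte, error) {
	plain, err := kms.Decrypt(env.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(plain, env.Ciphertext)
}
```

Note that the stored Envelope carries only the wrapped data key, so decrypting any object requires one kms:Decrypt call, which is exactly the call CloudTrail records.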
Service-Specific Encryption:
| Service | SSE Option | Key Management |
|---|---|---|
| S3 | SSE-S3 | AWS managed (free) |
| S3 | SSE-KMS | AWS or CMK (auditable, CloudTrail logs every decrypt) |
| S3 | SSE-C | Customer provides key with each request |
| EBS | Default encryption | AWS managed or CMK |
| RDS | Storage encryption | AWS managed or CMK (must be set at creation) |
| DynamoDB | Default | AWS owned (free) or CMK |
Key Rotation: Automatic rotation is available for symmetric CMKs. When enabled, KMS rotates the key material annually but keeps the old material to decrypt data encrypted with previous versions. The key ID and ARN stay the same, so applications need no changes.
Exam Trap: RDS encryption must be enabled at database creation time; you cannot encrypt an existing unencrypted RDS instance. The workaround: create an encrypted snapshot of the unencrypted instance (by copying the snapshot with encryption enabled), then restore from the encrypted snapshot. This creates a new encrypted RDS instance, and you switch your application to the new endpoint.
Reflection Question: An auditor requires that every KMS API call (encrypt, decrypt, generate data key) be logged for compliance. Your S3 buckets use SSE-KMS with a CMK. What is automatically logged, where, and how do you verify this?