100 Days of DevOps — Day 22-Introduction to Key Management System(KMS)

Welcome to Day 22 of 100 Days of DevOps, Let continue our journey with terraform and today we are going to create KMS keys using terraform.

What is KMS?

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

Advantage

• We can use IAM Policies for KMS access
• AWS Services(RDS,S3,DynamoDB,EBS…) integrated directly with KMS https://docs.aws.amazon.com/kms/latest/developerguide/service-integration.html
• It uses FIPS 140–2 compliant hardware module to manage access to key material.
• Integrated fully with CloudTrail for auditing function

Concepts

• KMS stores Customer Master Keys(CMK) which is a logical representation of a key.
• Key can be generated by KMS or imported.
• The encrypted data keys are stored with the data
• CMK never leaves KMS and never leaves a region
• CMK can encrypt or decrypt data up to 4KB in size.

How KMS Encrypt Data

Reference: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping

• We start with the plain text and then uses data keys along with an algorithm and come up with encrypted data.
• Encrypted data is finally stored in a storage that can be anything(eg:EBS, EFS, S3…)
• KMS then took data key, Encrypt it with a master key along with an encryption algorithm, resulted in it an encrypted data key, that stored alongside with data.

KMS in action

# To access KMS
Go to AWS Console --> Security, Identity, & Compliance --> Key Management Service --> Create a key

NOTE: YAY!!!, Now Key Management Service got its a new home but you can still access it via old way i.e

AWS Console --> IAM --> Encryption keys

Step1:

* Alias: Enter an alias and descrption for the key(eg: Alias: mydemotestkey, similarly Descrption)
* Key material origin: Choose KMS(External: You can bring your own Key(BUOY),CloudHSM(More about it later)

Step2:

* Adding Tag is Optional but its a good practice

Step3:

• Choose the users and roles who can administer this key.
• This is critical as an administrator have right to delete these keys and after that, your data will become unusable

Step4: Define key usage permissions,select the IAM users and roles that can use the CMK to encrypt and decrypt data with the AWS KMS API

Step5: Review and edit key policy

Key Deletion

• You can’t delete key immediately, rather then you need to schedule it

• The waiting period is from 7–30 days, this is to make sure you understand that deleting a key makes all data encrypted under that key unrecoverable

Key Rotation

• AWS managed CMKs. You cannot manage key rotation for AWS managed CMKs. AWS KMS automatically rotates AWS managed keys every three years (1095 days).
• When you enable automatic key rotation, AWS KMS rotates the CMK 365 days after the enable date and every 365 days thereafter.

KMS Limits

Limits — AWS Key Management Service

NOTE: When a request is throttled, AWS KMS returns a ThrottlingExceptionerror

Terraform Code: Most of the code is self-explanatory(using aws_kms_key we are creating kms key and using aws_kms_alias we are just providing user-friendly name to the key, as what I did above on the AWS Console, the same thing I am doing it here using terraform resources)

The new addition to this is Policy and let take a look

• As this is the resource-based policy, the only Principal/Account who has access to this key is the account with whom this key has been created and in this case root

"Principal": {
        "AWS": "arn:aws:iam::123456789:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },

• The root user has full access right to perform any KMS operation(“kms:**”)
• As you can see above these actions are quite wide open and we generally don’t provide these wide open permission open to our users rather then provide specific sets of actions(usage permission)

"Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],

AWS IAM Policy Documents with Terraform - Terraform by HashiCorp

NOTE: Key usage permission and Key Admin permission are not the same.

• Some other arguments which I didn’t cover but you can use in your terraform code

* deletion_window_in_days: Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.
* enable_key_rotation: Specifies whether key_rotation is enabled. Defaults to false.

AWS: aws_kms_key - Terraform by HashiCorp

GitHub Link

100daysofdevops/100daysofdevops

Looking forward from you guys to join this journey and spend a minimum an hour every day for the next 100 days on DevOps work and post your progress using any of the below medium.

• Twitter: @100daysofdevops OR @lakhera2015
• Facebook: https://www.facebook.com/groups/795382630808645/
• Medium: https://medium.com/@devopslearning
• Slack: https://devops-myworld.slack.com/messages/CF41EFG49/
• GitHub Link:https://github.com/100daysofdevops

Reference

100 Days of DevOps — Day 0