Skip to content

KMS 101

AWS KMS 101ΒΆ

  • Anytime you need to share sensitive information - use AWS KMS (Key Management Service)
    • Database passwords
    • Credentials to external service
    • Private key of [[SSL certificate]]s
  • The value in AWS KMS (Key Management Service) is that the [[CMK]] used to [[encrypt]] data can never be retrieved by the user, and the [[CMK]] can be rotated for extra security
  • Never ever store your secrets in [[plaintext]], especially in your code!
  • Encrypted [[secrets]] can be stored in the code / [[environment variables]]
  • KMS can only help in encrypting up to 4KB of data per call
  • IF data > 4 KB, use [[envelope encryption]]
  • To give access to AWS KMS (Key Management Service) to someone:
    • Make sure [[Key Policy]] allows the user
    • Make sure IAM Policy allows the API Calls