So now let's talk about AWS KMS, which is the Key Management Service of AWS. So we've been using it, you know, a lot without knowing, but any time you hear "encryption" when you have an AWS service, it's most likely going to be KMS encryption. The aim is that with this KMS service, AWS is going to manage the encryption keys for us. And that's great, because that means that we have fewer things to do. So KMS is of course fully integrated with IAM for authorization, and it gives us very easy ways to control access to our data if it's encrypted with KMS. The power of using AWS KMS is that you're able to audit every single API call made to use your keys through CloudTrail, which is something the exam may test you on. So on top of it, KMS can be used seamlessly with most AWS services. So for example, if you wanted to encrypt the data at rest in an EBS volume, just enable the KMS integration; same for S3, same for RDS, same for SSM, and same for pretty much all the services that require encryption. The idea is that with KMS, you can also use it yourself.
And if you have secret data, you never ever store it in plain text, that means just as is, especially in your code. So if you want to use KMS, you can also use KMS through API calls. You can use the AWS CLI or the SDK. And that means that you can encrypt whatever is a secret for you with a KMS key, and then these encrypted secrets can be, for example, stored in your code or in environment variables. That is a much better pattern. So now let's talk about the different types of KMS keys available to you. So now it's called the KMS key; by the way, it used to be called a KMS Customer Master Key, but it was confusing because there's also the customer-managed keys, as we'll see in a second. So now we just talk about KMS keys. So we have two types of KMS keys. We have the symmetric KMS keys, and that means there's only one single encryption key that is used to encrypt and decrypt data. And so any service of AWS that is integrated with KMS will use symmetric keys. The idea is that when we create or use a KMS symmetric key, then we never get access to the key itself, okay?
All we do is that we use the KMS API calls to leverage and use that key. The second kind of key available on KMS is called asymmetric keys. That means that you have two keys. You have a public key that's used to encrypt data, and a private key used to decrypt data. So this is used when you have Encrypt/Decrypt or Sign/Verify type of operations. And in that case, you can download the public key out of KMS, but you cannot access the private key. You can only use API calls, again, to access the private key. So the use case for an asymmetric type of key is when you want the encryption to be done outside of your AWS cloud by users who cannot, or don't have access to, the KMS API key, in which case they will use the public key to encrypt the data, send it over to you, and you, within your account, will use the private key of AWS to decrypt that data. So within the world of KMS keys, you have different kinds. You have the AWS managed keys, and they will be named, for example, aws/rds or aws/ebs.
So they're free to use, and they're really well integrated with these services, and they're free, so they are managed by AWS and you can use them to encrypt at rest for a specific service. But you can also decide to create your own Customer Managed Key (CMK), and you create them within KMS, and it costs you a dollar per month per key. Or you can also decide to import your own key material into KMS, versus creating it from within KMS, and this will cost you as well, $1 per month. On top of it, you will pay for every API call you make to KMS, so it's around 3 cents per 10,000 API calls. You can set up automatic key rotation for your keys for security. So if you are using the AWS managed key, then it's automatic: it happens every one year. And if you're using your customer-managed KMS key, you must enable it. And if you do enable it, you have it automatically happen every one year; you cannot change the frequency.
If you decide to import your own key material into KMS, then you can only do manual rotation of keys, and you must also use what's called a KMS key alias to do the rotation correctly. So KMS keys are scoped per region. That means that if we have an EBS volume encrypted with a KMS key in a region, for example eu-west-2, then if you want to copy that to a different region, we have to do several steps. First of all, we have to take a snapshot of this EBS volume. And if we take a snapshot from an encrypted snapshot, then this snapshot itself will also be encrypted with the same KMS key. Then, to copy the snapshot to another region, we need to re-encrypt the snapshot using a different KMS key. And this is something AWS will do for you, but the same KMS key cannot live in two regions. So now we have an EBS snapshot; it's encrypted with KMS with a different key, and it lives in another region. Now we restore the snapshot into its own EBS volume with KMS, and its KMS key B, into the region ap-southeast-2. Now, the other thing we need to know about is KMS key policies.
So this is to control access to your KMS keys. It's similar to an S3 bucket policy, with the difference that if you don't have the KMS key policy on your KMS key, then no one can access it. So in that regard, we have two types of KMS key policies. We have the default one, and it's created if you don't provide a specific custom KMS key policy. And the idea is that the default allows everyone in your account to access this key. That means that if you have an IAM policy allowing a user or all to access this key policy, you're good. But if you wanted to have more specific controls over it, you could use a KMS key policy that is custom, in which you define the users, the roles that can access your KMS key. And you define who can administer the key. And this is especially helpful if you want to do cross-account access for your KMS key, because we can authorize another account to use our KMS key. So when do we use this? Well, for example, if we wanted to copy encrypted snapshots across accounts.
So we create a snapshot encrypted with our own KMS key, and it's a customer-managed key; it must be that, because we need to attach a custom key policy. And then we attach a KMS key policy to authorize cross-account access. It looks like this. Then we share the encrypted snapshot with the target accounts. And then in the target accounts, we create a copy of the snapshot and we encrypt it with a different customer-managed key in that target account. And then we can create a volume from the snapshot in the target accounts, and we're done. So that's a lot of information about KMS, but let's go into the hands-on to hopefully learn a bit more about it.