AWS KMS uses Symmetric Cryptography

KMS is a managed service used to store and generate encryption keys that are used by other AWS services and applications.

  • S3 uses KMS to offer and perform server-side encryption with KMS-managed keys (SSE-KMS)
  • KMS contains the keys that decrypt your private data
  • Administrators at AWS don’t have access to your keys within KMS
  • All administrative actions require dual authentication by two Amazon administrators
  • It’s our responsibility to administer our own encryption keys
  • The KMS service is for encryption at rest
  • To encrypt data while in transit you would need to use a different method, such as SSL

Server side

  • Encryption done by the server
  • Backend servers encrypt the data as it arrives, transparently to the end user
  • The overhead of performing the encryption and managing the keys is handled by the server

Client side

  • Encryption done by the end user
  • Requires the user to encrypt the data themselves before handing it over
  • The overhead of the encryption process is on the client

Compliance and Regulations

KMS works seamlessly with AWS CloudTrail to audit and track how your encryption keys are being used and by whom.
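As an added illustration of that audit trail (example code, not part of the original post), the script below walks CloudTrail records for KMS API calls and reports which principal used which key, flagging calls from principals outside an allow list. The records, key ARN and principal ARNs are constructed samples; the field names (eventSource, eventName, userIdentity.arn, resources[].ARN) are the standard CloudTrail ones.

```python
from collections import Counter, defaultdict


def _rec(time, source, name, caller_arn, key_arn=None):
    """Build a trimmed CloudTrail record (constructed sample, not real log data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": "us-east-1", "userIdentity": {"arn": caller_arn},
            "resources": [{"ARN": key_arn}] if key_arn else []}


APP_ROLE = "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"  # constructed
CONTRACTOR = "arn:aws:iam::123456789012:user/contractor"             # constructed
KEY = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"        # placeholder

# Constructed CloudTrail events: the app role does a normal envelope-encryption
# sequence, then an unrelated IAM user decrypts with the same key, then reads S3.
SAMPLE_RECORDS = [
    _rec("2024-01-15T10:00:01Z", "kms.amazonaws.com", "GenerateDataKey", APP_ROLE, KEY),
    _rec("2024-01-15T10:00:02Z", "kms.amazonaws.com", "Decrypt", APP_ROLE, KEY),
    _rec("2024-01-15T10:05:00Z", "kms.amazonaws.com", "Decrypt", CONTRACTOR, KEY),
    _rec("2024-01-15T10:06:00Z", "s3.amazonaws.com", "GetObject", CONTRACTOR),
]


def kms_usage_by_key(records):
    """Map each KMS key ARN to {caller ARN: Counter of API names}; non-KMS events are skipped."""
    usage = defaultdict(lambda: defaultdict(Counter))
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        caller = rec.get("userIdentity", {}).get("arn", "unknown")
        for res in rec.get("resources", []):
            usage[res["ARN"]][caller][rec["eventName"]] += 1
    return usage


def unexpected_key_use(records, allowed_caller_prefixes):
    """Return (time, caller, eventName, key) for KMS calls by principals not in the allow list."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        caller = rec.get("userIdentity", {}).get("arn", "unknown")
        if any(caller.startswith(p) for p in allowed_caller_prefixes):
            continue
        for res in rec.get("resources", []):
            findings.append((rec["eventTime"], caller, rec["eventName"], res["ARN"]))
    return findings


if __name__ == "__main__":
    for key, callers in kms_usage_by_key(SAMPLE_RECORDS).items():
        print(key, {c: dict(n) for c, n in callers.items()})
    for finding in unexpected_key_use(SAMPLE_RECORDS, [APP_ROLE.rsplit("/", 1)[0] + "/"]):
        print("UNEXPECTED:", *finding)
```

On a real account the same functions apply to the records in CloudTrail's JSON event files, with the allow list holding the role prefixes that are supposed to use each key.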

Region

KMS is not a multi-region service; it is region specific.

Founder of Nadtakan.com & Serverless Cloud developer. Follow me on Twitter https://twitter.com/NadtakanF