Blog | G5 Cyber Security

AWS KMS: Avoid Using One Key For Everything

G5 Cyber Security

TL;DR

Using a single AWS KMS key for all your encryption needs is risky and limits flexibility. This guide shows you how to create separate keys based on purpose, manage them effectively, and avoid common pitfalls.

Why Not Use One Key?

How to Create and Manage Multiple KMS Keys

  1. Identify Data Types & Access Needs: First, figure out what data you’re encrypting and who needs access.
    • Example: Separate keys for database encryption, S3 bucket encryption, code signing.
  2. Create Keys in AWS KMS: Use the AWS Management Console or CLI to create new KMS keys. 
    aws kms create-key --description "Key for encrypting production databases"
  3. Tag Your Keys: Add tags to help you identify and manage your keys. This is crucial!
    • Example Tags: Environment (Production, Staging), Purpose (Database, S3).
  4. Grant Access with IAM Policies: Control who can use each key. 
    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "kms:Encrypt", "Resource": "arn:aws:kms:YOUR_REGION:YOUR_ACCOUNT_ID:key/YOUR_KEY_ID" } ] }

    Replace YOUR_REGION, YOUR_ACCOUNT_ID and YOUR_KEY_ID with your actual values.

  5. Use the Correct Key in Your Applications: Update your code to specify the correct KMS key for each operation.
    • When using the AWS SDK, explicitly pass the key ID or ARN.
    • Example (Python): client = boto3.client('kms', region_name='YOUR_REGION') client.encrypt(KeyId='arn:aws:kms:YOUR_REGION:YOUR_ACCOUNT_ID:key/YOUR_KEY_ID', ...
  6. Enable Key Rotation: KMS automatically rotates keys, but ensure rotation is enabled for each key.
    • Check the ‘Rotation policy’ in the AWS Management Console.
  7. Monitor Key Usage: Use CloudTrail to track who is using your keys and when.
    • Set up alerts for unusual key usage patterns.

Key Management Best Practices

Exit mobile version