AWS KMS for PCI DSS: KEK & DEK Usage

TL;DR

Yes, AWS Key Management Service (KMS) can be used for both Key Encryption Keys (KEKs) and Data Encryption Keys (DEKs) to meet PCI DSS requirements. However, careful configuration is essential to ensure compliance. This guide outlines the steps and considerations.

Using KMS for KEK & DEK

1. Understand the Roles:
• KEK (Key Encryption Key): Encrypts other keys (DEKs). It’s typically stored more securely.
• DEK (Data Encryption Key): Encrypts your actual data.
2. Create a KMS Key for the KEK:

Use the AWS Management Console, CLI or SDK to create a symmetric KMS key.

aws kms create-key --description "KEK for PCI DSS" --policy '{"Statement": [{"Sid": "Allow KMS Key Usage", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_USER_NAME"}, "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "arn:aws:kms:YOUR_REGION:YOUR_ACCOUNT_ID:key/YOUR_KEK_KEY_ID"}]}'

Important: Restrict access to this key using IAM policies. Only authorized personnel and services should be able to use it.

3. Create KMS Keys for DEKs:

For each dataset requiring encryption, create a separate symmetric KMS key to act as the DEK. This improves security by limiting the impact of a single compromised key.

aws kms create-key --description "DEK for PCI DSS - Dataset 1" --policy '{"Statement": [{"Sid": "Allow KMS Key Usage", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:user/YOUR_USER_NAME"}, "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "arn:aws:kms:YOUR_REGION:YOUR_ACCOUNT_ID:key/YOUR_DEK_KEY_ID"}]}'

Again, restrict access using IAM policies.

4. Encrypt Data with DEKs:

Use the KMS API or SDK to encrypt your data using the appropriate DEK. AWS services like S3 and EBS can directly integrate with KMS for encryption at rest.

5. Encrypt DEKs with the KEK:

After encrypting the data with a DEK, encrypt the DEK itself with the KEK. This provides an extra layer of security.

aws kms encrypt --key-id YOUR_KEK_KEY_ID --plaintext $(base64 YOUR_DEK_BASE64)

6. Secure Storage of Encrypted DEKs:

Store the encrypted DEKs in a secure location, separate from the data they encrypt. AWS S3 with appropriate access controls is often used.

7. Key Rotation:
• Enable automatic key rotation for both KEK and DEK keys within KMS. This minimizes the impact of potential compromises.
• PCI DSS requires regular key rotation; ensure your configuration meets these requirements (typically annually, or more frequently).
8. Access Control & Auditing:
• Implement strict IAM policies to control access to KMS keys. Use the principle of least privilege.
• Enable CloudTrail logging for all KMS API calls. Regularly review these logs for suspicious activity.
9. Monitoring and Alerting:

Set up monitoring alerts for key usage, access attempts, and any unusual activity related to your KMS keys.

Important Considerations

• HSM vs. Standard Keys: For the highest level of security, consider using AWS CloudHSM keys for your KEK.
• Separation of Duties: Ensure that different personnel manage the KEK and DEKs to prevent collusion.
• Documentation: Maintain detailed documentation of your KMS key management process, including key rotation schedules, access controls, and auditing procedures.