1 00:00:00,270 --> 00:00:02,580 So now let's talk about AWS KMS
2 00:00:02,580 --> 00:00:05,640 which is the key management service of AWS.
3 00:00:05,640 --> 00:00:08,010 So we've been using it, you know, a lot without knowing,
4 00:00:08,010 --> 00:00:12,360 but anytime you hear encryption when you have an AWS service
5 00:00:12,360 --> 00:00:15,090 it's most likely going to be KMS encryption.
6 00:00:15,090 --> 00:00:17,580 The aim is that with this KMS service
7 00:00:17,580 --> 00:00:20,370 AWS is going to manage the encryption keys for us.
8 00:00:20,370 --> 00:00:21,630 And that's great because that means
9 00:00:21,630 --> 00:00:23,520 that we have fewer things to do.
10 00:00:23,520 --> 00:00:27,030 So KMS is of course fully integrated with IAM
11 00:00:27,030 --> 00:00:30,660 for authorization and it gives us very easy ways
12 00:00:30,660 --> 00:00:35,190 to control access to our data if it's encrypted with KMS.
13 00:00:35,190 --> 00:00:38,070 The power of using AWS KMS is that you're able
14 00:00:38,070 --> 00:00:40,560 to audit every single API call
15 00:00:40,560 --> 00:00:43,740 made to use your keys through CloudTrail,
16 00:00:43,740 --> 00:00:46,800 which is something the exam may test you on.
17 00:00:46,800 --> 00:00:50,310 So on top of it KMS can be used seamlessly
18 00:00:50,310 --> 00:00:52,500 with most AWS services.
19 00:00:52,500 --> 00:00:55,650 So for example, if you wanted to encrypt the data at rest
20 00:00:55,650 --> 00:00:58,920 in an EBS volume, just enable the KMS integration.
21 00:00:58,920 --> 00:01:02,040 Same for S3, same for RDS, same for SSM, and the same
22 00:01:02,040 --> 00:01:06,270 for pretty much all the services that require encryption.
23 00:01:06,270 --> 00:01:09,000 The idea is that with KMS, you can also use it yourself.
24 00:01:09,000 --> 00:01:11,310 And if you have secrets data
25 00:01:11,310 --> 00:01:13,770 you never ever store them in plain text.
26 00:01:13,770 --> 00:01:17,040 That means just as is, especially in your code.
27 00:01:17,040 --> 00:01:18,840 So if you want to use KMS
28 00:01:18,840 --> 00:01:21,570 you can also use KMS through API calls.
29 00:01:21,570 --> 00:01:24,960 You can use the AWS CLI or the SDK.
30 00:01:24,960 --> 00:01:27,570 And that means that you can encrypt whatever
31 00:01:27,570 --> 00:01:30,900 is a secret for you with a KMS key.
32 00:01:30,900 --> 00:01:33,420 And then these encrypted secrets can be, for example,
33 00:01:33,420 --> 00:01:36,360 stored in your code or in environment variables.
34 00:01:36,360 --> 00:01:38,250 That is a much better pattern.
35 00:01:38,250 --> 00:01:39,840 So now let's talk about the different types
36 00:01:39,840 --> 00:01:42,240 of KMS keys available to you.
37 00:01:42,240 --> 00:01:44,460 So now it's called the KMS key, by the way.
38 00:01:44,460 --> 00:01:47,580 It used to be called the KMS customer master key,
39 00:01:47,580 --> 00:01:49,350 but it was confusing because there's also
40 00:01:49,350 --> 00:01:52,380 the customer managed keys as we'll see in a second.
41 00:01:52,380 --> 00:01:55,500 So now we just talk about KMS keys.
42 00:01:55,500 --> 00:01:57,600 So we have two types of KMS keys.
43 00:01:57,600 --> 00:02:00,900 We have the symmetric KMS keys, and that means
44 00:02:00,900 --> 00:02:03,300 there's only one single encryption key
45 00:02:03,300 --> 00:02:06,210 that is used to encrypt and decrypt data.
46 00:02:06,210 --> 00:02:09,030 And so any service of AWS that is integrated
47 00:02:09,030 --> 00:02:12,000 with KMS will use symmetric keys.
48 00:02:12,000 --> 00:02:16,500 The idea is that when we create or use a KMS symmetric key
49 00:02:16,500 --> 00:02:19,560 then we never get access to the key itself, okay?
50 00:02:19,560 --> 00:02:22,590 All we do is that we use the KMS API calls
51 00:02:22,590 --> 00:02:25,350 to leverage and use that key.
52 00:02:25,350 --> 00:02:27,600 The second kind of key available
53 00:02:27,600 --> 00:02:30,390 on KMS are called asymmetric keys.
54 00:02:30,390 --> 00:02:31,800 That means that you have two keys.
55 00:02:31,800 --> 00:02:34,860 You have a public key that's used to encrypt data
56 00:02:34,860 --> 00:02:37,980 and a private key used to decrypt data.
57 00:02:37,980 --> 00:02:40,500 So this is used when you have encrypt/decrypt,
58 00:02:40,500 --> 00:02:43,020 or sign/verify type of operations.
59 00:02:43,020 --> 00:02:45,360 And in that case, you can download the public key
60 00:02:45,360 --> 00:02:49,560 out of KMS, but you cannot access the private key.
61 00:02:49,560 --> 00:02:53,010 You can only use API calls, again, to access the private key.
62 00:02:53,010 --> 00:02:55,350 So the use cases for an asymmetric
63 00:02:55,350 --> 00:02:59,100 type of key are when you want the encryption to be done
64 00:02:59,100 --> 00:03:02,730 outside of your AWS cloud by users who cannot
65 00:03:02,730 --> 00:03:06,360 or don't have access to the KMS API key,
66 00:03:06,360 --> 00:03:08,250 in which case they will use the public key
67 00:03:08,250 --> 00:03:11,220 to encrypt the data, send it over to you,
68 00:03:11,220 --> 00:03:13,697 and you, within your account, you will use the private key
69 00:03:13,697 --> 00:03:16,200 of AWS to decrypt that data.
70 00:03:16,200 --> 00:03:18,030 So within the world of KMS keys
71 00:03:18,030 --> 00:03:20,250 you have different types of KMS keys.
72 00:03:20,250 --> 00:03:23,310 The first one is AWS owned keys.
73 00:03:23,310 --> 00:03:26,850 They're free and this is the kind of key you would use
74 00:03:26,850 --> 00:03:30,210 when you use SSE-S3 type of encryption
75 00:03:30,210 --> 00:03:33,540 or SSE-DynamoDB where you have the option, for example,
76 00:03:33,540 --> 00:03:36,540 that you choose a key owned by DynamoDB.
77 00:03:36,540 --> 00:03:38,100 So these are not really KMS because
78 00:03:38,100 --> 00:03:39,210 you don't really see them,
79 00:03:39,210 --> 00:03:42,690 but they're types of encryption keys within AWS.
80 00:03:42,690 --> 00:03:46,620 Then you have the AWS-managed keys, and they're free,
81 00:03:46,620 --> 00:03:48,630 and you will recognize them because they start
82 00:03:48,630 --> 00:03:51,750 with AWS, slash, and then the service name.
83 00:03:51,750 --> 00:03:55,230 For example aws/rds or aws/ebs,
84 00:03:55,230 --> 00:03:58,650 or in this example aws/dynamodb.
85 00:03:58,650 --> 00:04:01,350 They're free and you can just use them as you please
86 00:04:01,350 --> 00:04:05,100 but only from within the service that it's assigned to.
87 00:04:05,100 --> 00:04:07,710 Then you have your own customer-managed keys,
88 00:04:07,710 --> 00:04:10,800 and they're custom keys, and they cost you $1 per month.
89 00:04:10,800 --> 00:04:12,300 And if you want to import them as well,
90 00:04:12,300 --> 00:04:15,570 you can import them and they cost you $1 per month.
91 00:04:15,570 --> 00:04:17,850 KMS also has a pricing where you're going to pay
92 00:04:17,850 --> 00:04:20,850 for each API call made to the KMS service,
93 00:04:20,850 --> 00:04:24,123 which is about 3 cents per 10,000 API calls.
94 00:04:24,990 --> 00:04:27,180 You also have automatic key rotation.
95 00:04:27,180 --> 00:04:30,000 So if it's an AWS-managed KMS key
96 00:04:30,000 --> 00:04:32,100 then it's automatic, every 1 year.
97 00:04:32,100 --> 00:04:35,100 And if it's a customer managed key that you've created
98 00:04:35,100 --> 00:04:37,890 from within KMS, then you must enable
99 00:04:37,890 --> 00:04:40,080 automatic rotation, and it's every 1 year.
100 00:04:40,080 --> 00:04:42,510 And if it's an imported KMS key
101 00:04:42,510 --> 00:04:44,640 then you can only manually rotate it.
102 00:04:44,640 --> 00:04:47,013 And for this you need to leverage an alias.
103 00:04:47,970 --> 00:04:50,850 So KMS keys are scoped per region.
104 00:04:50,850 --> 00:04:53,460 That means that if we have an EBS volume encrypted
105 00:04:53,460 --> 00:04:57,690 with a KMS key in a region, for example, eu-west-2,
106 00:04:57,690 --> 00:05:00,390 then if you want to copy that to a different region
107 00:05:00,390 --> 00:05:02,280 we have to do several steps.
108 00:05:02,280 --> 00:05:06,210 First of all, we have to take a snapshot of this EBS volume.
109 00:05:06,210 --> 00:05:08,880 And if we take a snapshot from an encrypted snapshot
110 00:05:08,880 --> 00:05:11,280 then this snapshot itself will also be encrypted
111 00:05:11,280 --> 00:05:13,200 with the same KMS key.
112 00:05:13,200 --> 00:05:16,710 Then, to copy the snapshot to another region,
113 00:05:16,710 --> 00:05:18,900 we need to re-encrypt the snapshot
114 00:05:18,900 --> 00:05:20,880 using a different KMS key.
115 00:05:20,880 --> 00:05:23,430 And this is something AWS will do for you.
116 00:05:23,430 --> 00:05:27,000 But the same KMS key cannot live in two regions.
117 00:05:27,000 --> 00:05:28,890 So now we have an EBS snapshot.
118 00:05:28,890 --> 00:05:31,590 It's encrypted with KMS with a different key
119 00:05:31,590 --> 00:05:33,390 and it lives in another region.
120 00:05:33,390 --> 00:05:37,140 Now we restore the snapshot into its own EBS volume
121 00:05:37,140 --> 00:05:42,140 with KMS, and its KMS key B, into the region ap-southeast-2.
122 00:05:43,860 --> 00:05:45,170 Now, the other thing we need to know about
123 00:05:45,170 --> 00:05:47,370 is KMS key policies.
124 00:05:47,370 --> 00:05:50,220 So this is to control access to your KMS keys.
125 00:05:50,220 --> 00:05:52,920 It's similar to AWS S3 bucket policy
126 00:05:52,920 --> 00:05:55,740 with a difference that if you don't have a KMS key policy
127 00:05:55,740 --> 00:05:58,680 on your KMS key, then no one can access it.
128 00:05:58,680 --> 00:06:01,920 So in that regard, we have two types of KMS key policies.
129 00:06:01,920 --> 00:06:04,590 We have the default one, and it's created
130 00:06:04,590 --> 00:06:08,280 if you don't provide a specific custom KMS key policy.
131 00:06:08,280 --> 00:06:11,160 And the idea is that the default allows everyone
132 00:06:11,160 --> 00:06:13,950 in your account to access this key.
133 00:06:13,950 --> 00:06:16,410 That means that if you have an IAM policy
134 00:06:16,410 --> 00:06:18,840 allowing a user or role to access this key policy,
135 00:06:18,840 --> 00:06:20,190 you're good.
136 00:06:20,190 --> 00:06:23,430 But if you wanted to have more specific controls over it,
137 00:06:23,430 --> 00:06:26,550 you could use a KMS key policy that is custom,
138 00:06:26,550 --> 00:06:28,980 in which you define the users, the roles
139 00:06:28,980 --> 00:06:31,080 that can access your KMS key.
140 00:06:31,080 --> 00:06:33,180 And you define who can administer the key.
141 00:06:33,180 --> 00:06:35,400 And this is especially helpful if you want
142 00:06:35,400 --> 00:06:38,670 to do cross-account access for your KMS key,
143 00:06:38,670 --> 00:06:42,390 because we can authorize another account to use our KMS key.
144 00:06:42,390 --> 00:06:43,860 So when do we use this?
145 00:06:43,860 --> 00:06:46,020 Well, for example, if we wanted to copy
146 00:06:46,020 --> 00:06:48,690 an encrypted snapshot across accounts.
147 00:06:48,690 --> 00:06:51,930 So we create a snapshot encrypted with our own KMS key,
148 00:06:51,930 --> 00:06:53,400 and it's a customer managed key.
149 00:06:53,400 --> 00:06:54,570 It must be that because we need
150 00:06:54,570 --> 00:06:56,850 to attach a custom key policy.
151 00:06:56,850 --> 00:06:59,310 And then we attach a KMS key policy
152 00:06:59,310 --> 00:07:01,950 to authorize for cross-account access.
153 00:07:01,950 --> 00:07:03,480 It looks like this.
154 00:07:03,480 --> 00:07:06,180 Then we share the encrypted snapshot
155 00:07:06,180 --> 00:07:08,190 with the target accounts.
156 00:07:08,190 --> 00:07:11,580 And then in the target account we create a copy
157 00:07:11,580 --> 00:07:14,400 of the snapshot and we encrypt it with a different
158 00:07:14,400 --> 00:07:17,850 customer-managed key in that target account.
159 00:07:17,850 --> 00:07:19,700 And then we can create a volume from the snapshot
160 00:07:19,700 --> 00:07:22,530 in the target account, and we're done.
161 00:07:22,530 --> 00:07:24,570 So that's a lot of information about KMS,
162 00:07:24,570 --> 00:07:26,970 but let's go into hands-on to hopefully
163 00:07:26,970 --> 00:07:28,270 learn a bit more about it.