Tamnoon Academy
AWS Customer Master Key (CMK)
AWS Customer Master Key (CMK)
Encryption is vital to protecting the integrity and confidentiality of sensitive data, as is understanding how it is applied in one’s products and services.
Amazon Web Services (AWS) primarily supports encrypted key management through its Key Management Service (KMS). The AWS KMS key, formerly known as a Customer Master Key(CMK), is the foundation of this service.
Learn about Tamnoon's Vulnerability Management Services
Tamnoon's team can assist or fully manage your cloud vulnerabilities with our team of experienced CloudPros.
What is a Customer Master Key?
Within AWS, a CMK is a key that manages the encryption and decryption of customer data.
Capable of managing up to 4 KB at a time, CMKs provide extensive control over how and where data is encrypted. Larger datasets require envelope encryption, in which the CMK generates a data key.
CMKs are customizable and highly secure, safeguarded through FIPS 140-3 validated hardware security modules (HSMs). Their region-specificity also supports regulatory compliance and helps minimize vulnerabilities.
Although Amazon has rebranded CMKs to AWS KMS keys, their core functionality remains unchanged.
How Amazon's KMS Works
The AWS Key Management Service (KMS) is a global service that allows users to create, manage, and employ encryption keys across over 60 AWS services.
It centralizes key management for all connected services into a single platform and supports symmetric and asymmetric encryption. The service also provides additional features such as automatic key rotation and auditing.
Types of CMK in AWS
CMKs are categorized in two ways. First, by the type of encryption they support:
- Symmetric CMKs use the same key for both encryption, decryption, and verification. They cannot be used for digital signing, which requires asymmetric encryption.
- Asymmetric CMKs use a public key for encryption and a private key for decryption. They also use separate keys for encryption/decryption and validation/signing.
CMKs may also be classified based on who owns and manages them:
- Customer Managed Keys are owned, created, and managed entirely by the customer.
- AWS Managed Keys are limited to specific AWS services and are created and managed by Amazon, but customers can still audit keys and view policies through their dashboard.
- AWS Owned Keys are created, managed, and owned entirely by Amazon and cannot be viewed or controlled by customers.
Use Cases for AWS CMK Encryption in Cloud Security
If your organization leverages AWS, encryption keys are an essential component of security, with applications that include, but are not limited to:
Encrypting At-Rest Data
AWS keys can encrypt data stored in S3 buckets, EBS volumes attached to EC2 instances, and DynamoDB tables.
Encrypting Data In Transit
Several AWS services are specifically designed to encrypt in-transit data, including AWS Certificate Manager and AWS CloudFront. Both services integrate with other AWS offerings, using keys to protect data and indirectly manage certificates.
Regulatory Compliance
Because AWS KMS keys provide granular control over encryption, they allow customers to ensure their data is encrypted in a specific manner. This is invaluable for complying with regulations, such as HIPAA, the GDPR, and PCI-DSS.
Secure Application Development
By leveraging AWS SDKs, developers can integrate keys directly into their code, allowing them to control how their application encrypts and accesses data.
Digital Signing
As mentioned above, asymmetric keys can validate the integrity and authenticity of data, especially digital signatures.
