KMS
Definition
KMS, or Key Management Service, is a cloud-based service that allows users to create, manage, and control cryptographic keys used to encrypt and decrypt data. It provides a centralized way to handle encryption keys, ensuring they are stored securely and accessed only by authorized entities. KMS is integral to maintaining data confidentiality and integrity across various cloud services and applications.
Secure Settings Example
# AWS KMS Key Policy Example
{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/ExampleUser"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/KeyAdminRole"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
}
]
}
Insecure Settings Example
# AWS KMS Key Policy Example with overly permissive access
{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Allow all actions to everyone",
"Effect": "Allow",
"Principal": "*",
"Action": "kms:*",
"Resource": "*"
}
]
}