Customer Master Key (CMK) Policy Management in AWS KMS (2024)

Table of Contents
What is a Customer Master Key (CMK)? How To Manage Access To Your CMKs The key policy applied to a CMK created through the AWS KMS API The key policy applied to a CMK created through the AWS Management Console Sources:

What is a Customer Master Key (CMK)?

In security, a master key is what you use to encrypt all other encryption keys in your system. Customer master keys are logical representations of a master key. They are the primary resources in AWS KMS. The CMK contains the key material used to encrypt and decrypt data. It also contains metadata such as the key ID, creation date, description, and key state.

You can start using AWS KMS through the web console or via API. There are two types of CMKs that you can create in AWS KMS: symmetric CMK and asymmetric CMK.

  • A symmetric CMK is a 256-bit key that is used for standard encryption and decryption.
  • An asymmetric CMK, on the other hand, is an RSA key pair that is used for encryption and decryption or signing and verification, but not both, or an elliptic curve (ECC) key pair that is used for signing and verification.

Likewise, AWS breaks down CMK ownership into three categories: customer-managed CMKs, AWS managed CMKs, and AWS owned CMKs. Generally, when you create a CMK, AWS KMS provides the key material for it; But if you require to have full control of your keys, customer-managed CMKs allow you to upload your own key material into AWS. The level of control you have varies for each category, with customer-managed CMKs being the most unrestricted, to AWS owned CMKs being the most restrictive.

See Also
Frequently Asked Questions for product keys.Get help with Windows activation errorsKey Management Services (KMS) client activation and product keys for Windows Server and WindowsActivate Windows Server 2019 with KMS or the command line | TechTarget

Customer Master Key (CMK) Policy Management in AWS KMS (1)

How To Manage Access To Your CMKs

To protect your CMKs from unauthorized access, you must attach a key policy to it. Key policies help protect your CMKs by defining specific requirements that must be fulfilled before an action is permitted. The policy structure is similar to IAM policies, and it also uses JSON formatting. Here is a basic example of a key policy:

Customer Master Key (CMK) Policy Management in AWS KMS (2)

See Also
Microsoft Activation Scripts (MAS)

To create your key policy, you must first indicate the policy version you will be using. Then in the statement body, you must include the following parameters:

  • Effect – indicates whether the policy will allow or deny actions
  • Principal – the identity to which the policy will grant or deny permissions to
  • Action – the permissions that you want to grant/deny to the principal
  • Resource – the list of objects that your policy will be applied to

You can also include the following optional parameters in your statement body:

  • Sid – a unique identifier for your policy
  • Conditions – conditions that need to be met before your policy takes effect

The AWS KMS documentation has a list of all accepted values for the policy body, along with some examples to guide you through.

The key policy applied to a CMK created through the AWS KMS API

When you create a CMK using the API and you do not provide a key policy in the parameters, AWS automatically creates and assigns a default key policy for your CMK. This default key policy has one policy statement that gives the AWS root account that owns the CMK full access to the CMK and enables IAM policies in the account to allow access to the CMK. If later on, you decide to change the contents of the key policy, you need to create a new policy and attach it to your CMK to replace the old one.

The key policy applied to a CMK created through the AWS Management Console

When you create a CMK with the AWS Management Console, you can choose the IAM users, IAM roles, and AWS accounts that should be given access to the CMK, and these will be added to a default key policy that the console creates for you. With the console, you can view or modify your key policies. The default key policy gives the AWS root account that owns the CMK full access to the CMK. You can also specify in the default key policy which IAM users and roles will be key administrators and key users, which have different respective policy statements.

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Examsand read our Security Specialty exam study guide.

Customer Master Key (CMK) Policy Management in AWS KMS (3)

Sources:

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys
https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html
https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html#managing-access

Customer Master Key (CMK) Policy Management in AWS KMS (2024)
Top Articles
What Video Poker Game Is Best to Play?
Residential Fire Sprinkler System Retrofits: Costs & Considerations
1303 Neubauer Cir #703, Lindenhurst, IL 60046 | 15 Photos - Movoto
OCT 2018 PVL PDF Conversion - Premier€¦ · Ekla Corporation C Change Surgical LLC Lively Distributing Charles Solana & Sons Pacific Surgical Specialties - Distribution, Inc. Cubex - [PDF Document]
Latest Posts
Create issues and comments from email | Atlassian Support
Manage and resolve issues or impediments in Azure Boards - Azure Boards
Article information

Author: Dong Thiel

Last Updated:

Views: 5919

Rating: 4.9 / 5 (79 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Dong Thiel

Birthday: 2001-07-14

Address: 2865 Kasha Unions, West Corrinne, AK 05708-1071

Phone: +3512198379449

Job: Design Planner

Hobby: Graffiti, Foreign language learning, Gambling, Metalworking, Rowing, Sculling, Sewing

Introduction: My name is Dong Thiel, I am a brainy, happy, tasty, lively, splendid, talented, cooperative person who loves writing and wants to share my knowledge and understanding with you.