Questions tagged with AWS Key Management Service


1 answer | 0 votes | 64 views | asked 8 months ago

Application side data protection with FIPS 140-2 Level 3 : what to use out of Encryption SDK, KMS or Cloud HSM?

Hello there, I have a requirement in my application to encrypt and decrypt data using a symmetric key algorithm (mostly AES/CBC/PKCS5Padding). Constraints and requirements are:

1. I need to use a FIPS 140-2 Level 3 compliant key storage solution.
2. This is existing encrypted data, and hence I should be able to import my existing keys (plain keys) into whatever solution I use.
3. Even in the future, keys should be open for EXPORT so that data encrypted with this new solution WILL NOT require another re-encryption with new keys.

Keeping the above points in mind, I came across the solutions below so far and need guidance and help if someone finds that one is not a good solution or that it will break any of the requirements I listed.

1. I can use the AWS Encryption SDK with AWS KMS using a custom key store, where the custom key store would be my own Cloud HSM.
2. I can directly use Cloud HSM by leveraging the standard Cloud HSM integration using the Cloud HSM JCE provider and client SDK.
3. I can use AWS KMS with the KMS API with a custom key store, where the custom key store would be my own Cloud HSM.

I know #2 will work without breaking any of my requirements and compliance list, but I want to see if I can use the Encryption SDK and/or KMS for my use case, as I can get help from the SDK to choose best industry practices for writing cryptography code instead of writing the whole code myself (in the case of Cloud HSM integration). But the points below stop me:

1. Custom key stores cannot work with imported keys, so it will break my requirement #2.
2. I can use the AWS Encryption SDK with KMS, but as import does not work for custom key stores, it's not usable any more. Can I use the AWS Encryption SDK somehow to help me with data encryption directly with Cloud HSM?
3. Data envelope protection (by the AWS Encryption SDK) is really more secure for symmetric key encryption. If I use that today and later want to move to Cloud HSM, will it break the decryption flow?

Any suggestion/experience learning/insights or architectural direction is greatly appreciated.
1 answer | 0 votes | 204 views | kp, asked 9 months ago

S3 bucket creation with encryption is failing because of AWSSamples::S3BucketEncrypt::Hook

Hi, I have activated **AWSSamples::S3BucketEncrypt::Hook** with the following configuration, but S3 bucket creation with encryption enabled seems to be failing because of the hook. It works when I disable the hook. Could this be an issue?

```json
{
  "CloudFormationConfiguration": {
    "HookConfiguration": {
      "TargetStacks": "ALL",
      "FailureMode": "FAIL",
      "Properties": {
        "minBuckets": "1",
        "encryptionAlgorithm": "AES256"
      }
    }
  }
}
```

```json
{
  "CloudFormationConfiguration": {
    "HookConfiguration": {
      "TargetStacks": "ALL",
      "FailureMode": "FAIL",
      "Properties": {
        "minBuckets": "1",
        "encryptionAlgorithm": "aws:kms"
      }
    }
  }
}
```

[AWSSamples::S3BucketEncrypt::Hook configuration](https://imgur.com/w9NnjEP)
[AWSSamples::S3BucketEncrypt::Hook](https://imgur.com/OsETMvV)

**CloudFormation for S3 bucket with AES256 encryption** - Expected to Pass

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: S3 bucket with default encryption
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'AES256'
    DeletionPolicy: Delete
```

**CloudFormation for S3 bucket with KMS encryption** - Expected to Pass

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: This CloudFormation template provisions an encrypted S3 Bucket
Resources:
  EncryptedS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: !Sub 'encryptedbucket-${AWS::Region}-${AWS::AccountId}'
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
              KMSMasterKeyID: !Ref EncryptionKey
            BucketKeyEnabled: true
      Tags:
        - Key: "keyname1"
          Value: "value1"
  EncryptionKey:
    Type: AWS::KMS::Key
    Properties:
      Description: KMS key used to encrypt the resource type artifacts
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: Enable full access for owning account
            Effect: Allow
            Principal:
              AWS: !Ref "AWS::AccountId"
            Action: kms:*
            Resource: "*"
Outputs:
  EncryptedBucketName:
    Value: !Ref EncryptedS3Bucket
```
1 answer | 0 votes | 26 views | Sri, asked 9 months ago

How to properly use KMS in Step Functions?

I'm working on SAML identification workflows in Step Functions where SAML messages have to be signed and the returned Assertion is also encrypted. I will use KMS to store two different asymmetric keys (one for sign/verify and the other for encrypt/decrypt) and tried to use, for example, 'kms:Sign' and 'kms:Decrypt' from SF through SDK integrations, meaning task ARNs 'arn:aws:states:::aws-sdk:kms:sign' and 'arn:aws:states:::aws-sdk:kms:decrypt', but can only retrieve binary data in responses, which is not Base64-encoded. That's correct based on the documentation: "When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded." Can I somehow always return a Base64-encoded response, or use the binary response in the context of SF JSON payloads? I can't figure out either. Am I correct that SF can't decode/encode Base64? I also tried proxying through API Gateway (which will use the HTTP API, I think), but KMS always responds with 400 because CiphertextBlob can't be null. It isn't null; the value is properly visible in the step "request body payload after transformations", and I also can't figure out what prevents calling KMS through API Gateway. If I use Lambda to decode Base64 from the request body, call the KMS operation and encode Base64 into the response body, all works nicely. Except that including that SDK in the Lambda code increases total latency by several hundred milliseconds because cold starts are much slower with the SDK imported. Can I somehow avoid those overheads coming from Lambda and use KMS straight from SF or through API Gateway?
0 answers | 0 votes | 43 views | asked 10 months ago