Put cloud data on lockdown with AWS key management

The AWS Key Management Service protects encrypted data from unauthorized access and takes aim at the third-party key management market.

Much of the IT industry is moving toward encryption as a standard practice for moving and storing critical data. But nothing is ever that easy. Successful encryption practices depend on having an appropriate way to manage the encryption key.

What's at stake is, of course, security itself -- making sure unauthorized individuals don't gain access to data. And, in the world of AWS, encryption control is being made available to users through the AWS Key Management Service (KMS). AWS KMS is a specific implementation of a standard type of infrastructure needed to support good encryption practices.

"Handling encryption keys is always a major issue," said Ali Hussain, CTO and co-founder of Flux7 Labs, an IT consultancy based in Austin, Texas. Access to keys needs to be restricted and separated from the rest of the deployment. "The biggest problem is the inevitable chicken and egg [scenario] -- you cannot download the key before you are authenticated, but you need the key to authenticate in the absence of some other mechanism," Hussain said.

For the most part, he said, AWS Key Management Service is fairly self-contained within Amazon's provided tools. KMS lets customers control encryption keys through AWS Identity and Access Management (IAM), which an experienced AWS user is likely already using. "[Flux7 is] actively using KMS to manage SSH keys, encrypting config files with secrets and passwords, and encrypting data at rest for compliance," he added.

Most people seem to think as long as data is encrypted, everything is safe, noted Robert McCarthy, director of security engineering for Mobiquity, an IT consulting firm based in Boston that's focused on mobility. In fact, the encryption key often is left where it isn't safe, potentially presenting an opportunity to access the data.

"It is like locking a house; leaving the key under the doormat is not like taking the key with you," McCarthy explained. And that is, in fact, why so many data breaches occur, he added. Many times an insider has unauthorized key access. In other cases, breaches occur because someone on the outside has been able to "unwrap" some JavaScript elements and find the file containing the key.

Key management infrastructure provides a set of tools or a methodology not only to encrypt data but to manage the encryption key: storing it securely, distributing it to the appropriate people and even auditing who owns and uses it. AWS key management also needs to support revocation at the appropriate time. "If someone moves on to another job you need to destroy those keys and start from scratch," McCarthy noted.

"AWS Key Management Service is Amazon's implementation of the idea of key management, and it is really a huge benefit to users," McCarthy said. For example, one of the key requirements for regulated industries is being able to show that the appropriate person has control of the encryption key management infrastructure. "Prior to KMS that wasn't very feasible," he added. "Previously, Amazon simply controlled the encryption keys and they had to manage them."

In short, the KMS option gives AWS users that control.

Amazon has done a good job crafting KMS and provides "great" documentation, McCarthy said, but administrators still must pay attention.

"The fact is you can still screw up on the management side of things by not following the process appropriately; they give you just enough rope to hang yourself," McCarthy said.

When it comes to distributing and revoking keys, for example, AWS doesn't exactly tell you what to do or how to do it. If you don't understand key management infrastructure in general, "you can make things worse, so it is good to have someone with a working knowledge of practices to implement KMS," McCarthy said.

Decline of third-party tools

In general, the advent of AWS Key Management Service has reduced or eliminated the role for third-party key management tools. AWS started with a comparatively rudimentary offering of compute and storage in the cloud, McCarthy noted. Over recent years, it has gradually implemented higher-order services. But, at the same time, an ecosystem of third-party offerings also evolved to fill the gaps.

Now, as AWS adds features such as KMS, "Amazon is taking back that space," McCarthy said. "Specifically, prior to KMS there was a third-party ecosystem for managing encryption in the cloud."

"KMS is still somewhat in its infancy and there are opportunities for growth in terms of the types of encryption AWS provides and opportunities for better integration with mobile," McCarthy said. In addition, available tools for managing and monitoring AWS encryption generally apply only to AWS; they won't necessarily work for third-party databases. But, given the trend, that too may be addressed before long.
