Use envelope encryption with AWS KMS keys - Financial Services Industry Lens

Use envelope encryption with AWS KMS keys

FSISEC15: How are you managing your encryption keys?

AWS KMS uses an envelope encryption strategy with KMS keys. Envelope encryption is the practice of encrypting plaintext data with a data key and then encrypting that data key under another key. Use KMS keys to generate, encrypt, and decrypt the data keys that you use outside of AWS KMS to encrypt your data. KMS keys are created in AWS KMS and never leave AWS KMS unencrypted.

AWS KMS supports three types of KMS keys: customer-managed keys, AWS managed keys, and AWS owned keys (for more information, see AWS KMS keys in the AWS KMS Developer Guide). For many FSI customers, customer-managed KMS keys will be the preferred option because they allow control over the permissions to use the keys from any of their applications or AWS services. Customer-managed KMS keys also provide added flexibility for key generation and storage. In addition, every use of a KMS key or modification to its key policy is logged to AWS CloudTrail for auditing purposes.

Rotate encryption keys

Cryptographic best practices discourage extensive reuse of encryption keys. Security best practice is to enable automatic key rotation for an existing key. When you enable automatic key rotation for a customer-managed key, AWS KMS generates new cryptographic material for the key every year. AWS KMS also retains the key's older cryptographic material so that it can still be used to decrypt data that was encrypted under it.

Automatic key rotation has no effect on data already encrypted with a key. It neither changes existing KMS data keys nor re-encrypts any data protected by the key, and it does not mitigate the effect of a compromised data key. In that case, the data must be re-encrypted with a new data key.
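The envelope pattern described above, together with the rotation behaviour of this section, as an added example that is not part of the Lens or of AWS's own code: FakeKms is an assumed local stand-in for a single KMS key (its two methods play the roles of the GenerateDataKey and Decrypt API operations), and keystream_xor is a standard-library-only toy cipher standing in for AES-GCM. It shows that an old ciphertext still decrypts after rotation because the older material is retained, while its data key is only replaced by an explicit re-encrypt.

```python
import hashlib
import secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for AES-GCM so the example runs with the standard library only.
    Not a production cipher; real envelope encryption uses an authenticated cipher."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)

class FakeKms:
    """Hypothetical local model of one KMS key (an assumption, not the AWS API).
    Key material never leaves the object; rotation appends new material and keeps
    every older version, which is how AWS KMS keeps old ciphertexts decryptable."""
    def __init__(self):
        self.versions = [secrets.token_bytes(32)]

    def rotate(self):
        self.versions.append(secrets.token_bytes(32))

    def generate_data_key(self):
        # Role of KMS GenerateDataKey: fresh plaintext data key plus a copy wrapped under the newest version.
        data_key, version, nonce = secrets.token_bytes(32), len(self.versions) - 1, secrets.token_bytes(12)
        wrapped = version.to_bytes(2, "big") + nonce + keystream_xor(self.versions[version], nonce, data_key)
        return data_key, wrapped

    def decrypt_data_key(self, wrapped):
        # Role of KMS Decrypt: the version stored in the blob selects the (possibly older) material to unwrap.
        version = int.from_bytes(wrapped[:2], "big")
        return keystream_xor(self.versions[version], wrapped[2:14], wrapped[14:])

    @staticmethod
    def key_version(wrapped):
        return int.from_bytes(wrapped[:2], "big")

def envelope_encrypt(kms, plaintext):
    data_key, wrapped = kms.generate_data_key()
    nonce = secrets.token_bytes(12)
    # Only the wrapped data key is stored beside the ciphertext; the plaintext data key is dropped here.
    return {"wrapped_key": wrapped, "nonce": nonce, "ct": keystream_xor(data_key, nonce, plaintext)}

def envelope_decrypt(kms, blob):
    data_key = kms.decrypt_data_key(blob["wrapped_key"])
    return keystream_xor(data_key, blob["nonce"], blob["ct"])

def reencrypt(kms, blob):
    # What automatic rotation does NOT do: a new data key wrapped under the newest material.
    return envelope_encrypt(kms, envelope_decrypt(kms, blob))
```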

Monitor encryption logs

Monitoring the logs of encryption key usage and administration activities is a critical feature in the financial services industry. AWS KMS also works with AWS CloudTrail to provide encryption key usage logs to help meet your auditing, regulatory, and compliance needs.

Monitor key deletes

Key destruction can only be performed by key administrators. Ensure that all destruction requests are reviewed within the safety window: a key cannot be destroyed immediately. It is first disabled, which prevents its use, and is deleted only when the waiting period expires.