Encryption Context - AWS Key Management Service Best Practices

Encryption Context

In addition to limiting permission to the AWS KMS APIs, AWS KMS also gives you the ability to add an additional layer of authentication for your KMS API calls by using an encryption context. The encryption context is a set of key-value pairs of additional data that you want associated with AWS KMS-protected information. AWS KMS incorporates it into the additional authenticated data (AAD) of the authenticated encryption that protects AWS KMS-encrypted ciphertexts. If you submit an encryption context value in the encryption operation, you are required to pass the same value in the corresponding decryption operation. You can use the encryption context inside your policies to enforce tighter controls for your encrypted resources. Because the encryption context is logged in CloudTrail, you can get more insight into the usage of your keys from an audit perspective. Be aware that the encryption context is not encrypted and will be visible within CloudTrail logs. The encryption context should not be considered sensitive information and should not require secrecy.

AWS services that use AWS KMS use encryption context to limit the scope of keys. For example, Amazon EBS sends the volume ID as the encryption context when encrypting/decrypting a volume, and when you take a snapshot the snapshot ID is used as the context. If Amazon EBS did not use this encryption context, an EC2 instance would be able to decrypt any EBS volume under that specific CMK.

An encryption context can also be used for custom applications that you develop, and acts as an additional layer of control by ensuring that decrypt calls succeed only if the encryption context matches what was passed in the encrypt call. If the encryption context for a specific application does not change, you can include that context within the AWS KMS key policy as a conditional statement. For example, if you have an application that requires the ability to encrypt and decrypt data, you can create a key policy on the CMK that requires the expected values. The following policy statement checks that the application name “ExampleApp” and its current version “1.0.24” are the values passed to AWS KMS during the encrypt and decrypt calls. If different values are passed, the call is denied and the encrypt or decrypt action is not performed.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:AppName": "ExampleApp",
      "kms:EncryptionContext:Version": "1.0.24"
    }
  }
}
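The following Python script is an added example, not part of the whitepaper and not AWS code. It models, entirely offline, the two behaviours described above: the encryption context is bound to the ciphertext as additional authenticated data, so a decrypt with any other context fails, and the key-policy condition on the kms:EncryptionContext:* keys gates the call before any cryptography happens. The authenticated encryption is an HMAC-based encrypt-then-MAC stand-in (assumed for illustration; it is not the algorithm AWS KMS uses), the key is a constructed demo key, and the policy evaluator handles only the single Allow statement quoted above (no Deny statements, no IAM policies, exact-case matching of context keys). The error names mirror the KMS exceptions returned for a policy failure and for a wrong context.

```python
"""Offline model of AWS KMS encryption context behaviour (added example, not AWS code).

The AEAD below is an HMAC-based stand-in, NOT the algorithm KMS uses; the policy
check covers only the one Allow statement from the text.
"""
import hashlib
import hmac
import json
import secrets

# Constructed demo key standing in for the CMK's key material.
DEMO_KEY = hashlib.sha256(b"constructed demo key, not real key material").digest()

# The key policy statement from the text, as a Python dict.
POLICY_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/RoleForExampleApp"},
    "Action": ["kms:Encrypt", "kms:Decrypt"],
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "kms:EncryptionContext:AppName": "ExampleApp",
            "kms:EncryptionContext:Version": "1.0.24",
        }
    },
}


def canonical_aad(context: dict) -> bytes:
    """Deterministic encoding of the context, so the same pairs always give the same AAD."""
    return json.dumps(context, sort_keys=True, separators=(",", ":")).encode()


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for the keystream and for the MAC, derived from one root key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (toy PRF, for illustration only).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes, context: dict) -> bytes:
    """Returns nonce || ciphertext || tag; the tag covers the context as AAD."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), canonical_aad(context) + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes, context: dict) -> bytes:
    """Verifies the tag under the supplied context before releasing any plaintext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), canonical_aad(context) + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # A wrong context looks exactly like a tampered ciphertext: nothing is released.
        raise ValueError("context mismatch or tampered ciphertext")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def policy_allows(statement: dict, principal_arn: str, action: str, context: dict) -> bool:
    """Evaluates one Allow statement: principal, action and every kms:EncryptionContext:* condition."""
    if principal_arn != statement["Principal"]["AWS"] or action not in statement["Action"]:
        return False
    prefix = "kms:EncryptionContext:"
    for cond_key, wanted in statement["Condition"]["StringEquals"].items():
        if not cond_key.startswith(prefix):
            return False  # other condition keys are outside this example's scope
        if context.get(cond_key[len(prefix):]) != wanted:
            return False  # pair missing or value differs: the request is denied
    return True


def kms_request(action: str, principal_arn: str, context: dict, data: bytes):
    """Policy check first, then the cryptographic operation; returns (status, payload)."""
    if not policy_allows(POLICY_STATEMENT, principal_arn, action, context):
        return ("AccessDeniedException", None)
    try:
        if action == "kms:Encrypt":
            return ("OK", encrypt(DEMO_KEY, data, context))
        return ("OK", decrypt(DEMO_KEY, data, context))
    except ValueError:
        return ("InvalidCiphertextException", None)


if __name__ == "__main__":
    role = "arn:aws:iam::111122223333:role/RoleForExampleApp"
    good = {"AppName": "ExampleApp", "Version": "1.0.24"}
    status, blob = kms_request("kms:Encrypt", role, good, b"customer record")
    print("encrypt:", status)
    print("decrypt, same context:", kms_request("kms:Decrypt", role, good, blob)[0])
    old = {"AppName": "ExampleApp", "Version": "1.0.23"}
    print("decrypt, old version (policy):", kms_request("kms:Decrypt", role, old, blob)[0])
    # Even with the policy out of the picture, the AAD binding rejects a different context.
    try:
        decrypt(DEMO_KEY, blob, {"AppName": "OtherApp"})
    except ValueError as exc:
        print("raw decrypt, different context:", exc)
```

Two checks in the script are worth noting. The policy layer denies the request before the key is touched when a pair is missing, has a different value, or the caller is a different principal, which is the control the statement above provides. The AAD binding is the independent second layer: because the tag is computed over the canonical context, any change to the pairs (not just the ones named in the policy) makes the ciphertext unusable, which is why the context must be reproduced exactly at decrypt time even though it is stored and logged in the clear.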

This use of encryption context will help to further ensure that only authorized parties and/or applications can access and use the CMKs. Now the party will need to have IAM permissions to AWS KMS, a CMK policy that allows them to use the key in the requested fashion, and finally know the expected encryption context values.