How to manage Asymmetric (Public/Private) Keys in AWS

I need to develop a solution to store both symmetric and asymmetric keys securely in AWS. These keys will be used by applications that are running on EC2s and Lambdas. The applications will need to be set up with policies that will allow the application or lambda to pull the keys out of the key store. The key store should also manage the key expiry, notifying various people when keys are going to expire. The initial key exchange is between my company and its partners, meaning that we may have either a public or private key for a key pair depending upon the data transfer direction.

We have looked at KMS, but from what I have seen KMS does not support asymmetric keys. I have also seen online that some people are using either S3 (protected by KMS) or Parameter Store to store the keys, but this does not address the issue of key management.

Do you guys have any thoughts on this? Or even SaaS/PaaS suggestions?

Joshy asked May 24 '17 01:05




1 Answer

My recommendation would be to use AWS Secrets Manager for this. Secrets Manager allows you to store any type of credential/key, you can set up fine-grained cross account permissions to secrets, encryption at rest is used (via KMS), and secrets can be automatically rotated (by providing an expiration time and an AWS Lambda function owned by you to perform the rotation).

More details on the official docs:

  • Basic tutorial on how to use AWS Secrets Manager
  • Encryption at rest on Secrets Manager
  • Secrets rotation
  • Managing secrets policies
Viccari answered Oct 05 '22 02:10