I'm writing a serverless function on AWS Lambda.
On certain instances I need to use kms:GenerateDataKey*
permissions.
What exactly is the purpose of this. I checked the AWS documentation but it is too cryptic. Can someone give a practical example of where this is used?
Consider using a customer managed key if: You want to create, rotate, disable, or define access controls for the key. You want to grant cross-account access to your S3 objects. You can configure the policy of a customer managed key to allow access from another account.
A Key Management Service (KMS) is used to create and manage cryptographic keys and control their usage across various platforms and applications. If you are an AWS user, you must have heard of or used its managed Key Management Service called AWS KMS.
Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key. Use KMS keys to generate, encrypt, and decrypt the data keys that you use outside of AWS KMS to encrypt your data. KMS keys are created in AWS KMS and never leave AWS KMS unencrypted.
Customer master keys are logical representations of a master key. They are the primary resources in AWS KMS. The CMK contains the key material used to encrypt and decrypt data. It also contains metadata such as the key ID, creation date, description, and key state.
A Lambda function that requires kms:GenerateDataKey permission is most likely encrypting large amounts of data using a symmetric data key.
kms:GenerateDataKey
is used to implement envelope encryption, which is the process of encrypting a key with another key. Symmetric key algorithms are faster and produce smaller ciphertexts than public key algorithms, whereas public key algorithms provide inherent separation of roles and easier key management. Envelope encryption combines the strengths of each strategy.
Envelope Encryption in AWS
Create a Customer Master Key in KMS. Even though a CMK can be used to encrypt data up to 4K in size, it is primarily used to encrypt/decrypt data encryption keys.
Generate a Data Encryption Key - Used to encrypt data by using symmetric encryption algorithms.
Encrypt the data key by using the CMK.
Store encrypted data and encrypted data key together.
When a user calls kms:GenerateDataKey
, KMS generates a data key, encrypts it with the CMK and finally returns plaintext and encrypted data key pair back (steps 2 & 3 above).
The user is responsible for managing these keys. Plaintext data key is usually discarded immediately after encrypting data, whereas encrypted data key is stored together with encrypted data. Data encryption key must be decrypted by using kms:decrypt
before decrypting data.
I'm not familiar with permission itself, but I found this in the documentation:
From Using Key Policies in AWS KMS - AWS Key Management Service:
kms:GenerateDataKey*
– Allows key users to successfully request data encryption keys (data keys) to use for client-side encryption. Key users can choose to receive two copies of the data key—one in plaintext form and one that is encrypted with this CMK—or to receive only the encrypted form of the data key.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With