AWS KMS Key
- Note: a KMS key used to be called a Customer Master Key (CMK). That old term is not the same thing as "customer-managed key", which is one kind of KMS key (the other kind being an AWS-managed key)
- A KMS key can be one of these types:
  - Symmetric key (AES-256 keys) ^744050
    - You never get the key material; it stays inside KMS and you call KMS to use it
    - One key does both encrypt and decrypt
  - Asymmetric (RSA & ECC key pairs)
    - Public (encrypt or verify) and private (decrypt or sign) pair; each key pair is created for one usage, either encrypt/decrypt (RSA only) or sign/verify (RSA or ECC)
    - Public key is downloadable, but the private key never leaves KMS
    - Use case: parties outside AWS that need to encrypt or verify with the public key and have no KMS access
- Every KMS key has a key policy; to use the key, a principal must be allowed by it (IAM policies only add to that when the key policy delegates to IAM, as the default key policy does for the account root)
Automatic Key Rotation
- AWS-managed KMS key: rotated automatically every year, not configurable
- Customer-managed KMS key: rotation is off unless you enable it per key ^b360f6
  - For keys whose material KMS generated: once enabled, automatic once a year (the period is configurable); KMS keeps the old backing keys, so old ciphertext still decrypts
  - For keys with imported material (and asymmetric keys): no automatic rotation; rotate manually by creating a new key, importing fresh material, and pointing the alias at the new key
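The two rotation paths above as AWS CLI calls. This is an added example, not part of the original notes; key IDs, the alias name and the file names are placeholders, and the wrapping of the imported key material happens out of band before `import_material` is called. Setting `AWS=echo` prints the commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): automatic rotation for a
# customer-managed key with KMS-generated material, and the manual rotation
# that imported-material keys need. Key IDs, alias and file names are
# placeholders.
set -euo pipefail

AWS="${AWS:-aws}"   # set AWS=echo to print the commands instead of running them

# Automatic rotation: KMS keeps every old backing key, so old ciphertext still
# decrypts and callers do not change anything. The call fails for imported
# material, asymmetric keys and AWS-managed keys (which rotate on their own).
enable_auto_rotation() {
  local key_id="$1"
  "$AWS" kms enable-key-rotation --key-id "$key_id"
}

rotation_status() {
  local key_id="$1"
  "$AWS" kms get-key-rotation-status --key-id "$key_id" \
    --query KeyRotationEnabled --output text
}

# Manual rotation for imported material: make a new EXTERNAL-origin key,
# import fresh material into it, then move the alias. Callers that encrypt
# by alias switch to the new key on their next call; ciphertext made under
# the old key keeps decrypting as long as that key is not disabled or deleted.
new_external_key() {
  local description="$1"
  "$AWS" kms create-key --origin EXTERNAL --description "$description" \
    --query KeyMetadata.KeyId --output text
}

# wrapped_material and import_token are files produced out of band:
# get-parameters-for-import returns the wrapping public key and the token,
# and you wrap your key material with that public key (for example with
# openssl) before calling this.
import_material() {
  local key_id="$1" wrapped_material="$2" import_token="$3"
  "$AWS" kms import-key-material --key-id "$key_id" \
    --encrypted-key-material "fileb://$wrapped_material" \
    --import-token "fileb://$import_token" \
    --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE
}

rotate_by_alias() {
  local alias_name="$1" new_key_id="$2"
  "$AWS" kms update-alias --alias-name "$alias_name" --target-key-id "$new_key_id"
}
```

Keep the old key enabled after re-pointing the alias: anything encrypted under it before the switch can only be decrypted by it, and symmetric ciphertext carries the ID of the key it was encrypted with, so decrypt calls find the right key without the alias.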
Note: a KMS key is regional; a key in one region cannot be used in another (multi-Region keys are the one exception).
So how to share an encrypted EBS volume between regions
- Create a snapshot of the EBS volume that is encrypted with key A
- Copy that snapshot to the other region, naming key B (a key in the destination region) as the encryption key; if you name none, the copy is encrypted with the destination region's default aws/ebs key
- The copy is re-encrypted with key B during the copy; the original snapshot stays encrypted with key A
- Create the volume in the other region from the copied snapshot; it is encrypted with key B
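The whole procedure as AWS CLI calls, together with the key policy on key B that the note on key policies above is about (without it the copy in the destination region is refused). This is an added example, not code from the original notes; the account ID, role ARN, regions, key IDs and volume/snapshot IDs are placeholders, key B is assumed to already exist in the destination region, and setting `AWS=echo` prints the commands instead of running them.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): move an encrypted EBS volume
# from one region to another. The source volume is encrypted with key A in
# SRC_REGION; the copied snapshot and the new volume are encrypted with key B
# in DST_REGION. Key B must already exist and its key policy must allow the
# caller to use it. All IDs, regions and ARNs are placeholders.
set -euo pipefail

AWS="${AWS:-aws}"   # set AWS=echo to print the commands instead of running them

# Key policy for key B: the account root keeps full control (this is what lets
# IAM policies in the account grant access at all), and one role gets the
# operations EBS needs. CreateGrant is included because EBS attaches a grant
# to the key when it creates an encrypted snapshot or volume.
key_policy_json() {
  local account_id="$1" role_arn="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Id": "key-b-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::${account_id}:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key for EBS",
      "Effect": "Allow",
      "Principal": {"AWS": "${role_arn}"},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey",
        "kms:CreateGrant"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

put_key_policy() {
  local dst_region="$1" key_b="$2" account_id="$3" role_arn="$4"
  "$AWS" kms put-key-policy --region "$dst_region" --key-id "$key_b" \
    --policy-name default --policy "$(key_policy_json "$account_id" "$role_arn")"
}

# 1. Snapshot the source volume. The snapshot inherits key A; a snapshot's key
#    cannot be changed in place, only when it is copied.
create_snapshot() {
  local src_region="$1" volume_id="$2"
  "$AWS" ec2 create-snapshot --region "$src_region" --volume-id "$volume_id" \
    --query SnapshotId --output text
}

# 2. Copy to the destination region naming key B explicitly. Without
#    --kms-key-id the copy is encrypted with the destination region's default
#    aws/ebs key, which you cannot scope with a key policy of your own.
copy_snapshot() {
  local src_region="$1" snapshot_id="$2" dst_region="$3" key_b="$4"
  "$AWS" ec2 copy-snapshot --region "$dst_region" \
    --source-region "$src_region" --source-snapshot-id "$snapshot_id" \
    --encrypted --kms-key-id "$key_b" \
    --query SnapshotId --output text
}

# 3. Create a volume from the copied snapshot; it stays encrypted with key B.
create_volume() {
  local dst_region="$1" az="$2" snapshot_id="$3"
  "$AWS" ec2 create-volume --region "$dst_region" --availability-zone "$az" \
    --snapshot-id "$snapshot_id" --query VolumeId --output text
}

move_encrypted_volume() {
  local src_region="$1" volume_id="$2" dst_region="$3" key_b="$4" az="$5"
  local snap copy
  snap=$(create_snapshot "$src_region" "$volume_id")
  "$AWS" ec2 wait snapshot-completed --region "$src_region" --snapshot-ids "$snap"
  copy=$(copy_snapshot "$src_region" "$snap" "$dst_region" "$key_b")
  "$AWS" ec2 wait snapshot-completed --region "$dst_region" --snapshot-ids "$copy"
  create_volume "$dst_region" "$az" "$copy"
}
```

The caller also needs `kms:Decrypt` (or a grant) on key A in the source region, since the copy decrypts under A before re-encrypting under B; if the copy fails with an access error, check both key policies, not just key B's.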