In today’s update, we are thrilled to announce on-demand key rotation for symmetric encryption keys in AWS Key Management Service (AWS KMS) that use imported key material (origin: EXTERNAL). This new feature lets you rotate the cryptographic key material without changing the key identifier (key ID or Amazon Resource Name (ARN)). Regular key rotation is a common compliance requirement and a security best practice.
Historically, AWS KMS has offered automatic key rotation for keys generated by AWS KMS (origin: AWS_KMS). However, users who imported their key material faced challenges, as they were unable to rotate that material without creating a new KMS key. This manual rotation process necessitated updates to references tied to older key identifiers. With this launch, the key ID for imported keys remains constant after rotation, ensuring that existing workloads continue to function smoothly. In this article, we will explore how this new feature operates, examine key material expiration and deletion attributes specific to imported keys, and review associated pricing.
How It Works
When you create an AWS KMS key with an EXTERNAL origin, KMS assigns a fixed identifier known as the key ID. Notably, AWS KMS does not generate the key material for cryptographic operations; you must import your own key material using the ImportKeyMaterial operation.
Upon importing key material, AWS KMS generates a unique key material identifier based on both the key ID and the key material. Even if the same key material is imported into different keys, AWS KMS will assign distinct identifiers. This process utilizes a cryptographic hash, ensuring that the key material identifier does not disclose any information about the key material itself. AWS KMS embeds this identifier within the ciphertext blob produced during symmetric encryption.
Previously, once key material was imported into an AWS KMS key, it was impossible to import additional key material for rotation. The introduction of this feature allows you to associate multiple imported key materials with a single symmetric encryption key. You can utilize the RotateKeyOnDemand operation to designate the most recently imported key material as the current key material. AWS KMS will then use this material for generating new ciphertext. Unless they are deleted or expired, other key materials will remain accessible for decryption. When ciphertext is presented for decryption, AWS KMS automatically determines the appropriate key material based on the identifier embedded in the ciphertext.
To enhance the auditability of key rotations, we have introduced new identifiers in KMS API responses to specify which key material was utilized. The KeyMaterialId is now included in responses from AWS KMS, alongside the KeyId. Additionally, the DescribeKey response for these keys now shows the identifier of the current key material as CurrentKeyMaterialId. This transparency in key rotation is crucial for maintaining security.
Summary of Key Rotation Process
- Create a symmetric encryption KMS key with EXTERNAL origin.
- Import key material into the key using the GetParametersForImport and ImportKeyMaterial APIs. The first key material becomes usable immediately, preserving backward compatibility.
- Use the key to create ciphertext and decrypt it, noting that the key material ID in the responses matches the CurrentKeyMaterialId shown in the DescribeKey response.
- To rotate the key, import a second key material. The ImportKeyMaterial API now takes a new ImportType parameter that specifies whether you are adding new key material (--import-type NEW_KEY_MATERIAL) or re-importing existing key material (--import-type EXISTING_KEY_MATERIAL).
- Use ListKeyRotations with --include-key-material ALL_KEY_MATERIAL to view both key materials. The state of the second key material will be PENDING_ROTATION.
- Initiate the on-demand rotation with the RotateKeyOnDemand operation.
- Optionally, use GetKeyRotationStatus to track the rotation progress. The response includes OnDemandRotationStartDate only while the rotation is underway.
- After the rotation completes, use ListKeyRotations with --include-key-material ALL_KEY_MATERIAL again to review the key materials associated with the key. The newly imported key material transitions from PENDING_ROTATION to CURRENT, while the original key material moves from CURRENT to NON_CURRENT.
- Create ciphertext and decrypt it with the key. The CurrentKeyMaterialId is used for encryption, while AWS KMS automatically selects the appropriate key material for decryption.
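As an added illustration (not AWS code and not how KMS is implemented internally), the following Python model reproduces the behaviour described above: a key material identifier derived by hashing the key ID together with the material, several materials per key in CURRENT, PENDING_ROTATION and NON_CURRENT states, RotateKeyOnDemand promoting the most recently imported material, the identifier embedded in every ciphertext blob, and decryption selecting the material by that identifier (failing once it has been deleted). The stream cipher and the ID derivation are toy stand-ins chosen so the example runs offline; the ARN-style key IDs are constructed placeholders.

```python
"""Toy model of KMS on-demand rotation for imported key material (constructed stand-in, not KMS internals)."""
import hashlib, os

class ExternalKey:
    def __init__(self, key_id: str):
        self.key_id = key_id          # fixed key ID: never changes on rotation
        self.materials = {}           # key_material_id -> [material bytes, state]
        self.current_id = self.last_imported = None

    def material_id(self, material: bytes) -> str:
        # Hash of key ID and material: the same bytes in another key get a different ID.
        return hashlib.sha256(self.key_id.encode() + material).hexdigest()[:32]

    def import_key_material(self, material: bytes, import_type="NEW_KEY_MATERIAL") -> str:
        mid = self.material_id(material)
        if import_type == "EXISTING_KEY_MATERIAL":    # re-import: same ID, no new entry
            if mid not in self.materials:
                raise ValueError("EXISTING_KEY_MATERIAL must match an earlier import")
            return mid
        state = "CURRENT" if self.current_id is None else "PENDING_ROTATION"
        self.materials[mid] = [material, state]       # first import is usable at once
        self.current_id = self.current_id or mid
        self.last_imported = mid
        return mid

    def rotate_key_on_demand(self) -> str:
        if self.materials[self.last_imported][1] != "PENDING_ROTATION":
            raise RuntimeError("no PENDING_ROTATION key material to promote")
        self.materials[self.current_id][1] = "NON_CURRENT"   # still usable for decrypt
        self.materials[self.last_imported][1] = "CURRENT"
        self.current_id = self.last_imported
        return self.current_id

    def list_key_rotations(self) -> dict:
        return {mid: entry[1] for mid, entry in self.materials.items()}

    def _keystream(self, material: bytes, nonce: bytes, n: int) -> bytes:
        return b"".join(hashlib.sha256(material + nonce + bytes([i])).digest()
                        for i in range((n + 31) // 32))[:n]

    def encrypt(self, plaintext: bytes) -> bytes:
        # The ciphertext blob embeds the current key material ID, as KMS does.
        material, nonce = self.materials[self.current_id][0], os.urandom(12)
        ks = self._keystream(material, nonce, len(plaintext))
        return self.current_id.encode() + nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

    def decrypt(self, blob: bytes) -> bytes:
        # Pick the material by embedded ID whatever its state; deleted/expired -> error.
        mid, nonce, body = blob[:32].decode(), blob[32:44], blob[44:]
        if mid not in self.materials:
            raise KeyError("key material %s was deleted or expired" % mid)
        ks = self._keystream(self.materials[mid][0], nonce, len(body))
        return bytes(a ^ b for a, b in zip(body, ks))
```

Deleting an entry from `materials` stands in for key material deletion or expiry: ciphertext produced under that material can no longer be decrypted, while ciphertext under NON_CURRENT material still can.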
AWS CLI Example for Rotating an Imported Key
Here is a sample sequence of AWS KMS commands that exercises the key rotation functionality using the AWS Command Line Interface (CLI). These commands are written for Linux or macOS environments and may need to be adjusted for Windows. The feature is also available through the AWS SDKs and in the AWS Management Console.
Step 1: Create a Key and Import Key Material
This step should be familiar to those who have previously utilized the existing import key functionality in AWS KMS.
- Create a symmetric encryption key with an EXTERNAL origin and capture the key ARN. The initial state of this key is PendingImport.
export EXTERNAL_KEY1_ARN=$(aws kms create-key --origin EXTERNAL | tee /dev/stderr | jq -r .KeyMetadata.Arn)
- Generate 256 bits (32 bytes) of key material for import. OpenSSL can be used to create the key material.
openssl rand 32 > "KeyMaterial1.bin"
- Use the get-parameters-for-import command to obtain the wrapping key and import token, saving them to files. AWS KMS supports several wrapping algorithms; here we use RSAES_OAEP_SHA_256 with a 4096-bit RSA wrapping key.
export WRAPPING_ALGORITHM="RSAES_OAEP_SHA_256"
export WRAPPING_KEY_SPEC="RSA_4096"
export KMS_PARAMETERS_FOR_IMPORTED_KEY_MATERIAL1=$(aws kms get-parameters-for-import \
  --key-id "${EXTERNAL_KEY1_ARN}" \
  --wrapping-algorithm "${WRAPPING_ALGORITHM}" \
  --wrapping-key-spec "${WRAPPING_KEY_SPEC}" | tee /dev/stderr)