AWS KMS Service: Ensuring Ownership with Custom Key Material

Using Custom Key Material for Ownership Verification

Question

A company is planning to use the AWS KMS service for encryption and decryption of its underlying data.

The company needs to ensure that they use their own key material to prove ownership. Which of the following steps must be done in order to fulfill this requirement?

Answers

Explanations


Answer: B.

Option A is incorrect because AWS Config is a service that lets you assess, audit, and evaluate the configurations of your AWS resources; it does not control access to KMS operations based on the value of the Origin property of the CMK that is created by or used in the operation.

Option B is CORRECT because the kms:KeyOrigin condition key can be used to control access to the CreateKey operation based on the value of the Origin parameter in the request.

Valid values for Origin are AWS_KMS, AWS_CLOUDHSM, and EXTERNAL.

Option C is incorrect because disabling a key does nothing to establish key ownership or to determine whether its Origin is AWS_KMS, AWS_CLOUDHSM, or EXTERNAL.

Option D is incorrect because KMS key rotation follows the cryptographic best practice of discouraging extensive reuse of encryption keys, but it does nothing to establish key ownership or to determine whether a key's Origin is AWS_KMS, AWS_CLOUDHSM, or EXTERNAL.

Reference:

https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-key-origin

To fulfill the requirement of using their own key material to prove ownership, the company must ensure that their own key material is used for encryption and decryption, rather than relying on the key material provided by AWS. This can be achieved by taking the following steps:

B. Use kms:KeyOrigin condition key in key policy:

The company should use the kms:KeyOrigin condition key in the key policy of their KMS customer master keys (CMKs). This condition key allows the company to control the source of the key material used to create the CMK. By setting this condition key to "AWS_KMS", the company can restrict the use of the CMK to key material that is generated by KMS, which is the default value. However, by setting this condition key to "EXTERNAL", the company can restrict the use of the CMK to key material that they have imported into KMS, which is the option needed to use their own key material.

Once the policy has been updated with the "EXTERNAL" value, the company can create CMKs backed by its own key material. This is done by generating the key material outside of KMS and importing it using the AWS Management Console, the AWS CLI, or the AWS SDKs.
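As an added illustration (not part of the original page), the following Python shows what a kms:KeyOrigin restriction looks like in practice and how it is evaluated. The policy document is constructed for this example and is written as an IAM identity policy, since that is where permission for kms:CreateKey is granted; the identifiers kms:CreateKey, kms:KeyOrigin and the three Origin values are real, while the evaluator is a deliberately simplified model of IAM's explicit-deny-wins logic written only to demonstrate the effect of the condition.

```python
import json

# Constructed IAM policy (added example, not from the original page): allow
# CreateKey only when the request's Origin is EXTERNAL, so every new KMS key
# must be backed by key material the company imports itself. The explicit
# Deny makes the intent survive even if another statement grants kms:CreateKey.
IMPORT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreateKeyWithImportedMaterialOnly",
            "Effect": "Allow",
            "Action": "kms:CreateKey",
            "Resource": "*",
            "Condition": {"StringEquals": {"kms:KeyOrigin": "EXTERNAL"}},
        },
        {
            "Sid": "DenyCreateKeyWithAwsGeneratedMaterial",
            "Effect": "Deny",
            "Action": "kms:CreateKey",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"kms:KeyOrigin": "EXTERNAL"}},
        },
    ],
}

# Valid values of the Origin parameter / kms:KeyOrigin condition key.
VALID_ORIGINS = {"AWS_KMS", "AWS_CLOUDHSM", "EXTERNAL"}


def key_origin_for_request(request: dict) -> str:
    """Return the kms:KeyOrigin value evaluated for a CreateKey request.

    KMS defaults Origin to AWS_KMS when the parameter is omitted, so a
    request that simply forgets to set Origin is NOT treated as imported
    key material; the policy above therefore denies it.
    """
    origin = request.get("Origin", "AWS_KMS")
    if origin not in VALID_ORIGINS:
        raise ValueError(f"unknown Origin {origin!r}")
    return origin


def _condition_matches(condition: dict, origin: str) -> bool:
    # Minimal evaluator for the two operators used above (simplified IAM model).
    for operator, pairs in condition.items():
        expected = pairs.get("kms:KeyOrigin")
        if expected is None:
            continue
        if operator == "StringEquals" and origin != expected:
            return False
        if operator == "StringNotEquals" and origin == expected:
            return False
    return True


def create_key_allowed(policy: dict, request: dict) -> bool:
    """Simplified IAM evaluation: a matching explicit Deny wins outright,
    otherwise at least one matching Allow is required."""
    origin = key_origin_for_request(request)
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if "kms:CreateKey" not in actions:
            continue
        if not _condition_matches(stmt.get("Condition", {}), origin):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for req in ({"Origin": "EXTERNAL"}, {"Origin": "AWS_KMS"}, {"Origin": "AWS_CLOUDHSM"}, {}):
        verdict = "ALLOW" if create_key_allowed(IMPORT_ONLY_POLICY, req) else "DENY"
        print(f"CreateKey {req} -> {verdict}")
    print(json.dumps(IMPORT_ONLY_POLICY, indent=2))
```

Running the block prints ALLOW only for the request that sets Origin to EXTERNAL; a request that sets AWS_KMS or AWS_CLOUDHSM, or that omits Origin entirely (which KMS treats as AWS_KMS), is denied. The same condition key can also appear in a key policy to gate operations on an existing CMK by its Origin, but it cannot change the origin of key material that a CMK already has, which is why the page recommends creating new CMKs for imported material.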

C. Consider disabling the keys being used:

If the company has previously used AWS-generated key material to create CMKs, they should consider disabling those keys and creating new CMKs that use their own key material. This ensures that the company is not inadvertently using AWS-generated key material to encrypt and decrypt data.

D. Consider rotating the keys being used:

The company should consider rotating the keys being used on a regular basis, in order to improve the security of their encryption and decryption processes. This can be done by creating new CMKs that use their own key material, and then updating the applications and systems that use the old CMKs to use the new CMKs instead.

A. Use AWS Config to see where all the keys have been used:

While AWS Config can be useful for tracking and auditing the use of AWS resources, it is not directly related to fulfilling the requirement of using their own key material to prove ownership. However, it can be used to see where the keys have been used, which can be helpful in identifying applications and systems that need to be updated to use the new CMKs.

In summary, to fulfill the requirement of using their own key material to prove ownership when using AWS KMS for encryption and decryption, the company should use the kms:KeyOrigin condition key in the key policy of their CMKs to restrict the use of the keys to their own key material, consider disabling old keys, and rotate the keys on a regular basis. AWS Config can also be used to identify applications and systems that need to be updated to use the new CMKs.