2
votes

Option 1: If we use an AWS KMS-managed customer master key (CMK), does that provide end-to-end encryption?

Option 2: Or, would we have to use a client-side master key, so that only the client can decrypt their data?

2
It would be good to get more details about your use case. Yes, it is possible to do that, but by doing it you're not getting the benefits of Envelope Encryption. Also, you're sending your data unencrypted on the wire (apart from TLS). Viccari

2 Answers

1
votes

Update: KMS is not asymmetric, though you can use Envelope Encryption to generate a data key from the CMK. The key is generated on a physical HSM making it not accessible externally. You will only have to worry about the access to the CMK which you can achieve using IAM access control.

For a detailed explanation of how the mechanism works, check the Envelope Encryption section of the KMS Cryptographic Details white paper.

So if you are only worried about eavesdropping, it can be a good solution. If you are looking for strictly end-to-end encryption, you might have to use asymmetric keys, which KMS can help you with too.

0
votes

AWS KMS does not store any data; it provides you two keys:

1. Plain key: with the help of it you encrypt the data and then delete it (the key; no need to save it anywhere).

2. Encrypted data key: you need to save this key to decrypt the data (to decrypt the data, you first get the plain key back from AWS using the encrypted data key), and with the help of the plain key you decrypt the data.

So encryption is done at client side.
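The flow this answer describes (ask KMS for a data key, encrypt locally, drop the plain key, keep only the encrypted data key, later ask KMS to unwrap it), as an added example that is not from the post or from AWS. `FakeKms` is a constructed stand-in for the KMS API and its IAM gate, `seal`/`open_` are a toy HMAC-based cipher standing in for AES-GCM, and the principal names are assumptions.

```python
import hmac, hashlib, secrets

def _keystream(key, nonce, n):
    # Toy keystream from HMAC-SHA256 in counter mode; stands in for AES, not for production use.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC with a fresh random nonce; output is nonce || ciphertext || tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext or encrypted data key was altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class FakeKms:
    """Constructed stand-in for KMS: the CMK never leaves this object (like the HSM); the allow-list plays the IAM key policy."""
    def __init__(self, allowed_principals):
        self._cmk = secrets.token_bytes(32)
        self._allowed = set(allowed_principals)
    def _authorize(self, principal):
        if principal not in self._allowed:
            raise PermissionError("AccessDenied: %s may not use this CMK" % principal)
    def generate_data_key(self, principal):
        # Models GenerateDataKey: a fresh data key plus the same key wrapped under the CMK.
        self._authorize(principal)
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._cmk, data_key)
    def decrypt(self, principal, encrypted_data_key):
        # Models Decrypt: unwraps the data key; the CMK itself is never returned.
        self._authorize(principal)
        return open_(self._cmk, encrypted_data_key)

def envelope_encrypt(kms, principal, plaintext):
    # Encrypt locally with the plain data key, then drop it; only its wrapped form is stored.
    data_key, encrypted_data_key = kms.generate_data_key(principal)
    ciphertext = seal(data_key, plaintext)
    del data_key
    return {"encrypted_data_key": encrypted_data_key, "ciphertext": ciphertext}

def envelope_decrypt(kms, principal, envelope):
    # Only the wrapped data key goes to KMS; the data itself never leaves the client.
    data_key = kms.decrypt(principal, envelope["encrypted_data_key"])
    return open_(data_key, envelope["ciphertext"])
```

A principal outside the key policy gets AccessDenied even though it holds the encrypted data key, and any change to the stored ciphertext or wrapped key fails authentication instead of decrypting to garbage.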