StackZone Feature: Key Management Service
KMS Customer Managed Key's (CMK's) by StackZone
Ryan Ware
Last Update há 8 meses
StackZone will create a variety of AWS KMS Keys for you to use in each AWS Account within your AWS Organization. There are separate keys to use with different services such as EBS Volume Encryption, CloudWatch Logs Encryption and Backup Encryption which encrypts AMI's and snapshots. Each of these KMS Keys are created in every activated AWS Region with an appropriate policy already attached.
AWS Key Management Service (KMS)
AWS Key Management Service (KMS) gives you centralized control over the cryptographic keys used to protect your data. The service is integrated with other AWS services making it easy to encrypt data you store in these services and control access to the keys that decrypt it.
AWS KMS provides you with centralized control over the lifecycle and permissions of your keys. You can create new keys whenever you wish, and you can control who can manage keys separately from who can use them.
AWS KMS integrates with AWS services to encrypt data at rest, or to facilitate signing and verification using an AWS KMS key. To protect data at rest, integrated AWS services use envelope encryption, where a data key is used to encrypt data, and is itself encrypted under a KMS key stored in AWS KMS. For signing and verification, integrated AWS services use a key pair from an asymmetric KMS key in AWS KMS.
For additional and more in-depth information on AWS KMS, head on over to their official documentation here
StackZone Key Management Service (KMS)
The StackZone Key Management Service (KMS) feature is an advanced feature and part of the baseline services and will create specific, separate Customer Managed Keys (CMKs) within your AWS Key Management Store (KMS). These Keys are to be used when encrypting specific services, which StackZone uses as part of it's core functionality.
StackZone will create a lot of SNS Topics which are used to send information between services and between accounts. To do this in line with best practices, we want to ensure that they are encrypted with a CMK. We use a CMK rather than the AWS default key as we can control the Key Policy in a more granular fashion.
We have the same process for CloudWatch logs, which logs out a lot of internal StackZone Lambda functions, Codebuild logs, Code Pipeline logs, etc, so encrypting these is in line with best practices also.
Because AWS Services such as SNS, EBS and CloudWatch Logs are region-specific, we will need to encrypt them per region. This is done by creating a specific key per use per region. If we want to encrypt our eu-west-2 Logs, we need to use a Key located in eu-west-2. Similarly, if we want to encrypt our SNS topics in us-east-1 - we cannot use the ue-west-1 SNS encryption key - we need to use our us-east-1 SNS encryption key.
To help manage this, for each account StackZone is managing and for each enabled region, StackZone will create for you;
- KMS key specifically for SNS Topic Encryption
- KMS key specifically for EBS Volume Encryption
- KMS key specifically for CloudWatch Logs Encryption
If you have 5 AWS Accounts and 2 enabled regions, this will mean you have 30 unique CMK's
StackZone can also create additional keys for other services, such as CloudTrail and AWS Backup, but these keys are not created until the other services are enabled via StackZone.
How Does StackZone then use these KMS Keys?
StackZone will always try and use it's own encryption key when creating and modifying resources it creates in your account.
For example, in other optional StackZone features, such as Savings Plans Notifications, we create an SNS Topic for you in your account. This SNS Topic gets encrypted with your regional CMK for SNS encryption, ensuring that this resource is compliant with AWS best practices.
StackZone will also try and use your CMK's when it comes to Config Rule Remediations also. For example let's take a look at the following Config Rule: CloudWatch Log Group Encrypted
Description: Checks if a log group in Amazon CloudWatch Logs is encrypted with a AWS Key Management Service (KMS) managed Customer Master Keys (CMK). The rule is NON_COMPLIANT if no AWS KMS CMK is configured on the log groups.
What is interesting here, is the Remediation part of this AWS Config Rule. If you have automatic remediation enabled, the remediation will use your regional CMK for Logs Encryption to ensure your CloudWatch Log Groups are encrypted with the StackZone Logs KMS Key.
We also give users the option to disable the AWS Yearly managed rotation process if you so desire from the Key Management Service screen in the StackZone Console. By default this is enabled in line with AWS' best practices but you can disable this for different keys if you wish.
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our how it works section with easy to follow videos or just create your own StackZone Account here