Below is a summary of the key points from the transcript on AWS Key Management Service (KMS) as they relate to the CISSP exam. It simplifies the technical terms without sacrificing accuracy. (AWS now calls a customer master key a "KMS key"; this summary keeps the older term, CMK, used in the transcript.)
Changing Encryption Key for EBS Volume
- The key of an existing EBS volume cannot be changed in place. To move a volume to a different KMS key:
- Create a snapshot of the volume.
- Create a new volume from that snapshot and specify the new KMS key (copying the snapshot with the new key and creating the volume from the copy achieves the same result).
- EBS decrypts the snapshot under the original Customer Master Key (CMK) and re-encrypts the data under the new one, so the original CMK must still be enabled (not disabled or pending deletion) while this happens.

Sharing Encrypted KMS Snapshots Across Accounts
- To share an encrypted snapshot (e.g., an RDS DB snapshot) with another account:
- The snapshot must be encrypted with a customer managed CMK; snapshots encrypted with the AWS managed default key (for example aws/rds) cannot be shared at all.
- Share the snapshot with the target account(s).
- Update the key policy on the CMK so that the target accounts can use the key: the usual encrypt/decrypt actions (kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey*, kms:DescribeKey) plus kms:CreateGrant, because RDS attaches the key to the restored instance through a KMS grant.
- The key policy grants the target account as a whole; an administrator in that account still has to delegate the permissions to its own IAM principals.
- The target account can then create a DB instance from the shared encrypted snapshot.
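The key policy described above, built and sanity-checked in code. This is an added example, not code from the transcript or from AWS; the account IDs are constructed placeholders, and the required action lists follow the RDS cross-account snapshot documentation (a grant statement with the kms:GrantIsForAWSResource condition, so the target account can create grants only for AWS services, not hand the key to arbitrary principals). The `missing_actions` checker catches the usual mistake of granting decrypt but forgetting kms:CreateGrant, and `snapshot_key_is_shareable` reads the `KeyManager` field of DescribeKey output to reject AWS managed keys before anyone tries to share.

```python
"""Cross-account KMS key policy for a shared encrypted RDS snapshot (added example)."""
import fnmatch
import json

OWNER_ACCOUNT = "111111111111"   # constructed placeholder, owns the CMK and the snapshot
TARGET_ACCOUNT = "222222222222"  # constructed placeholder, restores the snapshot

# Actions the RDS documentation expects the key policy to grant the target account:
# ordinary use of the key, plus grant management because RDS attaches the key to the
# restored DB instance through a KMS grant.
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def root_arn(account):
    return f"arn:aws:iam::{account}:root"


def build_key_policy(owner_account, target_accounts):
    """Owner keeps full control; each target account may use the key and create
    grants, but only grants for AWS resources (the Bool condition)."""
    targets = [root_arn(a) for a in target_accounts]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableOwnerAccountRoot", "Effect": "Allow",
             "Principal": {"AWS": root_arn(owner_account)},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowTargetAccountsToUseKey", "Effect": "Allow",
             "Principal": {"AWS": targets},
             "Action": USE_ACTIONS, "Resource": "*"},
            {"Sid": "AllowTargetAccountsToCreateGrantsForAwsResources", "Effect": "Allow",
             "Principal": {"AWS": targets},
             "Action": GRANT_ACTIONS, "Resource": "*",
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def granted_actions(policy, account):
    """Action patterns that Allow statements grant to the account's root principal."""
    principal = root_arn(account)
    granted = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        p = stmt.get("Principal", {})
        aws = ["*"] if p == "*" else _as_list(p.get("AWS", []))
        if principal in aws or "*" in aws:
            granted.update(_as_list(stmt["Action"]))
    return granted


def missing_actions(policy, account):
    """Required actions the policy does not grant to the account; wildcards such as
    kms:* or kms:ReEncrypt* in the policy are honoured."""
    granted = granted_actions(policy, account)
    needed = USE_ACTIONS + GRANT_ACTIONS
    return sorted(a for a in needed
                  if not any(fnmatch.fnmatchcase(a, g) for g in granted))


def snapshot_key_is_shareable(key_metadata):
    """True for an enabled customer managed key (DescribeKey -> KeyMetadata).
    Snapshots under an AWS managed key (KeyManager == "AWS", e.g. aws/rds)
    cannot be shared with another account."""
    return (key_metadata.get("KeyManager") == "CUSTOMER"
            and key_metadata.get("KeyState") == "Enabled")


if __name__ == "__main__":
    policy = build_key_policy(OWNER_ACCOUNT, [TARGET_ACCOUNT])
    print(json.dumps(policy, indent=2))
    print("missing for target:", missing_actions(policy, TARGET_ACCOUNT))
```

The printed document is what you would pass to `aws kms put-key-policy --policy-name default`; run `missing_actions` on the policy you actually fetched with `get-key-policy` rather than on the one you intended to write.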

KMS Key Deletions
- Scheduling a CMK for deletion:
- You choose a waiting period of 7 to 30 days (the default is 30); the deletion can be cancelled at any point during it.
- During the waiting period the CMK is in the "Pending deletion" state and cannot be used for cryptographic operations; requests are rejected with KMSInvalidStateException and a message saying the key is pending deletion.
- Automatic key rotation does not occur while the CMK is pending deletion.
- If the CMK is still needed, cancel the deletion. The key then returns to the Disabled state and must be explicitly enabled again before it can be used.
- Once the waiting period ends, the key material is destroyed and any data still encrypted under the CMK is unrecoverable; the waiting period exists precisely so that this can be noticed in time.
- AWS Secrets Manager has an analogous safeguard: a deleted secret is normally kept for a recovery window, but running the DeleteSecret API call with the ForceDeleteWithoutRecovery parameter deletes the secret permanently and immediately, and secrets deleted this way can't be recovered or restored. If you receive errors when running AWS CLI commands, make sure that you're using the most recent version of the AWS CLI.
Automation and Monitoring
- To catch use of a CMK that is scheduled for deletion:
- CloudTrail logs every KMS API call, including failed ones; configure the trail to deliver its events to a CloudWatch Logs log group.
- Create a metric filter on that log group that matches KMS events whose errorMessage says the key "is pending deletion." (an attempted use of a pending-deletion key is rejected with exactly that message).
- Create a CloudWatch alarm on the resulting metric that notifies an SNS topic (e-mail, SMS) whenever the count rises above zero.
- Before scheduling deletion at all, search the same CloudTrail events for recent successful use of the key; a key that is still in use is not ready to be deleted.

This automation ensures that if a CMK is still being used, the responsible parties are alerted and can cancel the deletion before the key is permanently destroyed.
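The two checks from the deletion and monitoring sections, run over CloudTrail records in code. This is an added example, not code from the transcript or from AWS; the key ARN, caller identities and events are constructed samples shaped like real CloudTrail records. `pending_deletion_attempts` evaluates the same condition as the CloudWatch Logs metric filter assumed here, `{ ($.eventSource = kms*) && ($.errorMessage = "* is pending deletion.") }`, and returns who tried which operation against which key, which is what the alarm recipient needs. `usage_by_key` is the pre-deletion audit: successful cryptographic operations per key, ignoring management calls such as ScheduleKeyDeletion itself.

```python
"""Detect use of KMS keys that are pending deletion, and audit use before deleting (added example)."""
import fnmatch
from collections import Counter

KEY_ARN = ("arn:aws:kms:us-east-1:111111111111:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")   # constructed placeholder

# KMS operations that use the key material; management calls are excluded on purpose.
CRYPTO_OPS = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
              "GenerateDataKeyWithoutPlaintext", "Sign", "Verify"}

# Constructed CloudTrail records: field names mirror real ones, values are made up.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/app-role/i-0abc"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventTime": "2024-05-02T09:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventTime": "2024-05-02T09:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/app-role/i-0abc"},
     "errorCode": "KMSInvalidStateException",
     "errorMessage": KEY_ARN + " is pending deletion.",
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventTime": "2024-05-02T09:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"},
     "errorCode": "AccessDenied", "errorMessage": "Access Denied"},
]

# Terms of the assumed metric filter pattern:
#   { ($.eventSource = kms*) && ($.errorMessage = "* is pending deletion.") }
FILTER_TERMS = {"eventSource": "kms*", "errorMessage": "* is pending deletion."}
PENDING_SUFFIX = " is pending deletion."


def matches_metric_filter(event):
    """Evaluate the metric filter pattern against one CloudTrail record."""
    return all(fnmatch.fnmatchcase(str(event.get(field, "")), pattern)
               for field, pattern in FILTER_TERMS.items())


def key_arns(event):
    """Key ARNs named by the record, from `resources` and from the error message."""
    arns = {r["ARN"] for r in event.get("resources", [])
            if r.get("type") == "AWS::KMS::Key"}
    msg = event.get("errorMessage", "")
    if msg.endswith(PENDING_SUFFIX):
        arns.add(msg[: -len(PENDING_SUFFIX)])
    return arns


def pending_deletion_attempts(events):
    """Rejected uses of pending-deletion keys: what the alarm should page on."""
    hits = []
    for ev in events:
        if matches_metric_filter(ev):
            for arn in key_arns(ev):
                hits.append({"time": ev["eventTime"],
                             "caller": ev["userIdentity"]["arn"],
                             "operation": ev["eventName"], "key": arn})
    return hits


def usage_by_key(events):
    """Successful cryptographic operations per key ARN (run before scheduling deletion)."""
    counts = Counter()
    for ev in events:
        if (ev.get("eventSource") == "kms.amazonaws.com"
                and ev.get("eventName") in CRYPTO_OPS and "errorCode" not in ev):
            for arn in key_arns(ev):
                counts[arn] += 1
    return counts


def safe_to_schedule_deletion(events, key_arn):
    """True when the events show no successful use of the key."""
    return usage_by_key(events)[key_arn] == 0


if __name__ == "__main__":
    print("usage:", dict(usage_by_key(SAMPLE_EVENTS)))
    for hit in pending_deletion_attempts(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

In practice feed `pending_deletion_attempts` the records CloudTrail writes to S3 or CloudWatch Logs (the metric filter does the same matching inside CloudWatch, this code just makes the rule testable), and run `usage_by_key` over at least the key's full rotation period before deciding a key is idle.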