Talk: Keys on AWS and Certificates

I had the fortune to listen to Ken Beer and Ryan Treat's talk on keys and certificates. Here are my notes:



  • Key hierarchy: A technique that improves the manageability and security of a large number of keys by encrypting keys with another set of keys.
    • Envelope encryption: Data keys used by applications are encrypted by a set of master keys. This lets applications encrypt a large amount of data without sending it all to the cloud for encryption; only the data keys are encrypted with the master keys.
  • Client-side encryption: encrypt data before sending it to the server (or cloud provider).
  • Server-side encryption: encrypt data on the server side (or in the cloud) after the data has been received.
    • AWS KMS is integrated with 19 AWS services to support server-side encryption.
    • Allows administrators to define how the keys can be used (by defining policies).
    • Logs key-use activity (CloudTrail).
    • Allows you to bring your own keys.
  • $1/key version/month
  • $0.03/10,000 API requests
  • AWS CloudHSM
    • $20,000/year
    • For customers that want further physical security of the server machine. If it breaks, it's on you. You control access to your keys and the apps that use them.
    • Introduced 2 years ago.
  • In China, customers should use client-side encryption.
  • For databases, data is encrypted with a single key before being written to disk. AWS does not yet handle table-level or row-level encryption; use the DB-specific features offered by the DB vendors.
  • When rotating keys, AWS keeps all older versions of the key, so you do not have to re-encrypt everything (which costs money).
  • The delete-key API requires a waiting period of at least 7 days.
  • AWS does not store data keys. For non-S3 uses, if you lose the data key, you also lose the data. For S3, the key is stored in the metadata.
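Envelope encryption and the kept-after-rotation key versions described above, as an added example that is not from the talk or from AWS: `MasterKey` is a hypothetical local stand-in for a KMS master key, and the stdlib HMAC construction stands in for AES-GCM so the script runs offline.

```python
import hashlib, hmac, os, struct

# Stdlib-only AEAD stand-in for AES-GCM so the example runs offline: HMAC-SHA256
# as a PRF in counter mode gives the keystream, then encrypt-then-MAC; the two
# 16-byte halves of a 32-byte key are the encryption and MAC subkeys.
NONCE_LEN, TAG_LEN = 16, 32

def _keystream(ke: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(ke, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    ke, km = key[:16], key[16:]
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(ke, nonce, len(plaintext))))
    tag = hmac.new(km, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    ke, km = key[:16], key[16:]
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(km, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("authentication failed: ciphertext or wrapped key tampered")
    return bytes(c ^ s for c, s in zip(ct, _keystream(ke, nonce, len(ct))))

class MasterKey:
    """Hypothetical local master key (stand-in for a KMS CMK). rotate() adds a
    version and keeps the old ones, so data keys wrapped earlier still unwrap."""
    def __init__(self) -> None:
        self.versions = [os.urandom(32)]
    def rotate(self) -> None:
        self.versions.append(os.urandom(32))
    def generate_data_key(self):
        dk, v = os.urandom(32), len(self.versions) - 1
        return dk, struct.pack(">I", v) + _seal(self.versions[v], dk)
    def unwrap(self, wrapped: bytes) -> bytes:
        v = struct.unpack(">I", wrapped[:4])[0]
        return _open(self.versions[v], wrapped[4:])

WRAPPED_LEN = 4 + NONCE_LEN + 32 + TAG_LEN  # version || sealed 32-byte data key

def encrypt_envelope(mk: MasterKey, plaintext: bytes) -> bytes:
    # Bulk data is encrypted locally under the data key; only the wrapped data
    # key (bound as AAD so it cannot be swapped) travels with the ciphertext.
    dk, wrapped = mk.generate_data_key()
    return wrapped + _seal(dk, plaintext, aad=wrapped)

def decrypt_envelope(mk: MasterKey, blob: bytes) -> bytes:
    wrapped, body = blob[:WRAPPED_LEN], blob[WRAPPED_LEN:]
    return _open(mk.unwrap(wrapped), body, aad=wrapped)
```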


  • Certificates are used for trust, not security.
  • The trend is toward shorter validity periods to reduce risk.
  • Obtaining a CA-signed certificate can take 4.5 hours.
  • Wildcard certificates: high risk, because if one server is compromised, attacks can extend to all servers on your domain.
  • A microservices design approach increases the number of connections that need to be secured.
  • With more frequent deployments (DevOps), certificate validity periods can be shorter.
  • Amazon Certificate Manager (free) provides domain validation.
