AWS Key Management

Risabh Kumar edited this page Jan 31, 2018 · 1 revision

Overview

AWS KMS allows you to control the encryption keys used by your applications and supported AWS services in multiple regions around the world from a single console. Centralised management of all your keys in AWS KMS lets you enforce who can use your keys, when they get rotated, and who can manage them. -AWS KMS

Here's how it works:

  1. Locally generate a random encryption key (referred to as the data key).
  2. Use the data key to encrypt the data.
  3. Use KMS to encrypt the data key with one of the master keys. This is called key wrapping. The encrypted data key is now a "wrapped key."
  4. Discard the plaintext data key.

Now we can safely store the encrypted data and the wrapped key. We can even store them next to each other in a database, on our filesystem, etc., because without access to the master key that wraps the data key, the data key is useless: it is an opaque blob.

To decrypt data, we simply:

  1. Fetch the wrapped data key and the encrypted data.
  2. Use KMS to decrypt the wrapped data key.
  3. Use the decrypted data key to decrypt the encrypted data.

"Master Keys" are not used to encrypt data, but are instead used to encrypt keys that encrypt data.

serverless-kms-secrets

serverless-kms-secrets is a plugin for the Serverless Framework used to help manage service secrets using the AWS Key Management Service (KMS).

Usage

  • Encrypting Variables

    We pack multiple secrets into one KMS-encrypted string (i.e., SECRETS), which simplifies consuming the secrets in the Lambda function since all secrets can be decrypted with a single KMS.Decrypt call. To encrypt multiple secrets into one single string, use the following notation:

    # make sure to `cd` into `app-backend` folder
    
    sls encrypt -n SECRETS:VARIABLE-NAME-HERE -v [insert-value-here]
    

    You can pass -k [insert-key-here] but that is optional as the key will be read from the secrets file.

  • Updating Variable data

    To update an already stored variable, run the above command with same variable name and new value.

  • Using variables

    A function is made available for you to decrypt the keys and use them in a Lambda function. Here's how to use it:

    1. Import getEnvironmentVariables from app-backend/src/utils.ts
    2. Store the decrypted data in a variable, const ENV_VARIABLES = await getEnvironmentVariables();

    Now you can use ENV_VARIABLES.VARIABLE-NAME-HERE to access the data stored in it.

List of the environment variables stored currently (for reference)

  • POSTGRES_DB_NAME
  • POSTGRES_DB_USERNAME
  • POSTGRES_DB_PASSWORD
  • POSTGRES_DB_CONN_STR
  • COGNITO_USERPOOL_ID
  • CORS_ORIGIN