DEKs (Data encryption keys, AWS)
1) DEKs stands for Data Encryption Keys in AWS.
2) KMS (Key Management Service) never stores DEKs.
3) Used for data larger than 4 KB, the maximum KMS will encrypt directly under a CMK.
4) KMS is a regional service.
How are DEKs generated and used?
KMS returns two versions of each DEK:
a) Plaintext key: used to encrypt the data, then discarded immediately once the data is encrypted.
b) Ciphertext key: the plaintext key (a) encrypted under the CMK; kept and used later when the data needs to be decrypted.
Summary:
Encryption process: KMS generates a DEK and returns it in two forms, a plaintext key and an encrypted (ciphertext) key. The plaintext key encrypts the data and is discarded as soon as encryption is done. When the data later needs decrypting, the plaintext key is needed again, so the encrypted key is passed to KMS, which decrypts it under the CMK and returns the plaintext key; with that key in hand the data is decrypted locally, without sending it to KMS.
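The envelope flow above, modelled offline as an added example (not AWS or boto3 code). The ToyKms class stands in for KMS holding a regional CMK; the cipher is an HMAC-SHA256 counter-mode stand-in for the AES-256-GCM that real KMS uses, chosen only so the flow runs with the standard library.

```python
import hmac, hashlib, os

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (HMAC-SHA256 in counter mode). Stand-in for
    AES-256-GCM, constructed so the example needs no third-party library."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class ToyKms:
    """Models the KMS side: the CMK never leaves, and no DEK is ever stored."""
    def __init__(self):
        self._cmk = os.urandom(32)  # constructed: stands in for a regional CMK

    def generate_data_key(self):
        # Like GenerateDataKey: returns plaintext DEK + DEK wrapped under the CMK
        plaintext_dek = os.urandom(32)
        nonce = os.urandom(16)
        wrapped = nonce + _keystream_xor(self._cmk, nonce, plaintext_dek)
        return plaintext_dek, wrapped  # KMS hands both back and keeps neither

    def decrypt(self, wrapped: bytes) -> bytes:
        # Like Decrypt on the wrapped DEK: only a holder of the CMK can unwrap it
        nonce, body = wrapped[:16], wrapped[16:]
        return _keystream_xor(self._cmk, nonce, body)

def encrypt_object(kms: ToyKms, data: bytes) -> dict:
    dek, wrapped_dek = kms.generate_data_key()
    nonce = os.urandom(16)
    ct = _keystream_xor(dek, nonce, data)
    tag = hmac.new(dek, nonce + ct, hashlib.sha256).digest()  # integrity tag
    del dek  # plaintext DEK discarded; only the wrapped copy travels with the data
    return {"wrapped_dek": wrapped_dek, "nonce": nonce, "ct": ct, "tag": tag}

def decrypt_object(kms: ToyKms, obj: dict) -> bytes:
    dek = kms.decrypt(obj["wrapped_dek"])  # one KMS call to recover the DEK
    expected = hmac.new(dek, obj["nonce"] + obj["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, obj["tag"]):
        raise ValueError("integrity check failed: wrong CMK or tampered object")
    return _keystream_xor(dek, obj["nonce"], obj["ct"])

def roundtrip_ok(data: bytes) -> bool:
    kms = ToyKms()
    return decrypt_object(kms, encrypt_object(kms, data)) == data
```

Because the CMK is regional, a ToyKms built in a "different region" holds a different CMK and cannot unwrap the DEK, so decryption fails the integrity check.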
S3 uses
CMKs are isolated at the region level and never leave their region. Neither CMKs nor aliases are global: the same alias name can exist in different regions, but in each region it can point to a different key.
There are two types of CMK:
a) AWS managed: less flexible; key rotation is compulsory.
b) Customer managed: more flexible, with more policy control; rotation is optional.
A CMK has a key policy, which is a resource policy.