06/14/2022 18:37 | Category: aws

Tags: developer_associate, certification, kms

aws kms api calls

KMS API calls are made from within services such as EC2 to integrate KMS with a running workload.

Examples include setting up encryption and decryption, actually encrypting and decrypting data (files), and re-encrypting data that was previously decrypted.

These calls are made with the AWS CLI or an AWS SDK, and KMS supports rotating keys automatically once a year.

Exam tips (API calls)

  • aws kms encrypt - encrypts plaintext into ciphertext using a CMK
  • aws kms decrypt - decrypts ciphertext that was encrypted by an AWS KMS CMK
  • aws kms re-encrypt - decrypts ciphertext and then re-encrypts it entirely within AWS KMS (for example when you change a CMK or manually rotate the CMK)
  • aws kms enable-key-rotation - enables automatic key rotation every 365 days
  • aws kms generate-data-key - uses the CMK to generate a data key to encrypt data >4KB
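The last bullet is the envelope-encryption pattern: `aws kms encrypt` only accepts up to 4 KB of plaintext, so larger data is encrypted locally with a data key and only the wrapped data key goes through KMS. The script below is an added example, not from the original notes: `FakeKms` is an assumed stand-in for `boto3.client('kms')` that mirrors the method names and response keys of `generate_data_key`, `decrypt` and `re_encrypt` without any network, and `_xor_stream` is a hash-based stand-in for AES-GCM so it runs with the standard library only. It shows generate-data-key, local encryption, decrypt of the wrapped key (KMS reads the CMK id from the blob itself), and re-encrypt to move the wrapped key to a new CMK during manual rotation without touching the bulk ciphertext.

```python
import hashlib, secrets

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Hash-based CTR keystream: a stand-in for AES-GCM so the example needs only the stdlib."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class FakeKms:
    """Assumed stand-in for boto3.client('kms'): same call and response shapes, no network.
    Every blob starts with the CMK id, which is how KMS knows which CMK to use on decrypt."""
    def __init__(self):
        self._cmks = {}                       # key id -> CMK key material (never leaves 'KMS')
    def create_key(self):
        key_id = f"cmk-{len(self._cmks) + 1}"
        self._cmks[key_id] = secrets.token_bytes(32)
        return {"KeyMetadata": {"KeyId": key_id}}
    def _wrap(self, key_id, plaintext):
        nonce = secrets.token_bytes(16)
        return key_id.encode() + b"|" + nonce + _xor_stream(self._cmks[key_id], nonce, plaintext)
    def _unwrap(self, blob):
        key_id, rest = blob.split(b"|", 1)
        return key_id.decode(), _xor_stream(self._cmks[key_id.decode()], rest[:16], rest[16:])
    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        dk = secrets.token_bytes(32 if KeySpec == "AES_256" else 16)
        return {"KeyId": KeyId, "Plaintext": dk, "CiphertextBlob": self._wrap(KeyId, dk)}
    def decrypt(self, CiphertextBlob):
        key_id, pt = self._unwrap(CiphertextBlob)
        return {"KeyId": key_id, "Plaintext": pt}
    def re_encrypt(self, CiphertextBlob, DestinationKeyId):
        src, pt = self._unwrap(CiphertextBlob)          # plaintext stays inside 'KMS' throughout
        return {"SourceKeyId": src, "KeyId": DestinationKeyId, "CiphertextBlob": self._wrap(DestinationKeyId, pt)}

def envelope_encrypt(kms, key_id, data):
    """generate-data-key, encrypt locally, then keep only the *encrypted* data key beside the data."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    nonce = secrets.token_bytes(16)
    return {"edk": dk["CiphertextBlob"], "nonce": nonce, "ct": _xor_stream(dk["Plaintext"], nonce, data)}

def envelope_decrypt(kms, env):
    """kms decrypt on the wrapped data key (KMS picks the CMK from the blob), then decrypt locally."""
    dk = kms.decrypt(CiphertextBlob=env["edk"])["Plaintext"]
    return _xor_stream(dk, env["nonce"], env["ct"])

def rotate_to_new_cmk(kms, env, new_key_id):
    """Manual CMK rotation: re-encrypt only the wrapped data key; the bulk ciphertext is untouched."""
    out = kms.re_encrypt(CiphertextBlob=env["edk"], DestinationKeyId=new_key_id)
    return {**env, "edk": out["CiphertextBlob"]}
```

With automatic rotation (`enable-key-rotation`) KMS keeps the old backing key material, so existing ciphertexts stay decryptable and no re-encrypt is needed; `rotate_to_new_cmk` models the manual case where a different CMK takes over.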