KMS Key Material Origin – External

In the course AWS Certified Security Special, lecture Using Your Own Key Pairs – Windows Users Only, at 07:26 the instructor states that with KMS, you import your Key Material Origin, you are not uploading your public key. What exactly are you uploading then? What is your Key Material Origin?

I haven’t seen that lecture, but when you upload your own KMS CMK origin material, you are uploading an AES-256 key that you generated. KMS, at its core, is using symmetric cryptography so there is no PKI public/private pair. To get the key into AWS securely though, AWS will issue you a public key to encrypt the AES-256 key you generated, so that they (who hold that private key) are the only ones who can decrypt the actual AES-256 key protecting its value during transit. The public/private key pair used for that transaction is essentially irrelevant after import into the KMS service.
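The wrap-and-import exchange the answer describes, simulated locally as an added example (not code from the course or from AWS): the customer generates 32 bytes of AES key material, wraps it under a stand-in for the wrapping public key KMS issues using RSA-OAEP with SHA-256 (one of the wrapping algorithms KMS accepts, RSAES_OAEP_SHA_256), and only the matching private key unwraps it. Both RSA pairs are generated in-process here; in a real import the wrapping public key and import token come from KMS.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyMaterial makes the customer's own AES-256 key: 32 random bytes.
// This is the key material being imported; there is nothing asymmetric about it.
func GenerateKeyMaterial() []byte {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand never returns a short read on supported platforms
	return k
}

// WrapKeyMaterial is the customer-side step: RSA-OAEP/SHA-256 (KMS's
// RSAES_OAEP_SHA_256) under the wrapping public key AWS issued for the import.
func WrapKeyMaterial(pub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, nil)
}

// UnwrapKeyMaterial is the service-side step: only the private half recovers the key.
func UnwrapKeyMaterial(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// RoundTrip simulates one import request: did the wrapping-key holder get the key
// back intact, and could a bystander holding some other private key unwrap it?
func RoundTrip() (holderOK, bystanderOK bool, err error) {
	kmsWrapping, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the pair KMS issues
	if err != nil {
		return false, false, err
	}
	bystander, _ := rsa.GenerateKey(rand.Reader, 2048) // sees the blob in transit, lacks the key
	keyMaterial := GenerateKeyMaterial()
	wrapped, err := WrapKeyMaterial(&kmsWrapping.PublicKey, keyMaterial)
	if err != nil {
		return false, false, err
	}
	recovered, err := UnwrapKeyMaterial(kmsWrapping, wrapped)
	_, bystanderErr := UnwrapKeyMaterial(bystander, wrapped)
	return err == nil && bytes.Equal(recovered, keyMaterial), bystanderErr == nil, nil
}
func main() {
	holder, bystander, err := RoundTrip()
	fmt.Println("holder recovered:", holder, "bystander recovered:", bystander, "err:", err)
}
```

Once the material is unwrapped inside the service, the RSA pair has done its job and can be discarded, which is why the answer calls it irrelevant after import.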

