Implementing Envelope Encryption with AWS KMS
Overview
Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting large volumes of data locally while keeping the master key secure in a hardware security module (HSM) managed by AWS. This guide covers implementing envelope encryption using AWS KMS GenerateDataKey API.
Objectives
- Understand the envelope encryption pattern and its advantages
- Generate data encryption keys using AWS KMS GenerateDataKey
- Encrypt/decrypt data locally using DEKs
- Store encrypted DEK alongside ciphertext
- Implement key caching to reduce KMS API calls
- Handle key rotation with automatic re-encryption
- Implement multi-region encryption for disaster recovery
Key Concepts
Envelope Encryption Flow
- Call
kms:GenerateDataKeyto get plaintext DEK + encrypted DEK - Use plaintext DEK to encrypt data locally (AES-256-GCM)
- Store encrypted DEK alongside ciphertext
- Discard plaintext DEK from memory
- For decryption: call
kms:Decrypton encrypted DEK, then decrypt data
Advantages Over Direct KMS Encryption
| Aspect | Direct KMS | Envelope Encryption |
|---|---|---|
| Max data size | 4 KB | Unlimited |
| Latency | Network round-trip per operation | Local encryption |
| Cost | $0.03/10,000 requests | Fewer KMS requests |
| Offline | Not possible | Yes (with cached DEKs) |
KMS Key Types
- AWS Managed: AWS creates and manages (
aws/s3,aws/ebs) - Customer Managed: You create and manage policies
- Custom Key Store: Backed by CloudHSM cluster
Security Considerations
- Never store plaintext DEK; only keep encrypted DEK
- Use key policies to restrict who can call GenerateDataKey and Decrypt
- Enable AWS CloudTrail logging for all KMS API calls
- Implement key rotation (automatic annual rotation for CMKs)
- Use encryption context for authenticated encryption metadata
- Handle KMS throttling with exponential backoff
Validation Criteria
- [ ] GenerateDataKey returns plaintext and encrypted DEK
- [ ] Data encrypts correctly with plaintext DEK using AES-256-GCM
- [ ] Encrypted DEK can be decrypted via KMS Decrypt API
- [ ] Decrypted DEK recovers the original data
- [ ] Plaintext DEK is wiped from memory after use
- [ ] Encryption context is validated during decryption
- [ ] Key rotation re-encrypts DEKs with new master key
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC6.7 (Restriction on Transmission), CC6.1 (Logical Access)
- ISO 27001: A.10.1 (Cryptographic Controls)
- NIST 800-53: SC-12 (Cryptographic Key Management), SC-13 (Cryptographic Protection), SC-8 (Transmission Confidentiality)
- NIST CSF: PR.DS (Data Security)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add implementing-envelope-encryption-with-aws-kms
# Or load dynamically via MCP
grc.load_skill("implementing-envelope-encryption-with-aws-kms")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.