
HMAC in the Cloud


A MAC (Message Authentication Code) is used to sign a message with a shared key. This differs from public key signing, which uses a private key to sign and a public key to verify. In the following figure, Bob has a message and creates an HMAC-SHA-256 message authentication code using a shared secret symmetric key. When Alice receives the message, she also generates an HMAC-SHA-256 message authentication code over it using the same key. If her code matches the one Bob sent, she knows that the message has not been changed and that Bob (or someone else holding the shared key) sent it:

KMS (Key Management Store)

In the AWS cloud, we use the KMS (Key Management Store) to create our keys (Figure 1), which can then be used to encrypt/decrypt data, sign/verify signatures, export data keys, and generate/verify MACs (Message Authentication Codes).

Figure 1: AWS KMS
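The two passages above (Bob generating an HMAC-SHA-256 code, Alice recomputing and comparing it; and a key service such as KMS generating and verifying MACs on the caller's behalf) can be shown in one runnable example. This is an added example, not code from the original article and not the boto3/KMS API: `MacKeyService`, its method names and the key aliases are constructed stand-ins that imitate the shape of a key service, where callers name a key by id and the key bytes never leave the service. It also checks the HMAC-SHA-256 construction against the first published test vector from RFC 4231.

```python
import hashlib
import hmac
import secrets


class MacKeyService:
    """Hypothetical in-process stand-in for a cloud key service.

    Callers refer to keys by id and ask the service to generate or
    verify a MAC; the key material itself is never returned to them.
    """

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def create_key(self, key_id: str) -> str:
        # 32 random bytes: the natural key size for HMAC-SHA-256.
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def import_key(self, key_id: str, key_material: bytes) -> str:
        # Load known key bytes (used below only for the RFC test vector).
        self._keys[key_id] = key_material
        return key_id

    def generate_mac(self, key_id: str, message: bytes) -> bytes:
        # HMAC-SHA-256 over the message with the named key.
        return hmac.new(self._keys[key_id], message, hashlib.sha256).digest()

    def verify_mac(self, key_id: str, message: bytes, mac: bytes) -> bool:
        expected = self.generate_mac(key_id, message)
        # Constant-time comparison: a plain == would leak, via timing,
        # how many leading bytes of a forged MAC were already correct.
        return hmac.compare_digest(expected, mac)


def hmac_sha256_hex(key: bytes, message: bytes) -> str:
    """Direct HMAC-SHA-256, returned as hex, for checking a known vector."""
    svc = MacKeyService()
    svc.import_key("vector-key", key)
    return svc.generate_mac("vector-key", message).hex()


def bob_sends(svc: MacKeyService, key_id: str, message: bytes) -> tuple[bytes, bytes]:
    """Bob attaches a MAC; he only ever sees the MAC, never the key bytes."""
    return message, svc.generate_mac(key_id, message)


def alice_receives(svc: MacKeyService, key_id: str, message: bytes, mac: bytes) -> bool:
    """Alice asks the service to recompute and compare the MAC."""
    return svc.verify_mac(key_id, message, mac)


def demo() -> tuple[bool, bool, bool]:
    """Returns (genuine accepted, tampered rejected?, wrong key rejected?)."""
    svc = MacKeyService()
    key_id = svc.create_key("alias/bob-alice-hmac")  # constructed alias

    message, mac = bob_sends(svc, key_id, b"Transfer 100 GBP to Alice")  # constructed message
    genuine = alice_receives(svc, key_id, message, mac)

    # An attacker on the path alters the amount but cannot recompute the MAC.
    tampered = alice_receives(svc, key_id, b"Transfer 900 GBP to Alice", mac)

    # A MAC made under a different key does not verify either.
    other = svc.create_key("alias/someone-else")
    wrong_key = alice_receives(svc, other, message, mac)

    return genuine, tampered, wrong_key


if __name__ == "__main__":
    # RFC 4231 test case 1: key = 20 bytes of 0x0b, data = "Hi There".
    print("RFC 4231 #1:", hmac_sha256_hex(b"\x0b" * 20, b"Hi There"))
    print("genuine, tampered, wrong key:", demo())
```

The usage to note is that `verify_mac` recomputes the MAC and compares with `hmac.compare_digest` rather than having the caller compare bytes; that keeps the key and the comparison inside the service, which is the property a managed key store gives you over holding the shared secret in application code.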

Overall, there are three kinds of key: AWS managed keys (such as those used by the Lambda service), customer managed keys (created and managed by the customer), and custom key stores (key stores where the customer has complete…


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
