Understanding Custom Key Stores in AWS KMS
Jan 25, 2024
Introduction
AWS KMS is a robust platform for creating and managing encryption keys used in AWS services and applications. While AWS KMS offers a default key store, certain scenarios demand more specialized solutions, like a custom key store. A custom key store in AWS KMS allows users to manage their cryptographic operations using an external key manager, providing greater control over the key material and cryptographic operations.
Types of Custom Key Stores
AWS KMS supports two types of custom key stores:
1. AWS CloudHSM Key Store:
- A CloudHSM Key Store is backed by an AWS CloudHSM cluster.
- When we create a key in this store, a 256-bit AES symmetric key is generated within the AWS CloudHSM cluster, ensuring the key material never leaves the cluster unencrypted.
- Cryptographic operations using these keys are performed within the HSMs in the cluster, certified at FIPS 140-2 Level 3.
2. External Key Store:
- An external key store allows the use of cryptographic keys that are managed outside of AWS, by an external key management system or service. This could be a hardware security module (HSM) not managed by AWS, a key management service provided by another cloud provider, or any other external key management infrastructure.
- AWS KMS never sees, extracts, or manages the keys held in the external system. The keys stay inside the external key manager's environment and are never imported into or stored in AWS KMS.
- AWS KMS does not perform the cryptographic operations (such as encryption and decryption) itself; it forwards each request to the external key manager, which executes the operation with the keys it holds.
- Provides full control over cryptographic keys, including the ability to refuse or halt operations independently from AWS.
Use Cases and Considerations
When to Use a Custom Key Store
- Regulatory Compliance: If our organization is subject to stringent regulations requiring direct control over key material.
- Enhanced Security Requirements: When additional control and security over cryptographic keys and operations are needed beyond what AWS KMS's default key store offers.
Important Points to Remember for Exams
- AWS KMS default key store uses FIPS 140-2 validated HSMs for key generation and storage.
- Custom key stores allow using an external key manager for cryptographic operations.
- AWS CloudHSM key store uses AWS CloudHSM cluster; keys do not leave the cluster unencrypted.
- External key stores enable full control over keys outside AWS, with operations performed by an external manager.
- Unsupported features in custom key stores include asymmetric KMS keys, asymmetric data key pairs, HMAC KMS keys, keys with imported material, automatic key rotation, and multi-region keys.
- Performance and latency might differ in external key stores due to external processing and distance.
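The following is an added example, not code from the original post or from AWS. It turns the two key-store types described above and the list of unsupported features into a small audit that runs over KMS key metadata: it classifies each key by its Origin and flags configurations the post says a custom key store cannot have (asymmetric or HMAC keys, automatic rotation, multi-region). The field names KeyId, Origin, KeySpec, KeyUsage, MultiRegion, CustomKeyStoreId, CloudHsmClusterId and XksKeyConfiguration are the real names from the DescribeKey API; the `rotation_enabled` field is an assumption of this example (it would be filled from GetKeyRotationStatus, since DescribeKey does not report it), and all sample records and IDs are constructed placeholders.

```python
"""
Audit KMS key metadata for custom key store type and unsupported features.

Added example, not part of the original post. Works offline on the
KeyMetadata structure returned by the KMS DescribeKey API; every record
below is constructed for illustration and is not a real key.
"""

# Origin values returned by DescribeKey. AWS_KMS is the default key store,
# EXTERNAL means imported key material (BYOK) in the default store, and the
# last two are the two custom key store types discussed in the post.
CUSTOM_STORE_ORIGINS = {
    "AWS_CLOUDHSM": "AWS CloudHSM key store",
    "EXTERNAL_KEY_STORE": "External key store",
}


def key_store_type(meta):
    """Return a human-readable key store type for one KeyMetadata record."""
    origin = meta.get("Origin", "AWS_KMS")
    if origin in CUSTOM_STORE_ORIGINS:
        return CUSTOM_STORE_ORIGINS[origin]
    if origin == "EXTERNAL":
        return "Default key store (imported key material)"
    return "Default key store"


def unsupported_feature_findings(meta):
    """
    Return the features this record claims to use that KMS does not support
    for keys in a custom key store. Keys outside a custom key store always
    return []. 'Keys with imported material' needs no check: such keys have
    Origin EXTERNAL and therefore cannot be in a custom key store at all.
    """
    if meta.get("Origin") not in CUSTOM_STORE_ORIGINS:
        return []
    findings = []
    spec = meta.get("KeySpec", "SYMMETRIC_DEFAULT")
    usage = meta.get("KeyUsage", "ENCRYPT_DECRYPT")
    # Anything other than the symmetric default or an HMAC spec is asymmetric.
    if spec != "SYMMETRIC_DEFAULT" and not spec.startswith("HMAC_"):
        findings.append("asymmetric key spec %s" % spec)
    if spec.startswith("HMAC_") or usage == "GENERATE_VERIFY_MAC":
        findings.append("HMAC key")
    # rotation_enabled is an assumed field merged in from GetKeyRotationStatus.
    if meta.get("rotation_enabled"):
        findings.append("automatic key rotation")
    if meta.get("MultiRegion"):
        findings.append("multi-region key")
    return findings


def audit(records):
    """Map each KeyId to its store type and any unsupported-feature findings."""
    return {
        rec["KeyId"]: {
            "store": key_store_type(rec),
            "findings": unsupported_feature_findings(rec),
        }
        for rec in records
    }


# Constructed sample records (placeholder IDs, not real resources).
SAMPLE_KEYS = [
    {"KeyId": "key-default-0001", "Origin": "AWS_KMS",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT"},
    {"KeyId": "key-cloudhsm-0002", "Origin": "AWS_CLOUDHSM",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT",
     "CustomKeyStoreId": "cks-EXAMPLE", "CloudHsmClusterId": "cluster-EXAMPLE"},
    {"KeyId": "key-xks-0003", "Origin": "EXTERNAL_KEY_STORE",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT",
     "CustomKeyStoreId": "cks-EXAMPLE-XKS", "MultiRegion": True,
     "XksKeyConfiguration": {"Id": "example-external-key"}},
    # A planned definition that KMS would reject: asymmetric key in CloudHSM store.
    {"KeyId": "key-planned-0004", "Origin": "AWS_CLOUDHSM",
     "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY",
     "CustomKeyStoreId": "cks-EXAMPLE"},
]

if __name__ == "__main__":
    for key_id, result in audit(SAMPLE_KEYS).items():
        status = ", ".join(result["findings"]) or "ok"
        print("%s: %s [%s]" % (key_id, result["store"], status))
```

Run against real data by feeding it the KeyMetadata dicts from DescribeKey (one per key from ListKeys); the same checks are useful as a pre-flight on planned key definitions, since a request for an asymmetric, HMAC, multi-region, or rotating key in a custom key store will fail at CreateKey time.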
Conclusion
Custom key stores in AWS KMS offer enhanced control and security for organizations with specific regulatory, security, or operational needs. Whether we choose an AWS CloudHSM key store or an external key store, understanding the distinctions, capabilities, and limitations of each is crucial. Remember, this additional control comes with greater responsibility for configuration and maintenance, so weigh the options carefully to ensure the choice aligns with our organizational requirements.
See also
Read about Key Source External and how it is different from custom key store (external) at cloudericks.com/blog/aws-kms-key-source-external-the-byok-solution-for-kms.