Title
AWS re:Invent 2022 - [NEW LAUNCH!] Introducing AWS KMS external keys (SEC336)
Summary
- AWS has launched External Key Store (XKS), a new KMS feature that lets customers use encryption keys held in their own key manager, outside AWS, through the regular KMS APIs.
- XKS is part of AWS's broader digital sovereignty strategy, which includes customer control over data, data location, encrypt everywhere strategy, and cloud resiliency.
- The feature is designed for customers who need to store encryption keys outside of AWS due to regulatory or legal requirements.
- XKS builds on the existing custom key store feature (previously limited to AWS CloudHSM-backed stores) by adding a second store type in which KMS forwards cryptographic requests, via a customer-deployed XKS proxy, to an external HSM or key manager.
- XKS keys are symmetric (256-bit AES) only. Because an XKS key looks like any other KMS key to callers, it can be used by the AWS services that integrate with KMS (over 100 of them) without changes on the service side.
- Customers have granular control over which workloads use an external key, and the lifecycle of the external key material (creation, backup, blocking, deletion) is managed by the customer in their key manager, not by KMS.
- KMS applies double encryption to data keys: each data key is encrypted first with key material that stays inside KMS and then again with the external key, so a plaintext data key never leaves AWS or reaches the external key manager, while nothing can be decrypted without the external key. This preserves AWS's security standards while leaving the customer in control of the root of trust.
- The shared responsibility model shifts: customers become responsible for the availability, performance, and durability of their external key manager and XKS proxy, and KMS operations on those keys fail while the key manager is unreachable.
- AWS publishes CloudWatch metrics for XKS so customers can monitor the health, error rate, and latency of the connection to their external key manager.
- The session included a live demo of an S3 object encrypted under an external key, showing that S3 can no longer decrypt the object while the key is blocked in the external key manager and that access returns once the key is unblocked.
- AWS emphasizes that XKS should be scoped down to the workloads with strict regulatory requirements and encourages customers to consider the other KMS key options (AWS-owned, AWS-managed, customer-managed, and CloudHSM-backed keys) first.
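The double-encryption point and the block/unblock demo above are easier to reason about with a runnable model. The script below is an added illustration written for this summary, not AWS code and not the real KMS/XKS proxy protocol: `ExternalKeyManager` and `KmsWithXks` are hypothetical stand-ins for the customer's key manager and for KMS, the key ID `s3-sovereign-key` and the encryption context are constructed, and the AES-GCM used by the real services is replaced by an HMAC-SHA256 counter-mode keystream plus HMAC tag so that it runs on the Python standard library alone. It shows that the external side only ever handles an already-encrypted data key, that decryption fails while the external key is blocked even though KMS still holds its own layer, and that the encryption context is bound into both layers.

```python
"""Model of the KMS External Key Store (XKS) double-encryption flow.
Added illustration, not AWS code. ExternalKeyManager and KmsWithXks stand in for
the customer's key manager (behind an XKS proxy) and for AWS KMS. The real
services use AES-GCM; so the script runs on the standard library alone,
_aead_encrypt/_aead_decrypt use an HMAC-SHA256 CTR keystream plus an HMAC tag.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32

def _keystream(key, nonce, length):
    out = bytearray()
    for block in range((length + 31) // 32):
        out += hmac.new(key, b"enc" + nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def _tag(key, nonce, aad, ct):
    return hmac.new(key, b"mac" + nonce + aad + ct, hashlib.sha256).digest()

def _aead_encrypt(key, plaintext, aad):
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce, aad, ct)

def _aead_decrypt(key, blob, aad):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, nonce, aad, ct)):
        raise ValueError("ciphertext or encryption context does not verify")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class ExternalKeyManager:
    """Customer-operated HSM or key manager reached through the XKS proxy (model)."""
    def __init__(self):
        self._keys = {}       # xks_key_id -> [key material, enabled]
        self.received = []    # every payload this side has ever seen
    def create_key(self, xks_key_id):
        self._keys[xks_key_id] = [os.urandom(32), True]
    def set_enabled(self, xks_key_id, enabled):
        # Blocking/unblocking happens here, entirely outside AWS's control.
        self._keys[xks_key_id][1] = enabled
    def _material(self, xks_key_id):
        material, enabled = self._keys[xks_key_id]
        if not enabled:
            raise PermissionError(f"external key {xks_key_id} is blocked")
        return material
    def encrypt(self, xks_key_id, payload, aad):
        self.received.append(payload)
        return _aead_encrypt(self._material(xks_key_id), payload, aad)
    def decrypt(self, xks_key_id, payload, aad):
        self.received.append(payload)
        return _aead_decrypt(self._material(xks_key_id), payload, aad)

class KmsWithXks:
    """KMS side of an XKS-backed key (model): layer 1 uses key material that
    stays in KMS, layer 2 is performed by the external key manager."""
    def __init__(self, ekm, xks_key_id):
        self._ekm, self._xks_key_id = ekm, xks_key_id
        self._kms_material = os.urandom(32)   # never leaves KMS
    @staticmethod
    def _aad(encryption_context):
        # Bind the encryption context (e.g. the S3 bucket ARN) into both layers.
        return "&".join(f"{k}={v}" for k, v in sorted(encryption_context.items())).encode()
    def generate_data_key(self, encryption_context):
        aad = self._aad(encryption_context)
        data_key = os.urandom(32)
        inner = _aead_encrypt(self._kms_material, data_key, aad)   # layer 1, inside KMS
        outer = self._ekm.encrypt(self._xks_key_id, inner, aad)    # layer 2, external key
        return data_key, outer
    def decrypt_data_key(self, blob, encryption_context):
        aad = self._aad(encryption_context)
        inner = self._ekm.decrypt(self._xks_key_id, blob, aad)     # peel layer 2 first
        return _aead_decrypt(self._kms_material, inner, aad)       # then layer 1

def demo():
    """Replays the session's S3 demo: key in use, key blocked, key unblocked."""
    ekm = ExternalKeyManager()
    ekm.create_key("s3-sovereign-key")   # hypothetical external key ID
    kms = KmsWithXks(ekm, "s3-sovereign-key")
    ctx = {"aws:s3:arn": "arn:aws:s3:::example-bucket"}   # constructed context
    data_key, wrapped = kms.generate_data_key(ctx)
    results = {"plaintext_never_left_kms": all(data_key not in p for p in ekm.received)}
    ekm.set_enabled("s3-sovereign-key", False)   # customer blocks the key
    try:
        kms.decrypt_data_key(wrapped, ctx)
        results["decrypt_while_blocked"] = "allowed"
    except PermissionError:
        results["decrypt_while_blocked"] = "blocked"
    ekm.set_enabled("s3-sovereign-key", True)    # customer unblocks it
    results["decrypt_after_unblock"] = kms.decrypt_data_key(wrapped, ctx) == data_key
    try:   # a different encryption context must fail at the external layer
        kms.decrypt_data_key(wrapped, {"aws:s3:arn": "arn:aws:s3:::other-bucket"})
        results["wrong_context_rejected"] = False
    except ValueError:
        results["wrong_context_rejected"] = True
    return results
```

Running `demo()` returns all four checks passing. The ordering in `decrypt_data_key` is the security-relevant part: the external layer is removed first, so a blocked or unreachable external key stops decryption before KMS's own material is ever used, which is exactly what the S3 demo showed. In the real service the external layer goes over the network to the XKS proxy, and the `received` list stands in for everything an attacker on that path, or the key manager operator, could observe.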
Insights
- XKS is a response to market forces and customer demand for greater control over encryption keys, particularly in regions with strict data sovereignty laws.
- The feature leverages AWS's experience with CloudHSM and custom key stores, indicating AWS's iterative approach to feature development.
- AWS's double encryption approach for XKS keys balances customer control with AWS's security standards: the only material that crosses the network to the external key manager is a data key already encrypted under KMS-held key material, so exposure of that traffic does not expose plaintext keys or data.
- The shift in the shared responsibility model means customers using XKS will need to invest in infrastructure and expertise to manage their external key managers effectively.
- AWS's decision to exclude XKS keys from the KMS SLA underlines that availability and performance of the external key manager and XKS proxy are the customer's responsibility.
- The session's emphasis on scoping XKS usage to specific regulatory needs suggests that AWS is cautious about customers overextending the use of this feature, potentially at the expense of performance and availability.
- The live demo provided a practical illustration of how XKS works and the potential impact on AWS services when an external key is unavailable, reinforcing the importance of robust key management practices.
- AWS's ongoing engagement with key manager vendors and partners indicates a collaborative approach to supporting customers in implementing XKS.