|
I’m excited to announce the provision of AWS Key Management Service (AWS KMS) External Key Store. Customers who’ve a regulatory must retailer and use their encryption keys on premises or exterior of the AWS Cloud can now achieve this. This new functionality lets you retailer AWS KMS buyer managed keys on a {hardware} safety module (HSM) that you just function on premises or at any location of your alternative.
At a excessive degree, AWS KMS forwards API calls to securely talk together with your HSM. Your key materials by no means leaves your HSM. This answer lets you encrypt knowledge with exterior keys for the overwhelming majority of AWS companies that assist AWS KMS buyer managed keys, akin to Amazon EBS, AWS Lambda, Amazon S3, Amazon DynamoDB, and over 100 extra companies. There isn’t any change required to your current AWS companies’ configuration parameters or code.
This helps you unblock use circumstances for a small portion of regulated workloads the place encryption keys must be saved and used exterior of an AWS knowledge heart. But this can be a main change in the best way you use cloud-based infrastructure and a big shift within the shared duty mannequin. We count on solely a small proportion of our prospects to allow this functionality. The further operational burden and higher dangers to availability, efficiency, and low latency operations on protected knowledge will exceed—for many circumstances—the perceived safety advantages from AWS KMS External Key Store.
Let me dive into the small print.
A Brief Recap on Key Management and Encryption
When an AWS service is configured to encrypt knowledge at relaxation, the service requests a singular encryption key from AWS KMS. We name this the info encryption key. To defend knowledge encryption keys, the service additionally requests that AWS KMS encrypts that key with a selected KMS buyer managed key, also referred to as a root key. Once encrypted, knowledge keys may be safely saved alongside the info they defend. This sample is known as envelope encryption. Imagine an envelope that accommodates each the encrypted knowledge and the encrypted key that was used to encrypt these knowledge.
But how will we defend the basis key? Protecting the basis key’s important because it permits the decryption of all knowledge keys it encrypted.
The root key materials is securely generated and saved in a {hardware} safety module, a chunk of {hardware} designed to retailer secrets and techniques. It is tamper-resistant and designed in order that the important thing materials by no means leaves the secured {hardware} in plain textual content. AWS KMS makes use of HSMs which might be licensed below the NIST 140-2 Cryptographic Module certification program.
You can select to create root keys tied to knowledge classification, or create distinctive root keys to guard totally different AWS companies, or by venture tag, or related to every knowledge proprietor, and every root key’s distinctive to every AWS Region.
AWS KMS calls the basis keys buyer managed keys if you create and handle the keys your self. They are referred to as AWS managed keys when they’re created on behalf of an AWS service that encrypts knowledge, akin to Amazon Elastic Block Store (Amazon EBS), Amazon Simple Storage Service (Amazon S3), Amazon Relational Database Service (RDS), or Amazon DynamoDB. For simplicity, let’s name them KMS keys. These are the basis keys, those that by no means depart the secured HSM surroundings. All KMS encryption and decryption operations occur within the secured surroundings of the HSM.
The XKS Proxy Solution
When configuring AWS KMS External Key Store (XKS), you might be changing the KMS key hierarchy with a brand new, exterior root of belief. The root keys are actually all generated and saved inside an HSM you present and function. When AWS KMS must encrypt or decrypt an information key, it forwards the request to your vendor-specific HSM.
All AWS KMS interactions with the exterior HSM are mediated by an exterior key retailer proxy (XKS proxy), a proxy that you just present, and also you handle. The proxy interprets generic AWS KMS requests right into a format that the vendor-specific HSMs can perceive.
The HSMs that XKS communicates with usually are not situated in AWS knowledge facilities.
To present prospects with a broad vary of exterior key supervisor choices, AWS KMS developed the XKS specification with suggestions from a number of HSM, key administration, and integration service suppliers, together with Atos, Entrust, Fortanix, HashiCorp, Salesforce, Thales, and T-Systems. For details about availability, pricing, and use XKS with options from these distributors, seek the advice of the seller instantly.
In addition, we’ll present a reference implementation of an XKS proxy that can be utilized with SoftHSM or any HSM that helps a PKCS #11 interface. This reference implementation XKS proxy may be run as a container, is in-built Rust, and might be out there by way of GitHub within the coming weeks.
Once you’ve gotten accomplished the setup of your XKS proxy and HSM, you may create a corresponding exterior key retailer useful resource in KMS. You create keys in your HSM and map these keys to the exterior key retailer useful resource in KMS. Then you need to use these keys with AWS companies that assist buyer keys or your individual purposes to encrypt your knowledge.
Each request from AWS KMS to the XKS proxy consists of meta-data such because the AWS principal that referred to as the KMS API and the KMS key ARN. This lets you create an extra layer of authorization controls on the XKS proxy degree, past these already offered by IAM insurance policies in your AWS accounts.
The XKS proxy is successfully a kill swap you management. When you flip off the XKS proxy, all new encrypt and decrypt operations utilizing XKS keys will stop to perform. AWS companies which have already provisioned an information key into reminiscence for one among your sources will proceed to work till both you deactivate the useful resource or the service key cache expires. For instance, Amazon S3 caches knowledge keys for a couple of minutes when bucket keys are enabled.
The Shift in Shared Responsibility
Under customary cloud working procedures, AWS is answerable for sustaining the cloud infrastructure in operational situation. This consists of, however just isn’t restricted to, patching the programs, monitoring the community, designing programs for prime availability, and extra.
When you choose to make use of XKS, there’s a basic shift within the shared duty mannequin. Under this mannequin, you might be answerable for sustaining the XKS proxy and your HSM in operational situation. Not solely have they got to be secured and extremely out there, but in addition sized to maintain the anticipated variety of AWS KMS requests. This applies to all parts concerned: the bodily amenities, the facility provides, the cooling system, the community, the server, the working system, and extra.
Depending in your workload, AWS KMS operations could also be important to working companies that require encryption on your knowledge at relaxation within the cloud. Typical companies counting on AWS KMS for regular operation embrace Amazon Elastic Block Store (Amazon EBS), Lambda, Amazon S3, Amazon RDS, DynamoDB, and extra. In different phrases, it implies that when the a part of the infrastructure below your duty just isn’t out there or has excessive latencies (sometimes over 250 ms), AWS KMS will be unable to function, cascading the failure to requests that you just make to different AWS companies. You will be unable to start out an EC2 occasion, invoke a Lambda perform, retailer or retrieve objects from S3, hook up with your RDS or DynamoDB databases, or another service that depends on AWS KMS XKS keys saved within the infrastructure you handle.
As one of many product managers concerned in XKS advised me whereas getting ready this weblog put up, “you are running your own tunnel to oxygen through a very fragile path.”
We advocate solely utilizing this functionality if in case you have a regulatory or compliance want that requires you to keep up your encryption keys exterior of an AWS knowledge heart. Only allow XKS for the basis keys that assist your most important workloads. Not all of your knowledge classification classes would require exterior storage of root keys. Keep the info set protected by XKS to the minimal to satisfy your regulatory necessities, and proceed to make use of AWS KMS buyer managed keys—absolutely below your management—for the remainder.
Some prospects for which exterior key storage just isn’t a compliance requirement have additionally requested for this characteristic up to now, however all of them ended up accepting one of many current AWS KMS choices for cloud-based key storage and utilization as soon as they realized that the perceived safety advantages of an XKS-like answer didn’t outweigh the operational price.
What Changes and What Stays the Same?
I attempted to summarize the adjustments for you.
| What is equivalent to plain AWS KMS keys |
What is altering |
|
The supported AWS KMS APIs and key identifiers (ARN) are equivalent. AWS companies that assist buyer managed keys will work with XKS. The solution to defend entry and monitor entry from the AWS aspect is unchanged. XKS makes use of the identical IAM insurance policies and the identical key insurance policies. API calls are logged in AWS CloudPath, and AWS CloudWatch has the utilization metrics. The pricing is identical as different AWS KMS keys and API operations. |
XKS doesn’t assist uneven or HMAC keys managed within the HSM you present. You now personal the issues of availability, sturdiness, efficiency, and latency boundaries of your encryption key operations. You can implement one other layer of authorization, auditing, and monitoring at XKS proxy degree. XKS resides in your community. While the KMS value stays the identical, your bills are more likely to go up considerably to acquire an HSM and keep your aspect of the XKS-related infrastructure in operational situation. |
An Open Specification
For these strictly regulated workloads, we’re growing XKS as an open interoperability specification. Not solely have we collaborated with the key distributors I discussed already, however we additionally opened a GitHub repository with the next supplies:
- The XKS proxy API specification. This describes the format of the generic requests KMS sends to an XKS proxy and the responses it expects. Any HSM vendor can use the specification to create an XKS proxy for his or her HSM.
- A reference implementation of an XKS proxy that implements the specification. This code may be tailored by HSM distributors to create a proxy for his or her HSM.
- An XKS proxy check shopper that can be utilized to examine if an XKS proxy complies with the necessities of the XKS proxy API specification.
Other distributors, akin to SalesForce, introduced their very own XKS answer permitting their prospects to decide on their very own key administration answer and plug it into their answer of alternative, together with Gross salesForce.
Pricing and Availability
External Key Store is offered at no further price on high of AWS KMS. AWS KMS prices $1 per root key monthly, regardless of the place the important thing materials is saved, on KMS, on CloudHSM, or by yourself on-premises HSM.
For a full record of Regions the place AWS KMS XKS is at the moment out there, go to our technical documentation.
If you assume XKS will assist you to to satisfy your regulatory necessities, take a look at the technical documentation and the XKS FAQ.