Cloud key management
Amazon XKS (External Key Store)
External key stores enable you to protect your AWS resources by using cryptographic keys outside of AWS. This advanced feature is designed for regulated workloads that you must protect with encryption keys stored in an external key management system that you control. External key stores support the AWS Digital Sovereignty Pledge (https://aws.amazon.com/blogs/security/aws-digital-sovereignty-pledge-control-without-compromise/) to give you sovereign control over your data in AWS, including the ability to encrypt with key material that you own and control outside of AWS. For a detailed review of the XKS components and structure, see XKS architecture.

What is {{ch}}?

{{ch}} is the most flexible and versatile cryptographic platform in the industry, combining every cryptographic function within our extensive solution suite. You can operate {{ch}} within a simple web dashboard to deploy virtual cryptographic modules, fulfilling most use cases. In the Amazon XKS integration, {{ch}} serves as the external key manager, backing the custom key store and providing users with precise control over their keys and the cryptographic operations performed with them.

How external key stores work

An external key store is a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html#custom-key-store-overview) backed by an external key manager that you own and manage outside of AWS. Your external key manager can be:
- physical hardware security modules (HSMs)
- virtual hardware security modules
- any hardware-based or software-based system capable of generating and using cryptographic keys

Encryption and decryption operations that use a KMS key in an external key store are performed by your external key manager using your cryptographic key material, a feature known as hold your own key (HYOK).

Architecture and components

AWS KMS never interacts directly with your external key manager, and cannot create, view, manage, or delete your keys. Instead, AWS KMS interacts only with external key store proxy (XKS proxy) software that you provide (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy). Your external key store proxy mediates all communication between AWS KMS and your external key manager: it transmits all requests from AWS KMS to your external key manager, and it translates generic requests from AWS KMS into a vendor-specific format for your external key manager. For a detailed review of the XKS components and structure, see XKS architecture.

Use cases and service integration

You can use KMS keys in an external key store for:
- client-side encryption, including with the AWS Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/)
- server-side encryption, protecting your AWS resources in multiple AWS services with your cryptographic keys outside of AWS

AWS services that support customer managed keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for symmetric encryption also support KMS keys in an external key store. For service support details, see AWS service integration (https://aws.amazon.com/kms/features/#AWS_Service_Integration).

Control over the root of trust

External key stores let you control the root of trust. Keep the following concerns in mind:
- Only the external key manager that you control can decrypt data encrypted under KMS keys in your external key store.
- If you temporarily revoke access to your external key manager (by disconnecting the external key store or disconnecting your external key manager from the proxy), AWS loses all access to your cryptographic keys until you restore it. During disconnection, nothing can decrypt ciphertext encrypted under your KMS keys.
- If you permanently revoke access to your external key manager, all ciphertext encrypted under a KMS key in your external key store becomes unrecoverable. The only exceptions are AWS services that briefly cache the data keys (https://docs.aws.amazon.com/kms/latest/developerguide/data-keys.html) protected by your KMS keys; these data keys continue to work until you deactivate the resource or the cache expires. For details about how unusable KMS keys affect data keys, see Unusable KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/unusable-kms-keys.html).

Important considerations

External key stores unblock use cases for regulated workloads where encryption keys must remain solely under your control and inaccessible to AWS. However, the following considerations are relevant:
- This represents a major change in the way you operate cloud-based infrastructure.
- It creates a significant shift in the shared responsibility model.
- For most workloads, the additional operational burden and greater risks to availability and performance exceed the perceived security benefits.

Learn more

Learn more about the basic terms and concepts used in external key stores (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#xks-concepts).
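The root-of-trust behaviour described under "Control over the root of trust" (KMS never holds the root key, the proxy is the only path to the key manager, a disconnect makes fresh decrypts fail while briefly cached data keys keep working until they expire, and restoring the link restores access), as an added simulation that is not AWS, {{ch}} or XKS proxy code. The class names, the `connected` flag and the SHAKE256-based toy keystream are assumptions of this model, standing in for the real proxy protocol and the HSM's AES.

```python
import hashlib, os

def _xor_stream(key, nonce, data):
    # Toy SHAKE256 keystream standing in for the HSM's AES; simulation only.
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))

def _seal(key, pt):                  # nonce || XOR(pt, keystream); wraps keys and records
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, pt)

def _open(key, ct):
    return _xor_stream(key, ct[:16], ct[16:])

class ExternalKeyManager:            # holds the root key; only component able to unwrap
    def __init__(self): self._root = os.urandom(32)   # never leaves this class
    def encrypt(self, pt): return _seal(self._root, pt)
    def decrypt(self, ct): return _open(self._root, ct)

class XksProxy:                      # forwards KMS requests; `connected` models the link
    def __init__(self, ekm): self.ekm, self.connected = ekm, True
    def forward(self, op, data):
        if not self.connected:
            raise ConnectionError("external key manager unreachable")
        return getattr(self.ekm, op)(data)

class KmsWithXks:                    # KMS side: data keys wrapped via the proxy, cached briefly
    def __init__(self, proxy): self.proxy, self._cache = proxy, {}
    def generate_data_key(self):
        dk = os.urandom(32)
        wrapped = self.proxy.forward("encrypt", dk)
        self._cache[wrapped] = dk    # short-lived service-side data-key cache
        return dk, wrapped
    def decrypt_data_key(self, wrapped):
        if wrapped in self._cache: return self._cache[wrapped]
        return self.proxy.forward("decrypt", wrapped)   # needs the external key manager
    def expire_cache(self): self._cache.clear()

def demo(record=b"customer record"):
    """Returns (decrypt via cached data key, decrypt while disconnected, decrypt after reconnect)."""
    proxy = XksProxy(ExternalKeyManager())
    kms = KmsWithXks(proxy)
    dk, wrapped = kms.generate_data_key()
    ct = _seal(dk, record)           # envelope-encrypt the record under the data key
    proxy.connected = False          # disconnect the external key store
    cached = _open(kms.decrypt_data_key(wrapped), ct)   # cached data key still works
    kms.expire_cache()
    try:
        offline = _open(kms.decrypt_data_key(wrapped), ct)
    except ConnectionError:
        offline = "unrecoverable while disconnected"
    proxy.connected = True           # restore access to the key manager
    restored = _open(kms.decrypt_data_key(wrapped), ct)
    return cached, offline, restored
```

Running `demo()` shows the three states in order: the cached data key decrypts, the same request fails once the cache has expired and the key manager is unreachable, and it succeeds again after the link is restored.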