Cloud key management
Amazon XKS (External Key Store)
7min
External key stores enable you to protect your AWS resources by using cryptographic keys outside of AWS. This advanced feature is designed for regulated workloads that you must protect with encryption keys stored in an external key management system that you control. External key stores support the AWS Digital Sovereignty Pledge (https://aws.amazon.com/blogs/security/aws-digital-sovereignty-pledge-control-without-compromise/) to give you sovereign control over your data in AWS, including the ability to encrypt with key material that you own and control outside of AWS.

How external key stores work

An external key store is a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-overview.html#custom-key-store-overview) backed by an external key manager that you own and manage outside of AWS. Your external key manager can be:

- physical hardware security modules (HSMs)
- virtual hardware security modules
- any hardware-based or software-based system capable of generating and using cryptographic keys

Encryption and decryption operations that use a KMS key in an external key store are performed by your external key manager using your cryptographic key material, a feature known as hold your own key (HYOK).

Architecture and components

AWS KMS never interacts directly with your external key manager, and cannot create, view, manage, or delete your keys. Instead, AWS KMS interacts only with external key store proxy (XKS proxy) software that you provide (https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#concept-xks-proxy). Your external key store proxy mediates all communication between AWS KMS and your external key manager:

- the proxy transmits all requests from AWS KMS to your external key manager
- the proxy translates generic requests from AWS KMS into a vendor-specific format for your external key manager

Use cases and service integration

You can use KMS keys in an external key store for:

- client-side encryption, including with the AWS Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/)
- server-side encryption, protecting your AWS resources in multiple AWS services with your cryptographic keys outside of AWS

AWS services that support customer managed keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) for symmetric encryption also support KMS keys in an external key store. For service support details, see AWS service integration (https://aws.amazon.com/kms/features/#aws-service-integration).

Control over the root of trust

External key stores let you control the root of trust. Keep the following concerns in mind:

- Data encrypted under KMS keys in your external key store can be decrypted only by using the external key manager that you control.
- If you temporarily revoke access to your external key manager (by disconnecting the external key store, or by disconnecting your external key manager from the proxy), AWS loses all access to your cryptographic keys until you restore it. During disconnection, ciphertext encrypted under your KMS keys can't be decrypted.
- If you permanently revoke access to your external key manager, all ciphertext encrypted under a KMS key in your external key store becomes unrecoverable.
- The only exceptions are AWS services that briefly cache the data keys protected by your KMS keys. These data keys continue to work until you deactivate the resource or the cache expires. For details, see "How unusable KMS keys affect data keys".

Important considerations

External key stores unblock use cases for regulated workloads where encryption keys must remain solely under your control and inaccessible to AWS. However, this represents a major change in the way you operate cloud-based infrastructure: it creates a significant shift in the shared responsibility model. For most workloads, the additional operational burden and greater risks to availability and performance will exceed the perceived security benefits.

Learn more

Learn more about the basic terms and concepts used in external key stores: https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html#xks-concepts
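The data path described above (AWS KMS sends generic requests to an XKS proxy that you run, the proxy calls your external key manager, and KMS never holds your key material) and the root-of-trust consequences (a disconnected store blocks fresh decrypts, while a service's cached data keys keep working until the cache expires) can be modelled end to end. The following is an added illustration, not AWS code and not the real XKS proxy API: the class names, the `encrypt`/`decrypt` request shape, the HMAC-based stand-in for AES-GCM, and the logical clock are all assumptions made for the model.

```python
"""Model of the XKS data path KMS -> XKS proxy -> external key manager, plus the effect
of disconnecting the store on fresh decrypts versus cached data keys.
Constructed educational model only; names and request shapes are assumptions."""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in PRF; a real key manager would use AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ExternalKeyManager:
    """Your HSM or software key manager: key material is generated and used only here."""
    def __init__(self):
        self._keys = {}

    def create_key(self, xks_key_id):
        self._keys[xks_key_id] = os.urandom(32)  # never exported

    def vendor_encrypt(self, xks_key_id, data):
        return aead_encrypt(self._keys[xks_key_id], data)

    def vendor_decrypt(self, xks_key_id, blob):
        return aead_decrypt(self._keys[xks_key_id], blob)


class XksDisconnected(Exception):
    pass


class XksProxy:
    """Translates generic KMS requests into vendor calls; KMS never talks to the manager."""
    def __init__(self, ekm):
        self.ekm, self.connected = ekm, True

    def handle(self, op, xks_key_id, data):
        if not self.connected:
            raise XksDisconnected("external key store is disconnected")
        if op == "encrypt":
            return self.ekm.vendor_encrypt(xks_key_id, data)
        if op == "decrypt":
            return self.ekm.vendor_decrypt(xks_key_id, data)
        raise ValueError(f"unsupported op {op}")


class Kms:
    """Holds only the KMS key id -> external key id mapping, never key material."""
    def __init__(self, proxy):
        self.proxy, self._xks_ids = proxy, {}

    def create_key(self, kms_key_id, xks_key_id):
        self._xks_ids[kms_key_id] = xks_key_id

    def generate_data_key(self, kms_key_id):
        plaintext_dk = os.urandom(32)  # data key made by KMS, wrapped by your key manager
        wrapped = self.proxy.handle("encrypt", self._xks_ids[kms_key_id], plaintext_dk)
        return plaintext_dk, wrapped

    def decrypt(self, kms_key_id, wrapped):
        return self.proxy.handle("decrypt", self._xks_ids[kms_key_id], wrapped)


class CachingService:
    """A service that caches unwrapped data keys for a TTL, measured on a logical clock."""
    def __init__(self, kms, kms_key_id, ttl):
        self.kms, self.kms_key_id, self.ttl, self._cache = kms, kms_key_id, ttl, {}

    def store(self, data, now):
        plaintext_dk, wrapped = self.kms.generate_data_key(self.kms_key_id)
        self._cache[wrapped] = (plaintext_dk, now + self.ttl)
        return wrapped, aead_encrypt(plaintext_dk, data)

    def load(self, wrapped, blob, now):
        entry = self._cache.get(wrapped)
        if entry is None or entry[1] <= now:
            # Cache miss or expired: must unwrap through KMS -> proxy -> key manager.
            plaintext_dk = self.kms.decrypt(self.kms_key_id, wrapped)
            self._cache[wrapped] = (plaintext_dk, now + self.ttl)
        else:
            plaintext_dk = entry[0]
        return aead_decrypt(plaintext_dk, blob)


def run_scenario():
    ekm = ExternalKeyManager()
    ekm.create_key("xks-key-1")
    proxy = XksProxy(ekm)
    kms = Kms(proxy)
    kms.create_key("kms-key-1", "xks-key-1")
    svc = CachingService(kms, "kms-key-1", ttl=300)
    wrapped, blob = svc.store(b"regulated record", now=0)
    results = {"connected": svc.load(wrapped, blob, now=10) == b"regulated record"}
    proxy.connected = False  # temporarily revoke AWS access to your keys
    results["disconnected_cached"] = svc.load(wrapped, blob, now=100) == b"regulated record"
    try:
        svc.load(wrapped, blob, now=400)  # cache expired, fresh unwrap needed
        results["disconnected_expired"] = "decrypted"
    except XksDisconnected:
        results["disconnected_expired"] = "unrecoverable"
    proxy.connected = True  # restore access
    results["reconnected"] = svc.load(wrapped, blob, now=401) == b"regulated record"
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The scenario shows the three states the page describes: while connected every unwrap succeeds; after disconnecting, a service that still holds a cached data key keeps decrypting until its TTL lapses, after which the data is unreadable; reconnecting restores access. The model also makes the HYOK boundary visible: `Kms` stores only identifiers, and every operation on key material happens inside `ExternalKeyManager`.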