AWS BYOK

this integration guide covers integration between the {{k3}} and aws cloud key management about aws key management service (kms) aws key management service (kms) enables you to create, manage, and use cryptographic keys in aws services and your applications it is a secure and resilient service and integrates with aws cloudtrail to provide logs of all key usage to help meet your regulatory and compliance needs refer to the following url for more information about aws kms https //docs aws amazon com/kms/index html customer managed keys customer managed keys are kms keys in your aws account that you create, own, and manage you have full control over these kms keys, including establishing and maintaining their key policies, iam policies, and grants you can perform the following tasks enable and disable them rotate their cryptographic material add tags create aliases that refer to the kms keys schedule the kms keys for deletion customer managed keys appear on the customer managed keys page of the aws management console for aws kms the customer managed keys feature also enables you to import existing symmetric keys into aws kms thus, for this integration, you can create symmetric hsm protected keys on a {{k3}} device and then push those keys to the aws kms from the {{k}} application interface you can use keys pushed to aws kms with the following services inside aws amazon s3 the transparent data encryption functionality in amazon rds and amazon dynamodb amazon route 53 aws lambda aws kms also has its own api that you can use with your applications to access and use keys stored in aws kms for this integration, create and store keys on the {{k3}} , synchronized to aws kms, and then subsequently manage them through the {{k}} application interface key integration benefits the aws kms and {{k3}} integration provides the following benefits key provenance you are the sole owner of your keys, so you can control their location and distribution added assurance keys created on the {{k}} and imported into aws kms never leave the hsm boundary even after they are in aws kms, the keys are stored on hardware security modules on the backend centralized key management you can manage your keys and access policies from a single location and user interface, whether the data they protect resides in the cloud or on your premises audit compliance many audits require you to escrow keys outside of the cloud provider you can do this through this integration integration overview to integrate {{k3}} with aws cloud key management, you must perform the following tasks create communication credentials create a customer managed key in aws kms create and push keys from {{k}} to aws kms the following sections describe how to perform these tasks and how to monitor their progress and audit logs