Data protection in Amazon Key Management Service
Amazon Key Management Service stores and protects your encryption keys to make them highly available while providing you with strong and flexible access control.
Protecting key material
By default, Amazon KMS generates and protects the cryptographic key material for KMS keys. In addition, Amazon KMS offers options for key material that is created and protected outside of Amazon KMS. For technical details about KMS keys and key material, see Amazon Key Management Service Cryptographic Details.
Protecting key material generated in Amazon KMS
When you create a KMS key, by default, Amazon KMS generates and protects the cryptographic material for the KMS key.
To safeguard key material for KMS keys, Amazon KMS relies on a distributed fleet of FIPS 140-2 Security Level 3–validated hardware security modules (HSMs).
The key material for a KMS key is encrypted by default when it is generated in the HSM. The key material is decrypted only within HSM volatile memory and only for the few milliseconds that it takes to use it in a cryptographic operation. Whenever the key material is not in active use, it is encrypted within the HSM and transferred to highly durable (99.999999999%), low-latency persistent storage where it remains separate and isolated from the HSMs. Plaintext key material never leaves the HSM security boundary; it is never written to disk or persisted in any storage medium. (The only exception is the public key of an asymmetric key pair, which is not secret.)
Amazon asserts as a fundamental security principle that there is no human interaction with plaintext cryptographic key material of any type in any Amazon Web Service. There is no mechanism for anyone, including Amazon Web Service operators, to view, access, or export plaintext key material. This principle applies even during catastrophic failures and disaster recovery events. Plaintext customer key material in Amazon KMS is used for cryptographic operations within Amazon KMS FIPS validated HSMs only in response to authorized requests made to the service by the customer or their delegate.
For customer managed keys, the Amazon Web Services account that creates the key is the sole and non-transferable owner of the key. The owning account has complete and exclusive control over the authorization policies that control access to the key. For Amazon managed keys, the Amazon Web Services account has complete control over the IAM policies that authorize requests to the Amazon Web Service.
Protecting key material generated outside of Amazon KMS
Amazon KMS provides alternatives to key material generated in Amazon KMS.
Custom key stores, an optional Amazon KMS feature, let you create KMS keys backed by key material that is generated and used outside of Amazon KMS. KMS keys in Amazon CloudHSM key stores are backed by keys in Amazon CloudHSM hardware security modules that you control. These HSMs are certified at FIPS 140-2 Security Level 3.
Another optional feature lets you import the key material for a KMS key. To protect imported key material while it is in transit to Amazon KMS, you encrypt the key material using a public key from an RSA key pair generated in an Amazon KMS HSM. The imported key material is decrypted in an Amazon KMS HSM and re-encrypted under a symmetric key in the HSM. Like all Amazon KMS key material, plaintext imported key material never leaves the HSMs unencrypted. However, the customer who provided the key material is responsible for secure use, durability, and maintenance of the key material outside of Amazon KMS.
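To make the import step concrete, here is an added example of the client-side wrapping the paragraph above describes. It is written for this page in Go using only the standard library; it is not Amazon's code and not taken from the Amazon SDKs. It assumes the RSAES_OAEP_SHA_256 wrapping algorithm and a 256-bit symmetric key: ParseWrappingPublicKey takes the DER public key that GetParametersForImport returns, and WrapKeyMaterial produces the EncryptedKeyMaterial blob that ImportKeyMaterial accepts. The local RSA key pair in main is a constructed stand-in for the HSM wrapping key; in production the private half exists only inside the Amazon KMS HSM.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Key material for a symmetric encryption KMS key must be exactly 256 bits.
const symmetricKeyMaterialLen = 32

// ParseWrappingPublicKey parses the DER-encoded (SubjectPublicKeyInfo) public key
// that GetParametersForImport returns in its PublicKey field.
func ParseWrappingPublicKey(der []byte) (*rsa.PublicKey, error) {
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return nil, fmt.Errorf("parse wrapping key: %w", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("wrapping key is not an RSA key")
	}
	return rsaPub, nil
}

// WrapKeyMaterial encrypts raw key material under the wrapping public key with
// RSAES-OAEP using SHA-256 for both the hash and MGF1, which is what the
// RSAES_OAEP_SHA_256 wrapping algorithm specifies. The result is the
// EncryptedKeyMaterial value passed to ImportKeyMaterial.
func WrapKeyMaterial(pub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	if len(keyMaterial) != symmetricKeyMaterialLen {
		return nil, fmt.Errorf("key material must be %d bytes, got %d",
			symmetricKeyMaterialLen, len(keyMaterial))
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, nil)
}

// NewKeyMaterial draws 256 bits from the OS CSPRNG. The caller, not Amazon KMS,
// must keep a durable copy: re-importing after expiry or deletion needs the same bytes.
func NewKeyMaterial() ([]byte, error) {
	km := make([]byte, symmetricKeyMaterialLen)
	if _, err := rand.Read(km); err != nil {
		return nil, err
	}
	return km, nil
}

// unwrapForTest is the HSM side of the exchange, reproduced locally only so the
// round trip can be checked. In production the private key exists only inside
// the Amazon KMS HSM and the plaintext never leaves it.
func unwrapForTest(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

func main() {
	// Constructed stand-in for the HSM-generated wrapping key pair (RSA_2048 spec).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	pub, err := ParseWrappingPublicKey(der)
	if err != nil {
		panic(err)
	}
	km, err := NewKeyMaterial()
	if err != nil {
		panic(err)
	}
	wrapped, err := WrapKeyMaterial(pub, km)
	if err != nil {
		panic(err)
	}
	fmt.Printf("EncryptedKeyMaterial: %d bytes\n", len(wrapped))
	got, err := unwrapForTest(priv, wrapped)
	fmt.Println("HSM-side unwrap matches:", err == nil && bytes.Equal(got, km))
}
```

The length check matters in practice: OAEP under an RSA-2048 wrapping key can carry a symmetric key comfortably, but it is the 256-bit requirement for symmetric KMS keys, not the RSA limit, that decides whether the import is accepted, and wrapping the wrong size wastes an import token.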
Data encryption
The data in Amazon KMS consists of Amazon KMS keys and the encryption key material they represent. This key material exists in plaintext only within Amazon KMS hardware security modules (HSMs) and only when in use. Otherwise, the key material is encrypted and stored in durable persistent storage.
The key material that Amazon KMS generates for KMS keys never leaves the boundary of Amazon KMS HSMs unencrypted. It is not exported or transmitted in any Amazon KMS API operations. The exception is for multi-Region keys, where Amazon KMS uses a cross-Region replication mechanism to copy the key material for a multi-Region key from an HSM in one Amazon Web Services Region to an HSM in a different Amazon Web Services Region. For details, see Replication process for multi-Region keys in Amazon Key Management Service Cryptographic Details.
Encryption at rest
Amazon KMS generates key material for Amazon KMS keys in FIPS 140-2 Security Level 3–validated hardware security modules (HSMs).
Encryption and management of key material for KMS keys is handled entirely by Amazon KMS.
For more details, see Working with Amazon KMS keys in Amazon Key Management Service Cryptographic Details.
Encryption in transit
Key material that Amazon KMS generates for KMS keys is never exported or transmitted in Amazon KMS API operations. Amazon KMS uses key identifiers to represent the KMS keys in API operations. Similarly, key material for KMS keys in Amazon KMS custom key stores is non-exportable and never transmitted in Amazon KMS or Amazon CloudHSM API operations.
However, some Amazon KMS API operations return data keys. Also, customers can use API operations to import key material for selected KMS keys.
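The distinction the two paragraphs above draw, between key material that never leaves the HSMs and data keys that do come back over the API, is easiest to see in code. The following is an added Go example (standard library only; not Amazon's code and not from the Amazon SDKs) of envelope encryption with a data key. kmsGenerateDataKey and kmsDecrypt are this example's own offline stand-ins for the GenerateDataKey and Decrypt operations, with a constructed rootKey playing the part of the KMS key material. The calling code holds the plaintext data key only for the local encryption and stores the wrapped copy alongside the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-256-GCM and prepends the random 96-bit nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen splits off the nonce and authenticates before returning any plaintext.
func gcmOpen(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// kmsGenerateDataKey stands in for GenerateDataKey: a fresh 256-bit data key is
// returned in plaintext and wrapped under rootKey, which never leaves this function.
func kmsGenerateDataKey(rootKey []byte) (plaintext, blob []byte, err error) {
	if plaintext, err = randomBytes(32); err != nil {
		return nil, nil, err
	}
	blob, err = gcmSeal(rootKey, plaintext)
	return plaintext, blob, err
}

// kmsDecrypt stands in for Decrypt: a tampered blob, or one wrapped under a
// different KMS key, fails authentication instead of yielding garbage.
func kmsDecrypt(rootKey, blob []byte) ([]byte, error) { return gcmOpen(rootKey, blob) }

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Seal is envelope encryption: one data key per object, used locally, then wiped.
func Seal(rootKey, plaintext []byte) (encryptedDataKey, ciphertext []byte, err error) {
	dk, blob, err := kmsGenerateDataKey(rootKey)
	if err != nil {
		return nil, nil, err
	}
	defer zero(dk)
	ciphertext, err = gcmSeal(dk, plaintext)
	return blob, ciphertext, err
}

// Open asks KMS for the plaintext data key, decrypts locally, then wipes the key.
func Open(rootKey, encryptedDataKey, ciphertext []byte) ([]byte, error) {
	dk, err := kmsDecrypt(rootKey, encryptedDataKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer zero(dk)
	return gcmOpen(dk, ciphertext)
}

func main() {
	rootKey, _ := randomBytes(32) // constructed stand-in for the KMS key material
	encKey, ct, err := Seal(rootKey, []byte("constructed sample payload"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(rootKey, encKey, ct)
	fmt.Printf("%q %v\n", pt, err)
}
```

The only secrets that cross the caller's boundary are the data key (briefly, in plaintext) and its wrapped form; rootKey is consulted solely inside the two stand-in functions, which is the shape of the real service boundary the text describes.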
All Amazon KMS API calls must be signed and transmitted using Transport Layer Security (TLS). Amazon KMS requires TLS 1.2 and recommends TLS 1.3 in all regions. Amazon KMS also supports hybrid post-quantum TLS for Amazon KMS service endpoints in all regions, except China Regions. Amazon KMS does not support hybrid post-quantum TLS for FIPS endpoints in Amazon GovCloud (US). Calls to Amazon KMS also require a modern cipher suite that supports perfect forward secrecy, which means that compromise of a long-term secret, such as the server's private key, does not also compromise the session keys of past connections.
If you require FIPS 140-2 validated cryptographic modules when accessing Amazon through a command line interface or an API, use a FIPS endpoint. To use standard Amazon KMS endpoints or Amazon KMS FIPS endpoints, clients must support TLS 1.2 or later. For more information about the available FIPS endpoints, see Federal Information Processing Standard (FIPS) 140-2.
Communications between Amazon KMS service hosts and HSMs are protected using Elliptic Curve Cryptography (ECC) and Advanced Encryption Standard (AES) in an authenticated encryption scheme. For more details, see Internal communication security in Amazon Key Management Service Cryptographic Details.
Internetwork traffic privacy
Amazon KMS supports an Amazon Web Services Management Console and a set of API operations that enable you to create and manage Amazon KMS keys and use them in cryptographic operations.
Amazon KMS supports two network connectivity options from your private network to Amazon.
- An IPSec VPN connection over the internet
- Amazon Direct Connect, which links your internal network to an Amazon Direct Connect location over a standard Ethernet fiber-optic cable.
All Amazon KMS API calls must be signed and be transmitted using Transport Layer Security (TLS). The calls also require a modern cipher suite that supports perfect forward secrecy.
To connect directly to Amazon KMS from your virtual private cloud (VPC) without sending traffic over the public internet, use VPC endpoints, powered by Amazon PrivateLink. For more information, see Connecting to Amazon KMS through a VPC endpoint.
Amazon KMS also supports a hybrid post-quantum key exchange option for the Transport Layer Security (TLS) network encryption protocol. You can use this option with TLS when you connect to Amazon KMS API endpoints.
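The two TLS requirements stated in Encryption in transit and again in this section (TLS 1.2 or later, and a cipher suite with forward secrecy) can be enforced on the client rather than left to the endpoint. The following is an added example in Go, standard library only; it is not Amazon's code and not from the Amazon SDKs, and the function names are this example's own. KMSTransport pins the minimum version and the ECDHE AEAD suites for the HTTP client that would carry signed Amazon KMS requests, and CheckForwardSecrecy is a post-handshake assertion that fails closed on any negotiated connection without ephemeral key exchange. Hybrid post-quantum key exchange is not configured here because it depends on the TLS library version in use.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"strings"
)

// KMSTransport returns an HTTP transport whose TLS settings match what the
// service accepts: TLS 1.2 at minimum and only ECDHE suites, so a downgrade to a
// static-RSA key exchange (no forward secrecy) fails instead of silently succeeding.
func KMSTransport() *http.Transport {
	return &http.Transport{
		TLSClientConfig: &tls.Config{
			MinVersion:   tls.VersionTLS12,
			CipherSuites: forwardSecretSuites(),
		},
		ForceAttemptHTTP2: true,
	}
}

// forwardSecretSuites picks, from Go's list of non-insecure suites, the TLS 1.2
// suites with ephemeral ECDH key exchange and an AEAD cipher. TLS 1.3 suites are
// not configurable in Go and always use an ephemeral key exchange.
func forwardSecretSuites() []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		modern := strings.Contains(cs.Name, "_GCM_") || strings.Contains(cs.Name, "CHACHA20")
		if strings.HasPrefix(cs.Name, "TLS_ECDHE_") && modern {
			ids = append(ids, cs.ID)
		}
	}
	return ids
}

// CheckForwardSecrecy inspects a negotiated connection and rejects anything the
// service should never have agreed to: TLS below 1.2, or a TLS 1.2 suite whose
// key exchange is not ephemeral.
func CheckForwardSecrecy(cs tls.ConnectionState) error {
	switch {
	case cs.Version < tls.VersionTLS12:
		return fmt.Errorf("TLS version 0x%04x is below TLS 1.2", cs.Version)
	case cs.Version >= tls.VersionTLS13:
		return nil // every TLS 1.3 suite uses (EC)DHE
	}
	name := tls.CipherSuiteName(cs.CipherSuite)
	if !strings.HasPrefix(name, "TLS_ECDHE_") {
		return fmt.Errorf("cipher suite %s has no forward secrecy", name)
	}
	return nil
}

func main() {
	for _, id := range forwardSecretSuites() {
		fmt.Println("allowed:", tls.CipherSuiteName(id))
	}
	// Constructed connection state: TLS 1.2 with a static-RSA suite must be rejected.
	static := tls.ConnectionState{Version: tls.VersionTLS12, CipherSuite: tls.TLS_RSA_WITH_AES_128_GCM_SHA256}
	fmt.Println("static RSA check:", CheckForwardSecrecy(static))
	client := &http.Client{Transport: KMSTransport()} // carries signed requests to a KMS endpoint
	_ = client
}
```

After a real request, the negotiated parameters are available on the response's TLS field (resp.TLS), which is where CheckForwardSecrecy would be applied; with the transport above the handshake already cannot produce a state it rejects, so the check serves as a guard against configuration drift.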