Resilience in Amazon Key Management Service - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Resilience in Amazon Key Management Service

The Amazon global infrastructure is built around Amazon Web Services Regions and Availability Zones. Amazon Web Services Regions provide multiple physically separated and isolated Availability Zones, which are connected with low-latency, high-throughput, and highly redundant networking. With Availability Zones, you can design and operate applications and databases that automatically fail over between Availability Zones without interruption. Availability Zones are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.

In addition to the Amazon global infrastructure, Amazon KMS offers several features to help support your data resiliency and backup needs. For more information about Amazon Web Services Regions and Availability Zones, see Amazon Global Infrastructure.

Regional isolation

Amazon Key Management Service (Amazon KMS) is a self-sustaining Regional service that is available in all Amazon Web Services Regions. The Regionally isolated design of Amazon KMS ensures that an availability issue in one Amazon Web Services Region cannot affect Amazon KMS operation in any other Region. Amazon KMS is designed to ensure zero planned downtime, with all software updates and scaling operations performed seamlessly and imperceptibly.

The Amazon KMS Service Level Agreement (SLA) includes a service commitment of 99.999% for all KMS APIs. To fulfill this commitment, Amazon KMS ensures that all data and authorization information required to execute an API request is available on all regional hosts that receive the request.

The Amazon KMS infrastructure is replicated in at least three Availability Zones (AZs) in each Region. To ensure that multiple host failures do not affect Amazon KMS performance, Amazon KMS is designed to service customer traffic from any of the AZs in a Region.

Changes that you make to the properties or permissions of a KMS key are replicated to all hosts in the Region to ensure that subsequent requests can be processed correctly by any host in the Region. Requests for cryptographic operations using your KMS key are forwarded to a fleet of Amazon KMS hardware security modules (HSMs), any of which can perform the operation with the KMS key.

Multi-tenant design

The multi-tenant design of Amazon KMS enables it to fulfill the 99.999% availability SLA, and to sustain high request rates, while protecting the confidentiality of your keys and data.

Multiple integrity-enforcing mechanisms are deployed to ensure that the KMS key that you specified for the cryptographic operation is always the one that is used.

The plaintext key material for your KMS keys is protected extensively. The key material is encrypted in the HSM as soon as it is created, and the encrypted key material is immediately moved to secure, low latency storage. The encrypted key is retrieved and decrypted within the HSM just in time for use. The plaintext key remains in HSM memory only for the time needed to complete the cryptographic operation. Then it is re-encrypted in the HSM and the encrypted key is returned to storage. Plaintext key material never leaves the HSMs; it is never written to persistent storage.

For more information about the mechanisms that Amazon KMS uses to secure your keys, see Amazon Key Management Service Cryptographic Details.

Resilience best practices in Amazon KMS

To optimize resilience for your Amazon KMS resources, consider the following strategies.

  • To support your backup and disaster recovery strategy, consider multi-Region keys, which are KMS keys created in one Amazon Web Services Region and replicated only to the Regions that you specify. With multi-Region keys, you can move encrypted resources between Amazon Web Services Regions (within the same partition) without ever exposing the plaintext, and decrypt the resource, when needed, in any of its destination Regions. Related multi-Region keys are interoperable because they share the same key material and key ID, but each has its own key policy, so access can be controlled per Region. For details, see Multi-Region keys in Amazon KMS.

  • To protect your keys in a multi-tenant service like Amazon KMS, be sure to use access controls, including key policies and IAM policies. In addition, you can send your requests to Amazon KMS using a VPC interface endpoint powered by Amazon PrivateLink. When you do, all communication between your Amazon VPC and Amazon KMS is conducted entirely within the Amazon network using a dedicated Amazon KMS endpoint restricted to your VPC. You can further secure these requests by creating an additional authorization layer using VPC endpoint policies. For details, see Connecting to Amazon KMS through a VPC endpoint.
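The multi-Region key workflow from the first best practice above, as an added example (this is not code from the Amazon KMS documentation or the boto3 project). It derives the ARN a replica will have in another Region from the primary key's ARN, refuses the two cases the service itself rejects (a non-multi-Region key, or a target Region in a different partition such as aws-cn versus aws), and encrypts under the primary in one Region and decrypts under the replica in another. The account ID 111122223333 and the key ID are constructed placeholders; the boto3 clients in move_ciphertext are assumed to be supplied by the caller, and the live demonstration under __main__ needs credentials and creates a billable key.

```python
"""Multi-Region key helpers: replica ARN derivation, partition check, and the
boto3 calls for replicate / encrypt-here / decrypt-there.

Added example, not code from the Amazon KMS documentation. ARN values are
constructed placeholders (account 111122223333)."""
import re
import time

# Multi-Region key IDs begin with "mrk-". The key ID (and the key material)
# is identical in every Region the key is replicated to; only the Region
# component of the ARN differs between the primary and its replicas.
_KMS_KEY_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):kms:(?P<region>[^:]+):(?P<account>\d{12}):key/(?P<key_id>[^:/]+)$"
)


def partition_for_region(region: str) -> str:
    """Map a Region name to its partition. Replication never crosses a
    partition boundary (for example aws-cn for the China Regions)."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"


def is_multi_region_key(key_id: str) -> bool:
    return key_id.startswith("mrk-")


def replica_key_arn(primary_arn: str, replica_region: str) -> str:
    """Return the ARN the replica will have in replica_region.

    Raises ValueError for the cases ReplicateKey would reject: a single-Region
    key, a target Region in another partition, or the primary's own Region."""
    m = _KMS_KEY_ARN.match(primary_arn)
    if not m:
        raise ValueError(f"not a KMS key ARN: {primary_arn}")
    if not is_multi_region_key(m["key_id"]):
        raise ValueError("only multi-Region keys (key ID mrk-...) can be replicated")
    target_partition = partition_for_region(replica_region)
    if target_partition != m["partition"]:
        raise ValueError(
            f"{replica_region} is in partition {target_partition} but the primary is in "
            f"{m['partition']}; multi-Region keys stay within one partition"
        )
    if replica_region == m["region"]:
        raise ValueError("replica Region must differ from the primary Region")
    return f"arn:{m['partition']}:kms:{replica_region}:{m['account']}:key/{m['key_id']}"


def move_ciphertext(primary_kms, replica_kms, primary_arn: str,
                    plaintext: bytes, replica_region: str) -> bytes:
    """Encrypt under the primary key in one Region and decrypt under its replica
    in another; plaintext is never handled outside KMS in between.
    primary_kms / replica_kms are boto3 KMS clients for the two Regions
    (assumed to be supplied by the caller)."""
    ciphertext = primary_kms.encrypt(KeyId=primary_arn, Plaintext=plaintext)["CiphertextBlob"]
    # Passing KeyId on Decrypt pins the expected key: a ciphertext produced by
    # some other key fails instead of being decrypted by whatever key made it.
    return replica_kms.decrypt(
        CiphertextBlob=ciphertext,
        KeyId=replica_key_arn(primary_arn, replica_region),
    )["Plaintext"]


if __name__ == "__main__":
    import boto3  # only needed for the live demonstration

    primary_region, replica_region = "us-east-1", "eu-west-1"
    kms_primary = boto3.client("kms", region_name=primary_region)
    kms_replica = boto3.client("kms", region_name=replica_region)

    primary = kms_primary.create_key(MultiRegion=True, Description="mrk example")["KeyMetadata"]
    kms_primary.replicate_key(KeyId=primary["Arn"], ReplicaRegion=replica_region)

    # Replica creation is asynchronous: the replica starts in the Creating
    # state and cannot be used until it is Enabled.
    replica_arn = replica_key_arn(primary["Arn"], replica_region)
    while kms_replica.describe_key(KeyId=replica_arn)["KeyMetadata"]["KeyState"] != "Enabled":
        time.sleep(1)

    print(move_ciphertext(kms_primary, kms_replica, primary["Arn"], b"hello", replica_region))
```

Schedule deletion of any key created by the demonstration (ScheduleKeyDeletion in each Region) when you are done; multi-Region primaries cannot be deleted while replicas exist.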
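The layered authorization from the second best practice above, as an added example (not a policy or code from the Amazon KMS documentation): a key policy statement that denies cryptographic operations unless the request arrived through your VPC endpoint, a VPC endpoint policy that limits which principals and keys the endpoint can be used for, and a deliberately simplified policy evaluator that shows how the two layers combine. The endpoint ID, account ID and key ARN are constructed placeholders. The evaluator implements only the pieces needed here (explicit Deny wins, each layer must Allow, StringEquals/StringNotEquals/Bool conditions, wildcard actions) and ignores Principal matching; it is not the IAM evaluation engine. The aws:ViaAWSService clause exempts calls that an integrated service makes with your credentials, which do not traverse your endpoint; treat that exemption as an assumption to verify against your own integrations.

```python
"""Key policy + VPC endpoint policy for a KMS key reached through a VPC
interface endpoint, with a minimal evaluator to show the layers combining.

Added example, not policy text from the Amazon KMS documentation. IDs and ARNs
are placeholders; the evaluator is a simplification of IAM logic."""
import fnmatch
import json

VPCE_ID = "vpce-0a1b2c3d4e5f67890"  # placeholder endpoint ID
ACCOUNT = "111122223333"             # placeholder account ID
KEY_ARN = f"arn:aws-cn:kms:cn-north-1:{ACCOUNT}:key/mrk-1234abcd12ab34cd56ef1234567890ab"
CRYPTO_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:ReEncrypt*"]

# Key policy: the usual account-root Allow, plus a Deny that bites whenever a
# cryptographic request did not come through our endpoint. Requests over the
# public KMS endpoint carry no aws:sourceVpce at all, so StringNotEquals matches
# them too. aws:ViaAWSService=false keeps the Deny from breaking services that
# call KMS with the caller's credentials (assumed exemption; see lead-in).
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRootPermissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws-cn:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "DenyCryptoOutsideVpce", "Effect": "Deny", "Principal": "*",
         "Action": CRYPTO_ACTIONS, "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:sourceVpce": VPCE_ID},
                       "Bool": {"aws:ViaAWSService": "false"}}},
    ],
}

# Endpoint policy: even through the endpoint, only principals from our account
# may use only this key, and only for these operations.
VPC_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": CRYPTO_ACTIONS, "Resource": KEY_ARN,
         "Condition": {"StringEquals": {"aws:PrincipalAccount": ACCOUNT}}},
    ],
}


def _matches(stmt, ctx) -> bool:
    """Does this statement apply to the request in ctx? (Principal is not
    checked: the caller is assumed to be an authorized principal.)"""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(ctx["action"], pattern) for pattern in actions):
        return False
    if stmt["Resource"] not in ("*", ctx["resource"]):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, want in pairs.items():
            have = ctx["context"].get(key)  # None when the key is absent from the request
            if operator == "StringEquals" and have != want:
                return False
            if operator == "StringNotEquals" and have == want:
                return False
            if operator == "Bool" and (have is None or str(have).lower() != want):
                return False
    return True


def evaluate(layers, ctx) -> bool:
    """Each policy document is an authorization layer: the request needs a
    matching Allow in every layer and no matching Deny in any of them."""
    for policy in layers:
        stmts = policy["Statement"]
        if any(s["Effect"] == "Deny" and _matches(s, ctx) for s in stmts):
            return False
        if not any(s["Effect"] == "Allow" and _matches(s, ctx) for s in stmts):
            return False
    return True


def is_allowed(action, *, source_vpce=None, via_aws_service=False,
               account=ACCOUNT, resource=KEY_ARN) -> bool:
    """Decide one request. source_vpce=None models the public KMS endpoint."""
    context = {"aws:PrincipalAccount": account,
               "aws:ViaAWSService": str(via_aws_service).lower()}
    if source_vpce:
        context["aws:sourceVpce"] = source_vpce
    layers = [KEY_POLICY]
    if source_vpce == VPCE_ID:  # the endpoint policy applies only to traffic through our endpoint
        layers.append(VPC_ENDPOINT_POLICY)
    return evaluate(layers, {"action": action, "resource": resource, "context": context})


if __name__ == "__main__":
    print(json.dumps(KEY_POLICY, indent=2))
    print(json.dumps(VPC_ENDPOINT_POLICY, indent=2))
    print("decrypt via our endpoint:", is_allowed("kms:Decrypt", source_vpce=VPCE_ID))
    print("decrypt via public endpoint:", is_allowed("kms:Decrypt"))
```

Two outcomes are worth noticing: kms:DescribeKey through the endpoint is refused even though the key policy allows kms:*, because the endpoint policy is a second layer that must also allow it; and a request through somebody else's endpoint ID is refused by the key policy's Deny, so the key is protected even if that other endpoint's policy is permissive.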