Durability protection - Amazon Key Management Service

Durability protection

Additional durability for keys generated by the service is provided by offline HSMs, multiple nonvolatile storage of exported domain tokens, and redundant storage of encrypted KMS keys. The offline HSMs are members of the existing domains. Except that they are not online and do not participate in regular domain operations, the offline HSMs appear in the domain state identically to the existing HSM members.

The durability design is intended to protect all KMS keys in a Region should Amazon experience a wide-scale loss of either the online HSMs or the set of KMS keys stored within our primary storage system. Amazon KMS keys with imported key material are not included under the durability protections afforded to other KMS keys. In the event of a Region-wide failure in Amazon KMS, imported key material may need to be reimported into a KMS key.
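An added example, not part of the AWS documentation: because imported key material falls outside these durability protections, an inventory of keys whose `Origin` is `EXTERNAL` shows which keys may need their material reimported. The `StubKms` class and its key IDs are constructed sample data standing in for a boto3 KMS client, which can be passed in its place.

```python
from datetime import datetime, timezone


def keys_with_imported_material(kms):
    """List KMS keys in the client's Region that use imported key material.

    `kms` is any object exposing the boto3 KMS client calls
    get_paginator("list_keys") and describe_key(KeyId=...).
    """
    findings = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            if meta.get("Origin") != "EXTERNAL":
                continue  # key material generated by the service
            findings.append({
                "KeyId": meta["KeyId"],
                "KeyState": meta.get("KeyState"),  # PendingImport = no material loaded
                "ExpirationModel": meta.get("ExpirationModel"),
                "ValidTo": meta.get("ValidTo"),
            })
    return findings


class StubKms:
    """Constructed sample data (assumption) so the example runs offline."""
    _keys = {
        "11111111-aaaa-4aaa-8aaa-000000000001": {"Origin": "AWS_KMS", "KeyState": "Enabled"},
        "22222222-bbbb-4bbb-8bbb-000000000002": {
            "Origin": "EXTERNAL", "KeyState": "Enabled",
            "ExpirationModel": "KEY_MATERIAL_EXPIRES",
            "ValidTo": datetime(2030, 1, 1, tzinfo=timezone.utc)},
        "33333333-cccc-4ccc-8ccc-000000000003": {"Origin": "EXTERNAL", "KeyState": "PendingImport"},
        "44444444-dddd-4ddd-8ddd-000000000004": {"Origin": "AWS_KMS", "KeyState": "Disabled"},
    }

    def get_paginator(self, name):
        assert name == "list_keys"
        return self

    def paginate(self):
        ids = list(self._keys)
        yield {"Keys": [{"KeyId": k} for k in ids[:2]]}  # two pages, as a real
        yield {"Keys": [{"KeyId": k} for k in ids[2:]]}  # paginator may return

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self._keys[KeyId], KeyId=KeyId)}


if __name__ == "__main__":
    # Replace StubKms() with boto3.client("kms") to query a real account.
    for finding in keys_with_imported_material(StubKms()):
        print(finding)
```

Each key in the output needs its original key material kept retrievable outside Amazon KMS so that it can be reimported.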

The offline HSMs, and the credentials to access them, are stored in safes within monitored safe rooms in multiple independent geographical locations. Each safe requires at least one Amazon security officer and one Amazon KMS operator, from two independent teams in Amazon, to obtain these materials. The use of these materials is governed by internal policy requiring a quorum of Amazon KMS operators to be present.