Managing KMS keys in an external key store - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Managing KMS keys in an external key store

To create, view, manage, use, and schedule deletion of the KMS keys in an external key store, you use procedures that are very similar to those you use for other KMS keys. However, when you create a KMS key in an external key store, you specify an external key store and an external key. When you use a KMS key in an external key store, encryption and decryption operations are performed by your external key manager using the specified external key.

Amazon KMS cannot create, view, update, or delete any cryptographic keys in your external key manager. Amazon KMS never directly accesses your external key manager or any external key. All requests for cryptographic operations are mediated by your external key store proxy. To use a KMS key in an external key store, the external key store that hosts the KMS key must be connected to its external key store proxy.

Supported features

In addition to the procedures discussed in this section, you can do the following with KMS keys in an external key store:

Unsupported features