Planning an external key store - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Planning an external key store

Before creating your external key store, choose the connectivity option that determines how Amazon KMS communicates with your external key store components. The connectivity option that you choose determines the remainder of the planning process.

Learn more:

  • Review the process for creating an external key store, including assembling the prerequisites. It will help you to ensure that you have all of the components you need when you create your external key store.

  • Learn how to control access to your external key store, including the permissions that external key store administrators and users require.

  • Learn about the Amazon CloudWatch metrics and dimensions that Amazon KMS records for external key stores. We strongly recommend that you create alarms to monitor your external key store so you can detect the early signs of performance and operational problems.

Choosing a proxy connectivity option

If you are creating an external key store, you need to determine how Amazon KMS communicates with your external key store proxy. This choice will determine which components you need and how you configure them. Amazon KMS supports the following connectivity options. Choose the option that meets your performance and security goals.

Before you begin, confirm that you need an external key store. Most customer can use KMS keys backed by Amazon KMS key material.

Note

If your external key store proxy is built into your external key manager, your connectivity might be predetermined. For guidance, consult the documentation for your external key manager or external key store proxy.

You can change your external key store proxy connectivity option even on an operating external key store. However, the process must be carefully planned and executed to minimize disruption, avoid errors, and ensure continued access to the cryptographic keys that encrypt your data.

Public endpoint connectivity

Amazon KMS connects to the external key store proxy (XKS proxy) over the internet using a public endpoint.

This connectivity option is easier to set up and maintain, and it aligns well with some models of key management. However, it might not fulfill the security requirements of some organizations.


                    Public endpoint connectivity

Requirements

If you choose public endpoint connectivity, the following are required.

  • Your external key store proxy must be reachable at a publicly routable endpoint.

  • You can use the same public endpoint for multiple external key stores provided that they use different proxy URI path values.

  • You cannot use the same endpoint for an external key store with public endpoint connectivity and any external key store with VPC endpoint services connectivity in the same Amazon Web Services Region, even if the key stores are in different Amazon Web Services accounts.

  • You must obtain a TLS certificate issued by a public certificate authority supported for external key stores. For a list, see Trusted Certificate Authorities.

    The subject common name (CN) on the TLS certificate must match the domain name in the proxy URI endpoint for the external key store proxy. For example, if the public endpoint is https://myproxy.xks.example.com, the TLS, the CN on the TLS certificate must be myproxy.xks.example.com or *.xks.example.com.

  • Ensure that any firewalls between Amazon KMS and the external key store proxy allow traffic to and from port 443 on the proxy. Amazon KMS communicates on port 443. This value is not configurable.

For all requirements for an external key store, see the Assemble the prerequisites.

VPC endpoint service connectivity

Amazon KMS connects to the external key store proxy (XKS proxy) by creating an interface endpoint to an Amazon VPC endpoint service that you create and configure. You are responsible for creating the VPC endpoint service and for connecting your VPC to your external key manager.

Your endpoint service can use any of the supported network-to-Amazon VPC options for communications, including Amazon Direct Connect.

This connectivity option is more complicated to set up and maintain. But it uses Amazon PrivateLink, which enables Amazon KMS to privately connect to your Amazon VPC and your external key store proxy without using the public internet.

You can locate your external key store proxy in your Amazon VPC.


                    VPC endpoint service connectivity - XKS proxy in your VPC

Or, locate your external key store proxy outside of Amazon and use your Amazon VPC endpoint service only for secure communication with Amazon KMS.


                    VPC endpoint service connectivity - XKS proxy outside of Amazon