Replication process for multi-Region keys - Amazon Key Management Service

Replication process for multi-Region keys

Amazon KMS uses a cross-Region replication mechanism to copy the key material in a KMS key from an HSM in one Amazon Web Services Region to an HSM in a different Amazon Web Services Region. For this mechanism to work, the KMS key that is being replicated must be a multi-Region key. When replicating a KMS key from one Region to another, the HSMs in the Regions cannot communicate directly, because they're in isolated networks. Instead, the messages exchanged during the cross-Region replication are delivered by a proxy service.

During cross-Region replication, every message generated by an Amazon KMS HSM is cryptographically signed using a replication signing key. Replication signing keys (RSKs) are ECDSA keys on the NIST P-384 curve. Every Region owns at least one RSK, and the public component of each RSK is shared with every other Region in the same Amazon partition.

The cross-Region replication process to copy key material from Region A to Region B works as follows:

  1. The HSM in Region B generates an ephemeral ECDH key on the NIST P-384 curve, Replication Agreement Key B (RAKB). The public component of RAKB is sent to an HSM in Region A by the proxy service.

  2. The HSM in Region A receives the public component of RAKB and then generates another ephemeral ECDH key on the NIST P-384 curve, Replication Agreement Key A (RAKA). The HSM runs the ECDH key establishment scheme on RAKA and the public component of RAKB, and derives a symmetric key from the output, the Replication Wrapping Key (RWK). The RWK is used to encrypt the key material of the multi-Region KMS key that is being replicated.

  3. The public component of RAKA and the key material encrypted with the RWK are sent to the HSM in Region B through the proxy service.

  4. The HSM in Region B receives the public component of RAKA and the key material encrypted using the RWK. The HSM derives the RWK by running the ECDH key establishment scheme on RAKB and the public component of RAKA.

  5. The HSM in Region B uses the RWK to decrypt the key material from Region A.
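The five steps above, written out as an added Go example (not Amazon KMS code): both Regions' ephemeral P-384 ECDH keys, the RSK signature check each side performs before trusting a message, and the wrap and unwrap of the key material under the RWK. SHA-256 as the KDF, AES-256-GCM as the wrapping mode, the message layout and the function names are assumptions; the page specifies none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// must panics on error so the protocol steps below read linearly (demo only).
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// NewRSK generates a Region's replication signing key: ECDSA on NIST P-384.
func NewRSK() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader)) }
// Every replication message carries a signature by the sender's RSK over the message's SHA-256 digest.
func sign(rsk *ecdsa.PrivateKey, msg []byte) []byte { h := sha256.Sum256(msg); return must(ecdsa.SignASN1(rand.Reader, rsk, h[:])) }
func verify(rskPub *ecdsa.PublicKey, msg, sig []byte) bool { h := sha256.Sum256(msg); return ecdsa.VerifyASN1(rskPub, h[:], sig) }

// deriveRWK runs P-384 ECDH against the peer's public point and turns the shared secret into an AES-256-GCM
// key. SHA-256 as the KDF and AES-GCM as the wrap are assumptions; the page only says "derives a symmetric key".
func deriveRWK(own *ecdh.PrivateKey, peerPub []byte) cipher.AEAD {
	rwk := sha256.Sum256(must(own.ECDH(must(ecdh.P384().NewPublicKey(peerPub)))))
	return must(cipher.NewGCM(must(aes.NewCipher(rwk[:]))))
}

// Replicate walks steps 1-5 for Region A -> Region B, given each Region's RSK, and returns what B recovers.
func Replicate(keyMaterial []byte, rskA, rskB *ecdsa.PrivateKey) ([]byte, error) {
	// Step 1: B generates ephemeral RAKB; its public component goes to A, signed, via the proxy.
	rakb := must(ecdh.P384().GenerateKey(rand.Reader))
	msg1 := rakb.PublicKey().Bytes()
	sig1 := sign(rskB, msg1)
	// Step 2: A checks the RSK signature, generates RAKA, derives the RWK and wraps the key material.
	if !verify(&rskB.PublicKey, msg1, sig1) {
		return nil, errors.New("step 2: RAKB message not signed by Region B's RSK")
	}
	raka := must(ecdh.P384().GenerateKey(rand.Reader))
	nonce := make([]byte, 12); must(rand.Read(nonce))
	wrapped := deriveRWK(raka, msg1).Seal(nonce, nonce, keyMaterial, nil) // nonce || ciphertext || tag
	// Step 3: A sends RAKA's public component plus the wrapped key material, signed, via the proxy.
	msg2 := append(raka.PublicKey().Bytes(), wrapped...)
	sig2 := sign(rskA, msg2)
	// Steps 4-5: B checks the signature, derives the same RWK from RAKB and RAKA's public point, unwraps.
	if !verify(&rskA.PublicKey, msg2, sig2) {
		return nil, errors.New("step 4: message not signed by Region A's RSK")
	}
	rakaPub, ct := msg2[:97], msg2[97:] // an uncompressed P-384 point is 97 bytes
	return deriveRWK(rakb, rakaPub).Open(nil, ct[:12], ct[12:], nil)
}
```

Because RAKA and RAKB are ephemeral and only their public components cross the proxy, the proxy relays ciphertext it cannot open, and a message not signed by the peer Region's RSK is rejected before any key is derived.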