Are KMS Source Keys Unique to My AWS Account?

Asked By CuriousCat42 On

I'm navigating some compliance issues and I need clarity on something regarding AWS KMS. The regulator has stated that "Encryption keys used for the encryption of institution data are unique and not shared with other users of the cloud service." I understand that when I use a customer-managed key (CMK) in AWS backed by KMS, the resulting key material is dedicated to my KMS key. But, my question is whether the source key material (keymat) in AWS KMS is exclusively for my tenant or if it's shared among multiple tenants in the same region.

3 Answers

Answered By CloudWizKid On

AWS KMS does not reuse the source key material for other customers. Additionally, it doesn't copy key material across regions unless you set up a multi-region key with explicit replication. Using a CMK generally satisfies requirements for regulations like SOX or SOC 2 since you control the access permissions with key policies or grants. If you're looking for more security, consider CloudHSM, but keep in mind it comes with higher costs and operational overhead, like managing backups.

RegulationExpert -

This is spot on! Also, don’t forget to check AWS Artifact for compliance standards related to KMS; it can provide useful language for both internal and external audits.

Answered By TechSavvyGuru On

The CMK you create in AWS KMS is unique to your AWS account, provided that you don't share it. However, the underlying key material does originate from shared infrastructure, like the HSMs AWS uses for the KMS service.

ComplianceNerd99 -

I get that, but my auditors are being a bit picky. I need to clarify whether the source key material in the AWS HSM is dedicated to my organization or if it’s shared.

Answered By KeyMasterPro On

Yes, the key material is dedicated to your use. A shared key material would mean that different keys could be swapped for one another, which isn't how it works.
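A check an auditor could run over a key's DescribeKey metadata and key policy, written for this thread and not taken from AWS or any of the answers above, to back up CloudWizKid's point about key policies and grants and TechSavvyGuru's "provided that you don't share it". It assumes the real DescribeKey field names (KeyManager, MultiRegion, AWSAccountId) and the JSON key-policy format; every value in the sample data is constructed.

```python
# Constructed sample: the shape follows the DescribeKey API, the values are made up.
SAMPLE_KEY_METADATA = {
    "KeyId": "11111111-2222-3333-4444-555555555555",
    "Arn": "arn:aws:kms:eu-west-1:111122223333:key/11111111-2222-3333-4444-555555555555",
    "AWSAccountId": "111122223333",
    "KeyManager": "CUSTOMER",   # AWS-managed keys report "AWS" here
    "Origin": "AWS_KMS",        # key material generated inside the KMS HSM fleet
    "MultiRegion": False,       # True only when replication was explicitly configured
    "KeyState": "Enabled",
}

# Constructed key policy: the second statement grants use to another account.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM policies", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Cross-account use", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999988887777:role/partner"},
         "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
    ],
}

def foreign_principals(policy: dict, account_id: str) -> list:
    """Principal ARNs in Allow statements that belong to another account or are wildcards."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":            # anonymous access: anyone may use the key
            found.append("*")
            continue
        aws = principal.get("AWS", [])  # "Service" principals are not account identities
        for arn in ([aws] if isinstance(aws, str) else aws):
            if arn == "*" or f":{account_id}:" not in arn:
                found.append(arn)
    return found

def audit_key(metadata: dict, policy: dict) -> dict:
    """Findings for the auditor: each control entry is True when the control holds."""
    shared = foreign_principals(policy, metadata["AWSAccountId"])
    return {
        "customer_managed": metadata.get("KeyManager") == "CUSTOMER",
        "single_region": not metadata.get("MultiRegion", False),
        "no_foreign_principals": not shared,
        "foreign_principals": shared,
    }
```

Grants are not visible in the key policy, so a full check also walks ListGrants for the same key.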
