How Secure is Amazon’s Key Management Service (AWS KMS)?

Gregory Lebovitz

Thousands of organizations use Amazon Web Services (AWS) to host their applications and manage their data in the cloud. The advantages of geographic availability, scalability and reliability make AWS a great resource. With security breaches occurring more frequently across many environments, organizations that have relinquished direct control by outsourcing to service providers or security experts are questioning the security of their environments and their data. To address customer concerns about security and encryption key management, AWS offers two options: AWS CloudHSM, a cloud-based hardware security module (HSM), and AWS Key Management Service (AWS KMS). Each provides a distinct approach to managing encryption keys in the Amazon cloud.

AWS CloudHSM is designed for organizations that formerly used HSMs to manage encryption keys in their own data centers and would like to continue in the same vein by using HSMs provided and maintained by AWS. With CloudHSM, HSMs purchased, provisioned and managed by an organization within their own data centers are replaced by HSMs purchased, provisioned and managed by Amazon.

The second option, AWS KMS, is an ideal solution for organizations that want to manage encryption keys in conjunction with other AWS services. In contrast to AWS CloudHSM, AWS KMS provides a complete set of tools to manage encryption keys, develop applications and integrate with other AWS services.

AWS CloudHSM: HSMs in Amazon’s data centers

AWS CloudHSM eliminates the need for an organization to purchase and provision HSMs. In a widely-distributed cloud environment, provisioning becomes a needlessly complex administrative task; cloud providers are able to manage the provisioning process far more efficiently using their economies of scale, especially as customer data and processing needs grow. AWS CloudHSM easily scales by adding capacity on demand and in a far more cost-effective manner than with on-premises HSM provisioning. Capabilities and features of AWS CloudHSM include:

  • FIPS 140-2 Level 3-validated HSMs located in AWS data centers.
  • Administration via secure channel access to create users and manage HSM policies.
  • Encryption keys accessible only by authorized HSM users. AWS does not have access to customer encryption keys.
  • Exclusive, single-tenant access to HSMs in the Amazon Virtual Private Cloud.
  • Management of keys through the entire lifecycle: creation, distribution, rotation, refreshment and retirement.
  • Keys can be exported to other commercially-available HSMs.
  • Application integration using Public-Key Cryptography Standards #11 (PKCS#11), Java Cryptography Extensions (JCE) and Microsoft CryptoNG (CNG) libraries.

AWS Key Management Service: a rich set of management tools

AWS Key Management Service provides users with robust tools to manage their encryption keys in the Amazon cloud. As a service, AWS KMS scales easily to meet growing data and processing needs and benefits from the high availability of AWS. FIPS 140-2-validated hardware security modules located in AWS data centers securely store the keys. Unlike CloudHSM, AWS KMS also offers integration with other AWS services that use encryption keys. Capabilities and features of AWS KMS include:

  • Centralized encryption key management and control.
  • Key lifecycle management: creation, rotation, import, export, deletion and usage policy definition.
  • Plaintext keys cannot be retrieved from the service by anyone, including AWS employees.
  • Keys cannot be transmitted beyond the AWS regions where they were created.
  • Auditing via integration with AWS CloudTrail provides logs of all key usage.
  • AWS Management Console or AWS SDK may be used to add encryption to applications.

The challenge of encryption key management in multi-cloud environments

For organizations who use AWS exclusively as their cloud provider for data and applications, AWS CloudHSM or AWS KMS can easily meet their encryption key management needs. AWS CloudHSM is the choice for organizations preferring to manage encryption keys solely via the capabilities of an HSM, while AWS KMS is preferred for organizations that want HSM-level security and a rich set of tools to manage encryption keys used by other AWS services.

Within an AWS cloud environment, either of these encryption key management solutions is ideal. However, the majority of organizations use multiple cloud providers: according to the 2018 RightScale State of the Cloud report, 81% of respondents indicated that they employ a multicloud strategy, and organizations use almost five different public or private clouds on average. This presents a significant problem for encryption key management: with each cloud provider offering a different solution, whether an HSM solution or a KMS solution, the average organization must learn multiple encryption key management strategies. In a market where security talent is tight, organizations using multicloud environments need a simpler way to securely manage their encryption keys.

HSM as a Service complements AWS in multicloud environments

Availability, scalability and a growing list of complementary services make AWS a top-of-mind choice when considering cloud service providers. However, when faced with the reality that AWS will likely be one of several different cloud providers used by your organization, you may need a consistent approach for encryption key management across all of those environments. The solution is an HSM as a Service approach that complements data management and application deployment strengths of leading cloud providers like AWS.

In keeping with the cloud model, HSM as a Service provides encryption key management with capabilities and features similar to AWS KMS: on-demand implementation, centralized key control, lifecycle management, key import and export, auditing, cloud-friendly application programming interfaces (APIs) and software development kits (SDKs) to support application integration, scalability and high availability. HSM as a Service offers four additional benefits that simplify key management and increase the security of data stored by cloud providers:

  1. Cloud neutrality to provide encryption key management for leading cloud platforms like AWS, Google, Azure, IBM and Oracle.
  2. HSM-level security without the need for HSM hardware through the use of Fortanix and Intel SGX to manage encryption key security and execute code in a secure environment.
  3. Enhanced data security by storing encryption keys separately, both physically and logically, from the data they encrypt.
  4. Interconnectivity with multiple cloud solution providers (CSP) via public internet or private interconnection enabled by the Equinix Cloud Exchange™ backbone across global Equinix data centers.

The HSM as a Service approach to encryption key management is provided as SmartKey from Equinix. SmartKey simplifies provisioning and control of encryption keys in private, public, hybrid and multicloud environments. More importantly, it can increase the security of data stored by AWS by managing encryption keys separately from the encrypted data.

If AWS is one of your cloud providers

If you’re among the majority of organizations using multiple cloud providers to support diverse data and application needs, or if you’ll soon expand beyond the sole use of AWS for cloud support, we invite you to take a few minutes to learn how to simplify encryption key management across multiple cloud platforms without sacrificing security by signing up for a free SmartKey trial. Encryption key management in AWS and other leading cloud environments is a challenge for any organization, particularly when multiple cloud providers are involved. Equinix SmartKey makes this process more efficient and more secure, allowing organizations to get the most out of AWS and other environments without compromising data security.
