Encryption Key Management is a major function of online systems that requires lots of organization and no one will ever notice your efforts if things go right. Yet, if you screw it up, the world will come crashing down. Enter, KMS and its good buddy CloudHSM.
KMS is a managed service that makes it easy for your to create, control, rotate and use encryption keys. It uses asymmetric encryption (2 different keys). Symmetric is not supported. The Customer Master Key is the default key used by KMS to encrypt/decrypt the data key; the encrypted data key is stored with the data.
Highly Performant - Very durable, low latency, and High Throughput
IAM Access controlled
Regional Independence - your key can’t travel the world…
Integrated with AWS CloudTrail & Cloud watch; KMS keys are single region
Full AWS API, CLI and SDK suppot
pay per API call; can encrypt/decrypt up to 4KB in size
Roles need access to ‘admin’ access the key to USE the key. Role, users and external users can be granted the ability to use the key. Keys can be rotated yearly and KMS magically uses the right key when decrypting data.
Types of Customer Master Keys (CMK)
|type||Can view||can manage||dedicated to my account|
|AWS owned CMK||no||yes||no|
CloudHSM is a single tenant hardware security module that must in a VPC. There is very limited integration with AWS services with only Oracle, MS SQL, and Redshift well supported. There is no AWS API into this thing… One big use case is SSL decryption. S3, KMS, and EBS encryption are possible but integration applications must be written.
AWS does not have access to the contents of your module. If you loose the keys, they are lost if you did not have a copy.
CloudTrail integration is supported. Syslog is as well.
CloudHSM would be great if you need FIPS 140-2 level 3 validation and don’t mind fixed cost of $5k per module. And you are responsible for the HA part so really you need 2 HSM… with a cost of $10k. And a $5k setup fee per region plus an hourly fee.
The HSM does work with peered VPC as well. The HSM module is a cross-AZ cluster and is accessed using an ENI in a public subnet of the VPC.
HSM or KMS ?
Overall, KMS is probably adequate unless additional protection is necessary for some applications and data that are subject to strict contractual or regulatory requirements for managing cryptographic keys, then HSM should be used.
normal, or moderate security requirements? KMS
Integrate w/ AWS services other than S3, EBS, EC2, Redshift & RDS? KMS
Low variable costs based on usage? KMS
Centralize Key Management onsite & AWS? HSM
FIPS 140-2 Level 1 or Level 2: KMS
FIPS 140-2 level 3? KMS
Complete Key Control? HSM
High-performance in-VPC cryptographic acceleration (bulk crypto) (including Apache and Nginx for SSL offload)? HSM
PKCS#11, Java Cryptopgraphy extensions (JCE), Microsoft CryptoNG? HSM