AWS KMS key management - Amazon Aurora

AWS KMS key management

Amazon Aurora automatically integrates with AWS Key Management Service (AWS KMS) for key management. Amazon Aurora uses envelope encryption. For more information about envelope encryption, see Envelope encryption in the AWS Key Management Service Developer Guide.

An AWS KMS key is a logical representation of a key. The KMS key includes metadata, such as the key ID, creation date, description, and key state. The KMS key also contains the key material used to encrypt and decrypt data. For more information about KMS keys, see AWS KMS keys in the AWS Key Management Service Developer Guide.

You can manage KMS keys used for Amazon Aurora encrypted DB clusters using the AWS Key Management Service (AWS KMS) in the AWS KMS console, the AWS CLI, or the AWS KMS API. If you want full control over a KMS key, then you must create a customer managed key. For more information about customer managed keys, see Customer managed keys in the AWS Key Management Service Developer Guide.

AWS managed keys are KMS keys in your account that are created, managed, and used on your behalf by an AWS service that is integrated with AWS KMS. You can't delete, edit, or rotate AWS managed keys. For more information about AWS managed keys, see AWS managed keys in the AWS Key Management Service Developer Guide.

You can't share a snapshot that has been encrypted using the AWS managed key of the AWS account that shared the snapshot.

You can view audit logs of every action taken with an AWS managed or customer managed key by using AWS CloudTrail.

Important

If you disable or revoke permissions to a KMS key used by an RDS database, RDS puts your database into a terminal state when access to the KMS key is required. This change could be immediate, or deferred, depending on the use case that required access to the KMS key. In this state, the DB cluster is no longer available, and the current state of the database can't be recovered. To restore the DB cluster, you must re-enable access to the KMS key for RDS, and then restore the DB cluster from the latest available backup.

Authorizing use of a customer managed key

When Aurora uses a customer managed key in cryptographic operations, it acts on behalf of the user who is creating or changing the Aurora resource.

To use the customer managed key for an Aurora resource on your behalf, a user must have permissions to call the following operations on the customer managed key:

  • kms:GenerateDataKey

  • kms:Decrypt

You can specify these required permissions in a key policy, or in an IAM policy if the key policy allows it.

You can make the IAM policy stricter in various ways. For example, to allow the customer managed key to be used only for requests that originate in Aurora, you can use the kms:ViaService condition key with the rds.<region>.amazonaws.com value.

You can also use the keys or values in the encryption context as a condition for using the customer managed key for cryptographic operations.

For more information, see Allowing users in other accounts to use a KMS key in the AWS Key Management Service Developer Guide.