FSISEC09: How are you managing your encryption keys?
In addition to implementing the data protection recommendations applicable to any company seen in the AWS Well-Architected Framework Security Pillar, financial institutions often have additional industry-specific requirements that can influence the management of cryptographic keys.
FSISEC09-BP01 Consider compliance obligations regarding location of cryptographic keys
AWS Key Management Service (AWS KMS) uses an envelope encryption strategy, which consists of encrypting plaintext data with a data key, and then encrypting the data key with another key. AWS KMS keys are created in AWS KMS and never leave AWS KMS unencrypted.
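The envelope encryption pattern just described, as an added example that is not code from the AWS documentation: each object gets its own data key, the data key is wrapped under the KMS key, and only the wrapped copy is stored with the ciphertext. The `fakeKMS` type is an assumption made so the program runs offline; in a real workload its `GenerateDataKey` and `Decrypt` methods would be calls to the AWS KMS APIs of the same names, and `alias/constructed-example-cmk` is a constructed alias, not a real key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// fakeKMS is a stand-in for AWS KMS (assumption for an offline example). It holds
// the KMS key, which acts as the key-encryption key (KEK) and never leaves it in
// plaintext; callers only ever receive data keys.
type fakeKMS struct {
	keyID string
	kek   []byte // 256-bit key material, never exported
}

func newFakeKMS(keyID string) (*fakeKMS, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &fakeKMS{keyID: keyID, kek: kek}, nil
}

func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, prefixing a fresh random nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any tampering with nonce, ciphertext or AAD fails the tag check.
func unseal(key, blob, aad []byte) ([]byte, error) {
	aead, err := aesGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// GenerateDataKey returns a fresh 256-bit data key both in plaintext and wrapped
// under the KMS key. The key ID is bound as AAD so a wrapped key cannot be
// presented as belonging to a different KMS key.
func (k *fakeKMS) GenerateDataKey() (plaintext, wrapped []byte, err error) {
	plaintext = make([]byte, 32)
	if _, err = rand.Read(plaintext); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(k.kek, plaintext, []byte(k.keyID))
	return plaintext, wrapped, err
}

// Decrypt unwraps a data key; only the holder of the KEK can do this.
func (k *fakeKMS) Decrypt(wrapped []byte) ([]byte, error) {
	return unseal(k.kek, wrapped, []byte(k.keyID))
}

// Envelope is what the application persists: ciphertext plus the wrapped data key.
// No plaintext key material is ever stored.
type Envelope struct {
	KeyID          string
	WrappedDataKey []byte
	Ciphertext     []byte
}

// EnvelopeEncrypt uses one data key per object and discards its plaintext after use.
func EnvelopeEncrypt(k *fakeKMS, plaintext []byte) (*Envelope, error) {
	dataKey, wrapped, err := k.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dataKey, plaintext, []byte(k.keyID))
	for i := range dataKey { // zero the plaintext data key once it is no longer needed
		dataKey[i] = 0
	}
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: k.keyID, WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// EnvelopeDecrypt asks KMS to unwrap the data key, then decrypts the object locally.
func EnvelopeDecrypt(k *fakeKMS, env *Envelope) ([]byte, error) {
	if env.KeyID != k.keyID {
		return nil, errors.New("envelope was not wrapped by this KMS key")
	}
	dataKey, err := k.Decrypt(env.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	return unseal(dataKey, env.Ciphertext, []byte(k.keyID))
}

func main() {
	kms, _ := newFakeKMS("alias/constructed-example-cmk")
	env, _ := EnvelopeEncrypt(kms, []byte("constructed sample record"))
	pt, err := EnvelopeDecrypt(kms, env)
	fmt.Printf("%q err=%v wrapped-key-bytes=%d\n", pt, err, len(env.WrappedDataKey))
}
```

The point to take from the structure is that the application process only handles a short-lived data key, the stored envelope contains nothing usable without a call to KMS, and a ciphertext or wrapped key altered at rest fails the AES-GCM tag check rather than decrypting to garbage.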
AWS KMS supports three types of keys: customer managed keys, AWS managed keys, and AWS owned keys (for more information, see the AWS KMS concepts). For many FSI customers, customer managed keys are the preferred option, because they allow the customer to control which applications and AWS services are permitted to use each key. Customer managed keys also provide added flexibility in how keys are generated and where they are stored.
Although it's less common, AWS customers who have a compliance or regulatory need to store and use their encryption keys on-premises or outside of the AWS Cloud can do so by using external key stores.
Prescriptive guidance
- Work backwards from your company's compliance objectives and security standards to determine the right encryption method for your use case.
- Leverage AWS audit reports, available for download at AWS Artifact, to understand the controls implemented by AWS on AWS KMS and tested for operating effectiveness by third-party auditors.
- Review the list of services that you are using for your workload to understand how AWS KMS integrates with each service.
- Review the AWS Encryption SDK with AWS KMS integration if your application needs to encrypt data client-side.
- Evaluate the differences between the key types in AWS KMS.
- When using customer managed keys, consider the default key store to provide the best balance between agility, security, data sovereignty, and availability.
- Consider using custom key stores with AWS CloudHSM or the external key store to adhere to specific compliance obligations.