Managing KMS keys in an external key store

To create, view, manage, use, and schedule deletion of the KMS keys in an external key store, you use procedures that are very similar to those you use for other KMS keys. However, when you create a KMS key in an external key store, you specify an external key store and an external key. When you use a KMS key in an external key store, encryption and decryption operations are performed by your external key manager using the specified external key.

AWS KMS cannot create, view, update, or delete any cryptographic keys in your external key manager. AWS KMS never directly accesses your external key manager or any external key. All requests for cryptographic operations are mediated by your external key store proxy. To use a KMS key in an external key store, the external key store that hosts the KMS key must be connected to its external key store proxy.

Supported features

In addition to the procedures discussed in this section, you can do the following with KMS keys in an external key store:

Use key policies, IAM policies, and grants to control access to the KMS keys.
Enable and disable the KMS keys. These actions do not affect the external key in your external key manager.
Assign tags and create aliases, and use attribute-based access control (ABAC) to authorize access to the KMS keys.
Use the KMS keys with AWS services that integrate with AWS KMS and support customer managed keys.

Unsupported features

External key stores support only symmetric encryption KMS keys. You cannot create HMAC KMS keys or asymmetric KMS keys in an external key store.
GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext are not supported on KMS keys in an external key store.
You cannot use an AWS CloudFormation template to create an external key store or a KMS key in an external key store.
Multi-Region keys are not supported in an external key store.
KMS keys with imported key material are not supported in an external key store.
Automatic key rotation is not supported for KMS keys in an external key store.

Topics

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Deleting an external key store

Creating KMS keys in an external key store