Use envelope encryption with customer master keys - Financial Services Industry Lens

Use envelope encryption with customer master keys

FSISEC15: How are you managing your encryption keys?

AWS KMS solution uses an envelope encryption strategy with customer master keys (CMKs). Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key. Use CMKs to generate, encrypt, and decrypt the data keys that you use outside of AWS KMS to encrypt your data. CMKs are created in AWS KMS and never leave AWS KMS unencrypted.

AWS KMS supports three types of CMKs: Customer-managed CMKs, AWS managed CMKs, and AWS owned CMKs (for more information see here - Customer master keys (CMKs) in the AWS KMS Developer Guide). For many FSI customers, Customer-managed CMK will be the preferred option because it allows for control of the permissions to use keys from any of their applications or AWS services. Customer-managed CMKs also provide added flexibility for key generation and storage. In addition, every use of a key or modification to its policy is logged to AWS CloudTrail for auditing purposes.