AWS-managed and Customer-managed CMKs - AWS Key Management Service Best Practices

AWS-managed and Customer-managed CMKs

CMKs can be broken down into two general types: AWS-managed and customer-managed. An AWS-managed CMK is created when you choose to enable server-side encryption of an AWS resource under the AWS-managed CMK for that service for the first time (e.g., SSE-KMS). The AWS-managed CMK is unique to your AWS account and the Region in which it’s used. An AWS-managed CMK can only be used to protect resources within the specific AWS service for which it’s created. It does not provide the level of granular control that a customer-managed CMK provides. For more control, a best practice is to use a customer-managed CMK in all supported AWS services and in your applications. A customer-managed CMK is created at your request and should be configured based upon your explicit use case.

The following chart summarizes the key differences and similarities between AWS-managed CMKs and customer-managed CMKs.

| | AWS-managed CMK | Customer-managed CMK |
|---|---|---|
| Creation | AWS generated on customer’s behalf | Customer generated |
| Rotation | Once every three years automatically | Once a year automatically through opt-in, or on-demand manually |
| Deletion | Can’t be deleted | Can be deleted |
| Scope of use | Limited to a specific AWS service | Controlled via KMS/IAM policy |
| Key Access Policy | AWS managed | Customer managed |
| User Access Management | IAM policy | IAM policy |

For customer-managed CMKs, you have two options for creating the underlying key material. When you choose to create a CMK using AWS KMS, you can let KMS create the cryptographic material for you, or you can choose to import your own key material. Both of these options provide you with the same level of control and auditing for the use of the CMK within your environment. The ability to import your own cryptographic material allows you to do the following:

  • Prove that you generated the key material using your approved source that meets your randomness requirements.

  • Use key material from your own infrastructure with AWS services, and use AWS KMS to manage the lifecycle of that key material within AWS.

  • Gain the ability to set an expiration time for the key material in AWS and manually delete it, but also make it available again in the future.

  • Own the original copy of the key material, and to keep it outside of AWS for additional durability and disaster recovery during the complete lifecycle of the key material.

The decision to use imported key material or KMS-generated key material would depend on your organization’s policies and compliance requirements.
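The import procedure for a customer-managed CMK with imported key material, as an added example that is not part of the whitepaper: it wraps locally generated key material under the RSA public key that KMS hands out for the import, then imports it with an expiration date, using the boto3 KMS client API (create_key, get_parameters_for_import, import_key_material) and the Python `cryptography` package. The `kms` client object, the key description and the validity period are assumptions.

```python
"""Import customer-generated key material into an EXTERNAL-origin customer-managed CMK."""
import datetime
import os

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding

# Wrapping parameters accepted by GetParametersForImport for the public key KMS returns.
WRAPPING_ALGORITHM = "RSAES_OAEP_SHA_256"
WRAPPING_KEY_SPEC = "RSA_2048"
OAEP_SHA256 = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def generate_key_material() -> bytes:
    """256-bit key material for a SYMMETRIC_DEFAULT (AES-256) CMK.

    In practice this comes from the organisation's approved randomness source (HSM,
    key ceremony); os.urandom stands in for it here (assumption).
    """
    return os.urandom(32)


def wrap_key_material(key_material: bytes, wrapping_public_key_der: bytes) -> bytes:
    """Encrypt the plaintext key material under the KMS-supplied RSA public key (OAEP/SHA-256)."""
    if len(key_material) != 32:
        raise ValueError("SYMMETRIC_DEFAULT keys require exactly 256 bits of key material")
    public_key = serialization.load_der_public_key(wrapping_public_key_der)
    return public_key.encrypt(key_material, OAEP_SHA256)


def import_external_key(kms, key_material: bytes, valid_days: int = 365) -> str:
    """Create an EXTERNAL-origin CMK and import key material that expires after valid_days.

    `kms` is a boto3 KMS client (boto3.client("kms")), passed in so the wrapping logic
    stays testable offline. Returns the new key ID.
    """
    key_id = kms.create_key(Origin="EXTERNAL",
                            Description="customer-managed CMK, imported key material")["KeyMetadata"]["KeyId"]
    params = kms.get_parameters_for_import(KeyId=key_id, WrappingAlgorithm=WRAPPING_ALGORITHM,
                                           WrappingKeySpec=WRAPPING_KEY_SPEC)
    wrapped = wrap_key_material(key_material, params["PublicKey"])
    kms.import_key_material(
        KeyId=key_id,
        ImportToken=params["ImportToken"],  # binds the wrapped material to this key; valid for 24 h
        EncryptedKeyMaterial=wrapped,
        ExpirationModel="KEY_MATERIAL_EXPIRES",  # KMS deletes the material when ValidTo passes
        ValidTo=datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(days=valid_days),
    )
    # kms.delete_imported_key_material(KeyId=key_id) removes the material on demand; importing the
    # same bytes again (fresh GetParametersForImport + ImportKeyMaterial) makes this CMK usable again.
    return key_id
```

Keep the plaintext key material only in the offline system of record; the wrapped copy and the import token are the only artefacts that need to reach AWS.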