Key Creation and Management - AWS Key Management Service Best Practices

Key Creation and Management

Since AWS makes creating and managing keys easy through the use of AWS KMS, we recommend that you have a plan for how to use the service to best control the blast radius around individual keys. Previously, you may have used the same key across different geographic regions, environments, or even applications. With AWS KMS, you should define data classification levels and have at least one CMK per level. For example, you could define one CMK for data classified as "Confidential," another for the next classification level, and so on. Because AWS KMS permissions are granted per key, separating keys by classification lets you give each authorized user permissions only for the key material they require to complete their job, and it limits the data exposed if a single key or its key policy is compromised or misconfigured.

You should also decide how you want to manage usage of AWS KMS. Creating KMS keys within each account that needs to encrypt and decrypt sensitive data works best for most customers; the alternative is to share CMKs from a few centralized accounts. Keeping the CMKs in the same account as the majority of the infrastructure that uses them helps users provision and run AWS services that use those keys. AWS services don't allow cross-account searching unless the principal doing the searching has explicit List* permissions on resources owned by the external account, and even then only through the CLI or SDK, not through console-based searches. Additionally, keeping the CMKs in the local accounts makes it easier to delegate permissions to individuals who know which IAM principals require access to specific CMKs. If you share keys through a centralized model, the AWS KMS administrators need the full Amazon Resource Name (ARN) of every principal that uses each CMK in order to maintain least privilege; otherwise they tend to fall back to granting the external account as a whole, which lets that account's IAM administrators extend key usage to any principal they choose. Cross-account use also always requires both a key policy statement in the account that owns the CMK and an IAM policy in the account that uses it; the key policy alone is not enough.
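The difference between a least-privilege key policy and the "grant the whole account" shortcut, as an added example that is not part of the whitepaper. Both policies, the account IDs (111122223333 as the central key-owning account, 222222222222 as the consuming account), and the role names are constructed placeholders; the `broad_principals` check is a small linter written for this page, not an AWS API.

```python
"""Key policy for a CMK shared from a central account, with a check that flags
statements whose principal is an account rather than a named ARN.
Constructed example; account IDs and role names are placeholders."""
import json
import re

# Least privilege: the consuming account's one application role is named by ARN.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowKeyAdministration",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/KmsAdmin"},
            "Action": [
                "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
            ],
            "Resource": "*",
        },
        {
            "Sid": "AllowUseByOneExternalRole",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:role/OrdersServiceRole"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
}

# The shortcut taken when the administrator does not know the consumer's ARNs:
# grant the external account's root. Any principal in 222222222222 that its own
# IAM administrators attach a kms: policy to can now use the key.
OVERLY_PERMISSIVE_POLICY = json.loads(json.dumps(LEAST_PRIVILEGE_POLICY))
OVERLY_PERMISSIVE_POLICY["Statement"][1]["Sid"] = "AllowUseByWholeAccount"
OVERLY_PERMISSIVE_POLICY["Statement"][1]["Principal"] = {
    "AWS": "arn:aws:iam::222222222222:root"
}

_ACCOUNT_ROOT = re.compile(r"^arn:aws:iam::\d{12}:root$")
_BARE_ACCOUNT = re.compile(r"^\d{12}$")


def _aws_principals(statement):
    """Return the AWS principal strings of a statement ("*" included)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def broad_principals(policy):
    """List (Sid, principal) pairs for Allow statements whose principal is an
    account root, a bare account ID, or a wildcard: the places where key usage
    has been delegated to another account's IAM instead of to named ARNs."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for p in _aws_principals(stmt):
            if p == "*" or _ACCOUNT_ROOT.match(p) or _BARE_ACCOUNT.match(p):
                findings.append((stmt.get("Sid", ""), p))
    return findings


if __name__ == "__main__":
    print("least privilege:", broad_principals(LEAST_PRIVILEGE_POLICY))
    print("overly permissive:", broad_principals(OVERLY_PERMISSIVE_POLICY))
```

Running the check against the output of `aws kms get-key-policy` for each shared CMK is a cheap way to find the keys where the central administrators gave up on least privilege. In either policy, `OrdersServiceRole` can only use the key once its own account also attaches an IAM policy allowing those `kms:` actions on the key's ARN; the key policy grants the account the right to delegate, it does not grant the role directly.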

Your organization should also consider how often to rotate CMKs. Many organizations rotate CMKs yearly. For customer-managed CMKs with KMS-generated key material, this is easy to enforce: opt in to automatic rotation for the CMK, and once a year AWS KMS generates a new backing key and uses it for all new requests to protect information. The old backing keys remain available to decrypt any ciphertext that was produced under them; the key ID, ARN, aliases, and key policy do not change, and existing ciphertext is not re-encrypted. To rotate CMKs more frequently, or to rotate CMKs with imported key material (which cannot be rotated automatically), call UpdateAlias to point the alias at a new CMK, as described in the next section. The UpdateAlias method works for both customer-managed CMKs and CMKs with imported key material. Because a ciphertext blob identifies the CMK it was produced under rather than the alias, the old CMK must stay enabled for as long as data encrypted under it still needs to be decrypted. AWS has found that the frequency of key rotation is highly dependent upon laws, regulations, and corporate policies.
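The two rotation styles described above, as an added walkthrough written for this page rather than code from the whitepaper. It is a toy model of the bookkeeping, not boto3 or AWS KMS: `ToyKms`, its method names, and the HMAC-SHA256 keystream standing in for the AES-GCM that KMS uses internally are all assumptions made for illustration and not for production use. What the model reproduces is the behaviour the text describes: automatic rotation adds a backing key behind the same key ID, UpdateAlias moves the alias to a different CMK, a ciphertext blob records the CMK and backing-key version (never the alias), and disabling the old CMK after an alias switch breaks decryption of the data still bound to it.

```python
"""Toy model of CMK backing keys, aliases and ciphertext under rotation.
Illustration only: not AWS KMS, and the cipher is not for production use."""
import hashlib
import hmac
import json
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode PRF: HMAC-SHA256(key, nonce || block_offset) XOR data."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class ToyKms:
    def __init__(self):
        self._keys = {}     # key_id -> {"backing": [bytes, ...], "enabled": bool}
        self._aliases = {}  # "alias/..." -> key_id

    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(8)
        self._keys[key_id] = {"backing": [secrets.token_bytes(32)], "enabled": True}
        return key_id

    def rotate(self, key_id: str) -> None:
        """Automatic rotation: a new backing key behind the same key ID.
        Older backing keys are kept so their ciphertext still decrypts."""
        self._keys[key_id]["backing"].append(secrets.token_bytes(32))

    def create_alias(self, alias: str, key_id: str) -> None:
        self._aliases[alias] = key_id

    def update_alias(self, alias: str, key_id: str) -> None:
        """Manual rotation: repoint the alias at a different CMK."""
        self._aliases[alias] = key_id

    def disable_key(self, key_id: str) -> None:
        self._keys[key_id]["enabled"] = False

    def _resolve(self, key_ref: str) -> str:
        return self._aliases[key_ref] if key_ref.startswith("alias/") else key_ref

    def encrypt(self, key_ref: str, plaintext: bytes) -> bytes:
        key_id = self._resolve(key_ref)
        entry = self._keys[key_id]
        if not entry["enabled"]:
            raise PermissionError(f"{key_id} is disabled")
        version = len(entry["backing"]) - 1            # newest backing key
        nonce = secrets.token_bytes(12)
        ct = _keystream_xor(entry["backing"][version], nonce, plaintext)
        # As with a real ciphertext blob, the output names the key ID and the
        # backing-key version it was produced under; the alias is not recorded.
        return json.dumps({"key_id": key_id, "version": version,
                           "nonce": nonce.hex(), "ct": ct.hex()}).encode()

    def decrypt(self, blob: bytes) -> bytes:
        """No KeyId argument: the blob says which CMK and backing key to use."""
        meta = json.loads(blob)
        entry = self._keys[meta["key_id"]]
        if not entry["enabled"]:
            raise PermissionError(f"{meta['key_id']} is disabled")
        key = entry["backing"][meta["version"]]
        return _keystream_xor(key, bytes.fromhex(meta["nonce"]), bytes.fromhex(meta["ct"]))


def rotation_walkthrough() -> dict:
    """Run both rotation styles and record what each does to existing ciphertext."""
    kms = ToyKms()
    original = kms.create_key()
    kms.create_alias("alias/confidential", original)
    ct_v0 = kms.encrypt("alias/confidential", b"record one")

    kms.rotate(original)                                  # automatic rotation
    ct_v1 = kms.encrypt("alias/confidential", b"record two")

    replacement = kms.create_key()
    kms.update_alias("alias/confidential", replacement)   # UpdateAlias rotation
    ct_new = kms.encrypt("alias/confidential", b"record three")

    results = {
        "versions": (json.loads(ct_v0)["version"], json.loads(ct_v1)["version"]),
        "same_cmk_after_auto_rotation": json.loads(ct_v0)["key_id"] == json.loads(ct_v1)["key_id"],
        "new_cmk_after_update_alias": json.loads(ct_new)["key_id"] == replacement,
        "old_blobs_still_decrypt": (kms.decrypt(ct_v0), kms.decrypt(ct_v1), kms.decrypt(ct_new))
        == (b"record one", b"record two", b"record three"),
    }
    # Failure mode: the alias no longer points at `original`, but ct_v0 and
    # ct_v1 still do. Disabling (or deleting) the old CMK orphans that data.
    kms.disable_key(original)
    try:
        kms.decrypt(ct_v0)
        results["old_cmk_disabled"] = "still decrypts"
    except PermissionError:
        results["old_cmk_disabled"] = "decrypt refused"
    return results


if __name__ == "__main__":
    for name, value in rotation_walkthrough().items():
        print(f"{name}: {value}")
```

The practical consequence is the last result: after an UpdateAlias rotation, schedule the old CMK for deletion only once every object encrypted under it has been re-encrypted under the new one (or is no longer needed), and treat a spike of Decrypt failures referencing the old key ID as the signal that something was missed.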