Using AWS KMS at Scale - AWS Key Management Service Best Practices

Using AWS KMS at Scale

As noted earlier, a best practice is to use at least one CMK for a particular class of data. This will help you define policies that scope down permissions to the key and hence the data to authorized users. You may choose to further distribute your data across multiple CMKs to provide stronger security controls within a given data classification.

AWS recommends using envelope encryption to scale your KMS implementation. Envelope encryption is the practice of encrypting plaintext data with a unique data key, and then encrypting the data key with a key encryption key (KEK). Within AWS KMS, the CMK is the KEK. You can encrypt your message with the data key and then encrypt the data key with the CMK. Then the encrypted data key can be stored along with the encrypted message. You can cache the plaintext version of the data key for repeated use, reducing the number of requests to AWS KMS. Additionally, envelope encryption can help to design your application for disaster recovery. You can move your encrypted data as-is between Regions and only have to re-encrypt the data keys with the Region-specific CMKs.

The AWS Cryptographic team has released an AWS Encryption SDK that makes it easier to use AWS KMS in an efficient manner. This SDK transparently implements the low-level details for using AWS KMS. It also provides developers options for protecting their data keys after use to ensure that the performance of their application isn’t significantly affected by encrypting your sensitive data.