Like most other cloud service providers, Amazon Web Services (AWS) offers its own cloud-native key management service to generate and manage master keys. Native key management, however, comes with its own shortcomings, including the following:
- The cloud provider owns the key material, and the key can only be used in one cloud and typically for a single tenant.
- If a master key is deleted, then there is no way to get that key back. Any data encrypted under that key is lost.
- There is no consistent way to set fine-grained key management policies across multiple clouds. Customers do not get a single pane of glass for multi-geo, multi-cloud key management, and the policy framework and auditing differ for every cloud.
| | AWS Native Customer Master Key Management | Fortanix Bring Your Own Key solution for AWS |
|---|---|---|
| Key generation | Key material is owned and generated by AWS KMS. | Key material is owned and generated in the customer-owned external KMS/HSM. |
| Key control | Key material belongs to AWS KMS and cannot be exported by the customer. | Key material belongs to the customer and can be exported if needed. |
| Multi-region/tenant support | Key material is unique to one region and account. | Key material is unique, but can exist in more than one region and/or AWS account concurrently. |
| Disaster recovery | To pull a kill switch, the key must be permanently deleted, after which it cannot be restored. | To pull a kill switch, only the key material is deleted; it can be restored on demand. |
Fortanix Data Security Manager allows organizations to Bring Your Own Key (BYOK) for the AWS cloud. With this approach, customers bring (import) their own master key; AWS stores it in its key management system and encrypts all Data Encryption Keys (DEKs) under that key. This gives customers greater control over their data and keys.
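The import-and-kill-switch flow that the table and the paragraph above describe, as an added Go example (not Fortanix or AWS code): it models a KMS key created with Origin=EXTERNAL, generates the master key material on the customer side, wraps it with RSAES_OAEP_SHA_256 (one of the wrapping algorithms AWS KMS accepts for import) under a wrapping key that stands in for the one GetParametersForImport returns, then deletes and restores the material. The ExternalKey type, NewImportParams, the import token and the key id are constructed stand-ins; the real service operations are CreateKey, GetParametersForImport, ImportKeyMaterial and DeleteImportedKeyMaterial, which an actual BYOK integration would call over the AWS API.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyMaterialSize is 256 bits, the material size AWS KMS expects for a
// symmetric key created with Origin=EXTERNAL.
const KeyMaterialSize = 32

// ImportParams stands in for the GetParametersForImport response: a one-time
// RSA wrapping public key plus an opaque import token (placeholder here).
type ImportParams struct {
	WrappingKey *rsa.PublicKey
	ImportToken []byte
}

// NewImportParams plays the KMS side: it mints the wrapping key pair and hands
// only the public half to the customer. The private half never leaves KMS.
func NewImportParams() (ImportParams, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return ImportParams{}, nil, err
	}
	return ImportParams{WrappingKey: &priv.PublicKey, ImportToken: []byte("placeholder-import-token")}, priv, nil
}

// ExternalKey is a teaching model of a KMS key with Origin=EXTERNAL: the key id
// and the fingerprint of the first import persist, the material only exists
// while the customer has it imported.
type ExternalKey struct {
	KeyID       string
	material    []byte   // nil means state PendingImport: key exists but is unusable
	fingerprint [32]byte // SHA-256 of the originally imported material
	imported    bool
}

// GenerateCustomerKeyMaterial creates the master key material on the customer
// side; in the BYOK model this happens inside the customer-owned HSM/KMS.
func GenerateCustomerKeyMaterial() ([]byte, error) {
	km := make([]byte, KeyMaterialSize)
	if _, err := rand.Read(km); err != nil {
		return nil, err
	}
	return km, nil
}

// WrapForImport applies RSAES_OAEP_SHA_256 so that only the holder of the
// wrapping private key can recover the material in transit.
func WrapForImport(params ImportParams, material []byte) ([]byte, error) {
	if len(material) != KeyMaterialSize {
		return nil, fmt.Errorf("key material must be %d bytes, got %d", KeyMaterialSize, len(material))
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, params.WrappingKey, material, nil)
}

// ImportKeyMaterial unwraps the blob and installs the material. Like KMS, it
// only accepts a re-import that matches the material imported originally, so
// the kill switch is reversible without allowing different material to be
// swapped in under the same key id.
func (k *ExternalKey) ImportKeyMaterial(priv *rsa.PrivateKey, wrapped []byte) error {
	material, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return fmt.Errorf("unwrap failed: %w", err)
	}
	if len(material) != KeyMaterialSize {
		return errors.New("unwrapped material has wrong size")
	}
	fp := sha256.Sum256(material)
	if k.imported && fp != k.fingerprint {
		return errors.New("material does not match the key material originally imported for this key")
	}
	k.material, k.fingerprint, k.imported = material, fp, true
	return nil
}

// DeleteImportedKeyMaterial is the reversible kill switch: key id and policies
// stay, but the key is unusable until the same material is imported again.
func (k *ExternalKey) DeleteImportedKeyMaterial() { k.material = nil }

// Usable reports whether the key is in state Enabled rather than PendingImport.
func (k *ExternalKey) Usable() bool { return k.material != nil }

// MaterialMatches confirms the installed material is exactly the customer's bytes.
func (k *ExternalKey) MaterialMatches(m []byte) bool { return bytes.Equal(k.material, m) }

func main() {
	params, priv, err := NewImportParams()
	if err != nil {
		panic(err)
	}
	material, _ := GenerateCustomerKeyMaterial()
	wrapped, _ := WrapForImport(params, material)
	key := &ExternalKey{KeyID: "placeholder-key-id"}
	fmt.Println("usable before import:", key.Usable())
	if err := key.ImportKeyMaterial(priv, wrapped); err != nil {
		panic(err)
	}
	fmt.Println("usable after import:", key.Usable())
	key.DeleteImportedKeyMaterial()
	fmt.Println("usable after kill switch:", key.Usable())
	if err := key.ImportKeyMaterial(priv, wrapped); err != nil {
		panic(err)
	}
	fmt.Println("usable after restore:", key.Usable())
}
```

The fingerprint check is the caveat a practitioner should keep in mind: a kill switch of this kind is only reversible if the customer still holds the original material in their own KMS/HSM, which is exactly why the key material is owned and generated on the customer side in the BYOK column of the table.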
Fortanix DSM Use Cases for AWS
How does the Solution Work?
- An AWS KMS group is created in the Fortanix DSM account, and this group is configured to interact with the AWS KMS.
- After the AWS KMS group successfully connects to the AWS KMS using the connection details, the keys from the AWS KMS are represented in the Fortanix DSM AWS group as virtual keys. A virtual key is a key whose key material is not present in the AWS group; the key material is stored securely in the AWS KMS.