Amazon Web Services (AWS) Cloud Key Management with Fortanix

Full control over your AWS cloud keys with Fortanix Data Security Manager SaaS.

Download Datasheet

AWS Cloud Key Management Service


Like most other cloud service providers, Amazon Web Services (AWS) offer their own cloud-native key management service to generate and manage master keys. But the native key management comes with its own shortcomings. Some of the drawbacks are as follows:

  • The cloud provider owns the key material, and the key can only be used in one cloud and typically for a single tenant.
  • If a master key is deleted, then there is no way to get that key back. Any data encrypted under that key is lost.
  • No consistent way of setting fine-grained controls over key management policies across multi-cloud. Customers do not get a single pane of glass for multi-geo and multi-cloud key management. The policy framework and auditing will be different for every cloud.

Why Fortanix?

AWS Native Customer Master Key Management

Fortanix Bring Your Own Key solution for AWS

Key generation Key material is owned and generated by AWS KMS. Key material is owned and generated in the customer- owned external KMS/HSM.
Key control Key material belongs to AWS KMS and cannot be exported by the customers. Key material belongs to the customer and can be exported if needed.
Multi-region/tenant support Key material is unique to one region and account. Key material is unique, however, can exist in more than one region and/or AWS accounts concurrently.
Disaster recovery To pull a kill switch, the key will need to be permanently deleted, but then it cannot be restored. To pull a kill switch, only the key material can be deleted, but then it can be restored on-demand.

Fortanix Data Security Manager allows organizations to Bring Your Own Key (BYOK) for AWS cloud. With this approach customers bring or import their own master key, which AWS stores in their key management system and encrypts all Data Encryption Keys (DEKs) under that key. This provides customers with greater control over their data and keys.

byok solution for aws kms

Fortanix DSM Use Cases for AWS

fortanix dsm use cases for aws

How does the Solution Work?

  • An AWS KMS group is created in the Fortanix DSM account, and this group is configured to interact with the AWS KMS.
  • After the AWS group successfully connects to the AWS KMS using the connection details, the keys from the AWS KMS are stored in the Fortanix DSM AWS group as virtual keys. A virtual key is a key whose key material is not present in the AWS group. The key material is stored securely in the AWS KMS

aws kms user guide

AWS Cloud Key Management

Ready to test Fortanix Runtime Encryption?

request a demo
AWS Cloud Key Management