KMS vs CloudHSM

AWS Key Management Service (KMS) is a managed service that simplifies the creation and control of the encryption keys used to secure data. It integrates with many AWS services and provides a centralized control point for your encryption key management.

Customer Master Keys (CMK)

A Customer Master Key (CMK) is the primary resource in AWS KMS. It consists of:

Components

  • Metadata: Includes key ID, creation date, description, and key state

  • Key Material: The actual cryptographic material used for encryption/decryption

Generation Methods

  1. AWS Generated

    • Key material generated by AWS-managed Hardware Security Modules (HSMs)

    • Offers automatic key rotation

    • Provides the highest level of integration with AWS services

  2. Customer Imported

    • Key material generated using customer-owned infrastructure

    • Imported into AWS KMS

    • No automatic key rotation support

  3. CloudHSM Generated

    • Key material generated in an AWS CloudHSM cluster

    • Uses KMS custom key store feature

    • Provides additional control over key material

Hardware Security Module (HSM) Options

AWS KMS HSM

  • Shared tenancy model

  • AWS-managed hardware

  • Automatic key rotation capability

  • Integrated with AWS services

  • Automatic key generation

  • Managed by AWS

AWS CloudHSM

  • Dedicated hardware for single customer

  • Customer-managed HSM

  • Full control over underlying hardware

  • Complete control of users, groups, and keys

  • Manual key management required

  • No automatic key rotation

Key Rotation

AWS KMS Automatic Rotation

  • Available for AWS-generated CMKs

  • Occurs annually

  • Preserves key ID and metadata

  • Maintains access policies

Not Supported for:

  • Imported keys

  • Asymmetric keys

  • CloudHSM-generated keys

  • Customer-managed keys
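The points above ("occurs annually", "preserves key ID and metadata") are easiest to see in a small model. The following is an added example, not AWS code and not the algorithm KMS actually runs (real KMS keys are AES-256 in HSMs); it is a toy key whose one stable key ID fronts a growing list of backing key versions. Rotation appends new material, every new ciphertext is tagged with the version it was made under, and old ciphertext still decrypts because earlier versions are retained. The key ID and cipher construction are constructed for the example.

```python
"""Toy model of KMS-style automatic rotation (illustration only; NOT AWS KMS's cipher)."""
import hashlib
import hmac
import os
import struct


class ToyKmsKey:
    """A KMS-like key: one stable key ID, a list of backing key versions (newest last)."""

    def __init__(self, key_id: str, description: str = "") -> None:
        self.key_id = key_id                                  # stable identifier, like a KMS key ID
        self.metadata = {"description": description, "state": "Enabled"}
        self._versions = [os.urandom(32)]                     # backing key material, version 0

    def rotate(self) -> int:
        """Add a new backing key. Old material stays so old ciphertext still decrypts;
        key ID, metadata and (in real KMS) the key policy are untouched."""
        self._versions.append(os.urandom(32))
        return len(self._versions) - 1

    @property
    def current_version(self) -> int:
        return len(self._versions) - 1

    # Toy cipher: HMAC-SHA256 keystream plus an HMAC tag, with separate enc/mac subkeys.
    @staticmethod
    def _subkeys(material: bytes):
        enc = hmac.new(material, b"enc", hashlib.sha256).digest()
        mac = hmac.new(material, b"mac", hashlib.sha256).digest()
        return enc, mac

    @staticmethod
    def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
        out = bytearray()
        for i in range((length + 31) // 32):
            out += hmac.new(enc_key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
        return bytes(out[:length])

    def encrypt(self, plaintext: bytes) -> bytes:
        version = self.current_version                        # always the newest material
        enc_key, mac_key = self._subkeys(self._versions[version])
        nonce = os.urandom(12)
        header = struct.pack(">I", version) + nonce           # version travels with the ciphertext
        body = bytes(a ^ b for a, b in zip(plaintext, self._keystream(enc_key, nonce, len(plaintext))))
        tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
        return header + body + tag

    def decrypt(self, blob: bytes) -> bytes:
        if len(blob) < 16 + 32:
            raise ValueError("ciphertext too short")
        header, body, tag = blob[:16], blob[16:-32], blob[-32:]
        version = struct.unpack(">I", header[:4])[0]
        if version >= len(self._versions):
            raise ValueError("unknown backing key version")
        enc_key, mac_key = self._subkeys(self._versions[version])   # pick the version the blob names
        expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        nonce = header[4:]
        return bytes(a ^ b for a, b in zip(body, self._keystream(enc_key, nonce, len(body))))


def ciphertext_version(blob: bytes) -> int:
    """Which backing key version a ciphertext was produced under."""
    return struct.unpack(">I", blob[:4])[0]


def is_intact(key: ToyKmsKey, blob: bytes) -> bool:
    """True if the blob authenticates under one of the key's retained versions."""
    try:
        key.decrypt(blob)
    except ValueError:
        return False
    return True


def demo():
    key = ToyKmsKey("1234abcd-12ab-34cd-56ef-1234567890ab", "orders-db")   # constructed key ID
    old = key.encrypt(b"record encrypted before rotation")
    key.rotate()                                              # key_id unchanged, version 1 added
    new = key.encrypt(b"record encrypted after rotation")
    return key, old, new


if __name__ == "__main__":
    k, o, n = demo()
    print(k.key_id, ciphertext_version(o), ciphertext_version(n), k.decrypt(o), k.decrypt(n))
```

The design point is that rotation only changes what new encryptions use; nothing is re-encrypted, so a key that is never retired keeps every backing version forever. That is also why imported material cannot be rotated this way: KMS cannot mint a new version of material it did not generate.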

Access Control

Policy Types

  1. Identity-based Policies (IAM Policies)

    • Attached to IAM identities (users, groups, roles)

    • Define permissions across multiple CMKs

  2. Resource-based Policies (Key Policies)

    • Attached directly to CMKs

    • Control access to specific keys

    • Required for all CMKs

Permission Management Methods

  1. Key Policy Only

    • Single document defining full access scope

    • Simplifies access management

    • Recommended for simple use cases

  2. Key Policy with IAM Policies

    • Combined control mechanism

    • Allows centralized IAM management

    • Suitable for enterprise environments

  3. Key Policy with Grants

    • Enables permission delegation

    • Temporary access management

    • Granular control over specific operations
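As an added example (not AWS's code), the following builds the key-policy documents behind the three methods above and checks the one property that decides whether IAM policies can grant access to a key at all: the key policy must allow the account root (the "Enable IAM User Permissions" statement). It also assembles the parameters for a grant as accepted by kms:CreateGrant. The account ID, ARNs and key ID are constructed placeholders.

```python
"""Key policies for the three permission-management methods, plus a grant request.
Added example, not AWS code; account ID, ARNs and key ID are constructed."""
import json

# Valid values for CreateGrant's Operations parameter (real names; not exhaustive)
GRANT_OPERATIONS = {
    "Decrypt", "Encrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
    "ReEncryptFrom", "ReEncryptTo", "Sign", "Verify", "GetPublicKey",
    "CreateGrant", "RetireGrant", "DescribeKey", "GenerateDataKeyPair",
    "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac",
}


def key_policy_only(admin_arn, user_arns):
    """Method 1: the key policy alone names every principal. No statement delegates
    to the account root, so IAM policies in the account cannot add access."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "KeyAdministrators", "Effect": "Allow",
         "Principal": {"AWS": admin_arn},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                    "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                    "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"],
         "Resource": "*"},                       # in a key policy "*" means this key
        {"Sid": "KeyUsers", "Effect": "Allow",
         "Principal": {"AWS": list(user_arns)},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ]}


def key_policy_with_iam(account_id):
    """Method 2: the default statement the console writes. Allowing the account root
    kms:* is what makes IAM policies able to grant KMS permissions on this key."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
         "Action": "kms:*", "Resource": "*"}]}


def delegates_to_iam(policy, account_id):
    """True when some Allow statement gives the account root every KMS action,
    i.e. IAM policies fully control who can use the key (check only, not IAM's evaluator)."""
    root = f"arn:aws:iam::{account_id}:root"
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principals = st.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if root in principals and any(a in ("*", "kms:*") for a in actions):
            return True
    return False


def invalid_grant_operations(operations):
    """Operations that CreateGrant would reject (grants take bare names, not kms:*)."""
    return sorted(set(operations) - GRANT_OPERATIONS)


def grant_request(key_id, grantee_principal, operations, encryption_context=None):
    """Method 3: parameters for kms:CreateGrant (boto3: client.create_grant(**params)).
    A grant is scoped to the listed operations and, optionally, to requests whose
    encryption context contains the given pairs."""
    bad = invalid_grant_operations(operations)
    if bad:
        raise ValueError(f"not grantable operations: {bad}")
    params = {"KeyId": key_id, "GranteePrincipal": grantee_principal,
              "Operations": list(operations)}
    if encryption_context:
        params["Constraints"] = {"EncryptionContextSubset": dict(encryption_context)}
    return params


def to_json(policy):
    """The document as you would pass it to kms:PutKeyPolicy."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    acct = "111122223333"                                   # constructed account ID
    print(to_json(key_policy_with_iam(acct)))
    print(grant_request("1234abcd-12ab-34cd-56ef-1234567890ab",
                        f"arn:aws:iam::{acct}:role/OrdersApp", ["Decrypt"], {"app": "orders"}))
```

The check matters in review because a key policy that names principals explicitly but omits the root statement is a hard boundary: an IAM policy granting kms:Decrypt on that key does nothing, which is the intended effect of method 1 and a common surprise under method 2 when the default statement has been removed.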

KMS vs Cloud HSM

  KMS                                        Cloud HSM
  Shared tenancy of underlying hardware      Dedicated HSM
  Automatic key rotation                     Full control of the underlying hardware
  Automatic key generation                   Full control of users, groups, keys, etc.
                                             No automatic key rotation
