KMS Archives - AWS Security Architect

Single KMS Key per Environment

anuj varma — Mon, 03 Nov 2025 17:19:31 +0000

AWS KMS Key Design – Single CMK per Environment

This summary analyzes the pros and cons of using one customer-managed KMS key (CMK) per environment (for example, one for dev, one for test, and one for prod).

Pros

Simple to operate: Fewer keys to create, tag, monitor, rotate, and back up (if using multi-Region keys).
Lower overhead: Simplified management of key policies, aliases, and grants; easier onboarding for new services (“use the env key”).
Cost control: Fewer customer-managed keys mean fewer monthly key charges and less API activity from key rotation.
Uniform guardrails: Single enforcement point for environment-wide restrictions, such as disallowing cross-account use in production.

Cons

Blast radius: Disabling or deleting the environment key can impact all dependent resources (EBS, RDS, S3, Secrets Manager, etc.).
Least-privilege friction: Difficult to grant narrow permissions to one app without exposing the key to others.
Grant sprawl & policy complexity: Many principals on a shared key lead to long, hard-to-audit policies and increased risk of misconfiguration.
Throughput & quota coupling: All workloads share key usage limits; one busy app can throttle others.
Lifecycle coupling: One app’s needs (e.g., faster rotation, export restrictions) can’t be implemented independently.
Compliance segmentation: Workloads with different regulatory requirements should not share a single key.
Incident response & forensics: Noisy CloudTrail/KMS logs make it harder to trace who used the key for what.
Migration & decommissioning pain: Shared keys complicate workload movement or retirement.

When a Single Environment Key is Reasonable

Small, low-risk workloads with similar data classifications.
Short-lived development or test environments prioritizing simplicity.
Sandbox environments with limited principals and low traffic.

When to Avoid It (Strongly)

Production environments with multiple independent or sensitive workloads.
Mixed regulated and non-regulated data (PCI, HIPAA, CJIS, etc.).
High-throughput workloads that risk hitting shared KMS request quotas.
Teams requiring separate key administrators or duty separation.

Pragmatic Compromise Patterns

Per-workload or per data-class keys per environment: Limits blast radius and clarifies ownership.
Per-service keys for high-volume services: Assign separate CMKs for S3, EBS, RDS, or Secrets Manager where appropriate.
Multi-Region keys for DR: Use per-workload or per-data-class keys, not one global key for all of prod.
Clear aliasing & tagging: Use aliases like alias/appA-prod and tags for Environment, DataClass, and Owner.
Tight policies: Enforce admin boundaries through key policies; use grants for runtime access and avoid broad permissions.
Rotation strategy: Enable annual rotation where needed, rotating keys independently per workload.

Bottom Line

Using a single CMK per environment offers operational simplicity but increases risk and reduces isolation.
For most production scenarios, prefer per-workload or per data-classification keys per environment,
and introduce multi-Region keys only where disaster recovery requires it.

The post Single KMS Key per Environment appeared first on AWS Security Architect.

Dealing with Lost AWS KMS Keys

anuj varma — Wed, 22 Oct 2025 20:08:01 +0000

Also read ‘One KMS Key per application in AWS?’

and

Cross Account KMS Keys in AWS

Q: How Do You Deal with Lost KMS Keys on AWS?

Critical: If a customer-managed KMS key is permanently deleted (after the waiting period), data encrypted under it is unrecoverable—even by AWS Support.

1) Determine What “Lost” Means

Scenario	Description	Possible Recovery
Key disabled	CMK exists but is marked disabled.	Re-enable in console or via CLI.
Scheduled for deletion	Key pending deletion (7–30 days).	Cancel deletion before the window ends.
Deleted	Key and metadata removed after wait period.	Irrecoverable; data lost.
Policy/Access lost	No one can use or manage the key.	Use root user to restore the key policy.
Imported key material lost	You brought your own key material and lost it.	Irrecoverable without a backup of the material.

2) Common Recoveries

Re-enable a Disabled Key

aws kms enable-key --key-id

Cancel a Pending Deletion

aws kms cancel-key-deletion --key-id

Restore Access via Root (Key Policy Fix)

{
  "Sid": "EnableRootAccess",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam:::root" },
  "Action": "kms:*",
  "Resource": "*"
}

3) Notes on Key Types

AWS-managed keys (e.g., aws/s3, aws/ebs) are rotated/retained by AWS; you cannot control rotation cadence.
Imported key material is your responsibility—maintain secure offline backups if you import keys.

4) Preventive Measures

Enable CloudTrail logging for KMS API calls.
Limit kms:ScheduleKeyDeletion permissions.
Use aliases and enable automatic rotation for CMKs.
Version-control key policies; review regularly.
Back up imported key material (e.g., HSM or secure vault).

Bottom line: If the deletion grace period has elapsed or imported material is gone without backup, the data cannot be recovered.

The post Dealing with Lost AWS KMS Keys appeared first on AWS Security Architect.

One KMS Key per Application

anuj varma — Wed, 22 Oct 2025 20:07:18 +0000

Also read ‘ Cross Account KMS Keys in AWS

and

Lost KMS Keys in AWS

Q: One KMS Key per Application in AWS?

Short answer: Yes—Especially if each app is a high sensitivity app. Using one KMS key per application is a common, recommended pattern for isolation, access control, auditing, and lifecycle management. It has cost and ops trade-offs.

Why Use One KMS Key per Application

Advantages

Isolation of encryption domains: A compromise or rotation event does not affect other apps.
Granular access control: App-scoped key policies and IAM make least-privilege easier.
Simplified auditing: Per-app CloudTrail logs for encrypt/decrypt.
Simplified key lifecycle: Disable or delete per app without cross-blast.
Compliance readiness: Helpful for HIPAA/PCI/FedRAMP data segregation.

Potential Drawbacks

Aspect	Impact
Cost	$1/month per CMK + API usage costs.
Operational Complexity	More keys = more policies, rotation checks, and audits.
Key Limits	Per-account/regional quotas (request increases if needed).

Typical Design Pattern

Application Type	Recommended Key Strategy
Low-sensitivity apps	Shared key per environment (e.g., `shared-dev-key`, `shared-prod-key`).
Medium-sensitivity apps	One CMK per application (e.g., `kms-key-app-A`).
High-sensitivity / regulated	One CMK per application per environment (e.g., `appA-prod-key`, `appA-dev-key`).

Best Practices

Use aliases (e.g., alias/appA-key).
Enable automatic rotation on customer-managed keys.
Scope IAM permissions tightly to app roles; use grants for temporary cross-account access.
Monitor CloudTrail for Encrypt/Decrypt/ScheduleKeyDeletion.

The post One KMS Key per Application appeared first on AWS Security Architect.

AWS-Managed KMS Keys vs Customer-Managed KMS Keys

anuj varma — Wed, 15 Oct 2025 20:00:53 +0000

AWS-Managed KMS Keys vs Customer-Managed KMS Keys

1. AWS-Managed KMS Keys Managed by AWS

These are keys that AWS creates, owns, and manages on your behalf for use with AWS services.

Key Characteristics

Automatic Creation: Created when you enable encryption for an AWS service (e.g., S3, EBS, RDS) without specifying a key.
Service-Scoped: Tied to the specific AWS service (e.g., aws/s3, aws/ebs).
Managed by AWS: Rotation, deletion, and lifecycle are handled by AWS.
Automatic Rotation: Rotated by AWS every 1 year.
Cost: No monthly key cost; you pay for KMS API requests made with the key (e.g., Encrypt, Decrypt).

Use Cases

Quick enablement of encryption with minimal configuration.
Default choice when fine-grained control is not required.
Workloads without special compliance or custom key policy needs.

Limitations

Limited control: You cannot customize key policies, grants, or rotation beyond AWS defaults.
No cross-account sharing: Generally cannot be shared across accounts.
No custom IAM permissions: Access behaviors are predefined by AWS.

2. Customer-Managed KMS Keys (CMKs) Managed by You

Keys that you create, own, and fully manage within your AWS account.

Key Characteristics

Full Control: Define key policies, IAM permissions, grants, aliases, and rotation.
Cross-Account Use: Share with other AWS accounts via key or resource policies.
Custom Rotation: Enable annual automatic rotation or rotate manually as needed.
Tagging & Auditing: Use tags for cost tracking; get detailed CloudTrail logs.
Lifecycle: Disable or schedule deletion when no longer needed.

Use Cases

Regulatory/compliance scenarios requiring customer control (HIPAA, PCI DSS, FedRAMP).
Cross-account or multi-service integrations needing granular permissions.
BYOK and External Key Store integrations with on-prem or external HSMs.

Limitations

Management overhead: You own policy design, lifecycle, rotation, and deletion.
Cost: Monthly key fee plus KMS API request costs.
Misconfiguration risk: Overly restrictive or permissive policies can break access or increase exposure.

Quick Comparison Table

Feature	AWS-Managed Key	Customer-Managed Key
Created by	AWS (automatically)	You
Control over policies	No	Yes
Automatic rotation	Yes (yearly, AWS-controlled)	Yes (yearly, you can enable/disable)
Cross-account use	No	Yes
Cost	No monthly key cost; pay per API call	Monthly key cost + API usage
Deletion	AWS controlled	You can disable or delete
Logging / CloudTrail	Limited	Full support
Compliance flexibility	Low	High

Summary

Use AWS-managed keys when you want ease of use and minimal overhead and don’t need special compliance controls.

Use customer-managed keys when you need fine-grained access control, cross-account usage, compliance alignment, or BYOK/external key scenarios.

A practical pattern: start with AWS-managed keys for simplicity, and migrate to customer-managed keys for production or compliance-sensitive workloads once governance is in place.

Want examples of IAM and key policies that highlight the differences? I can add copy-pasteable snippets.

The post AWS-Managed KMS Keys vs Customer-Managed KMS Keys appeared first on AWS Security Architect.

KMS Keys – Cross Account Keys in AWS

anuj varma — Mon, 13 Oct 2025 20:13:37 +0000

Also read ‘One KMS key per application?’ and Lost KMS Keys in AWS?

Cross-Account KMS Keys: Pros and Cons

When working with AWS Key Management Service (KMS), it’s common to keep encryption keys in a single, centralized account while allowing other AWS accounts to use those keys. This is called
cross-account KMS key usage, and it requires two layers of permissions:

A key policy in the key-owner’s account that allows the external account to use the key.
IAM policies in the external account that delegate permissions to specific principals to call KMS APIs (e.g., kms:Encrypt, kms:Decrypt).

AWS evaluates both the key policy and the IAM policy. Both must grant the necessary permissions for cross-account use to succeed.

Why Use Cross-Account Keys?

Organizations often want to centralize key management in a single security account, while allowing multiple application or workload accounts to encrypt/decrypt data using those centralized keys. This pattern can simplify auditing and compliance, and make key rotation or lifecycle management easier.

Pros of Cross-Account KMS Keys

Centralized governance and control
By managing keys in one account, security teams can enforce uniform key policies, rotation schedules, and compliance checks. This helps meet regulatory and organizational requirements.
Simplified auditing
Key usage logs, CloudTrail events, and key policies reside in one place, making it easier to track which accounts are using which keys, and when.
Separation of duties
Application teams in different accounts can use keys without having full administrative control over them, supporting security best practices.
Cost and management efficiency
Instead of creating and rotating keys in every account, you can reuse a single key across multiple accounts, reducing operational overhead.

Cons and Considerations

More complex permissions model
Cross-account KMS requires configuring both key

The post KMS Keys – Cross Account Keys in AWS appeared first on AWS Security Architect.

Centralized KMS Key Management on AWS

anuj varma — Sun, 03 Aug 2025 18:05:34 +0000

AWS KMS CMK Centralization – Can Keys Be Stored Centrally?

Short answer: No, AWS KMS keys (CMKs) cannot be physically stored in a single central account for all workloads to use directly. However, they can be managed and controlled centrally through cross-account access, AWS Organizations integration, and centralized governance patterns.

1. Centralized KMS Key Management Model (Recommended)

You can create and manage all CMKs in a central “Security” or “Key Management” account, while other workload accounts use those keys via cross-account permissions and KMS grants. See this post for details.

How It Works

The central KMS account owns and administers all CMKs.
Workload accounts (Dev, Test, Prod, etc.) are granted access through key policies or grants.
Encryption and decryption operations occur cross-account, but key material never leaves AWS KMS.

arn:aws:kms:us-east-1:111122223333:key/abcd-efgh-1234-5678

Benefits

Centralized governance and unified key rotation policies.
Unified audit trail through AWS CloudTrail in the security account.
Clear separation of duties – security manages, workloads consume.
Reduced risk of key sprawl or inconsistent key usage.

Limitations

Cross-account policies and grants require careful setup.
Some AWS services do not yet support cross-account CMK usage.
KMS API limits still apply per account/region.
Keys are region-bound – must exist in same region as data.

2. AWS Organizations Integration

With AWS Organizations, you can integrate KMS with CloudTrail and Config for organization-wide compliance.

KMS does not automatically replicate or share keys across accounts.
Use explicit cross-account key policies to enable access from member accounts.
Combine with CloudTrail org trails and Config aggregators for unified monitoring.

3. Multi-Region and Multi-Account Design

For workloads spanning multiple regions, use Multi-Region CMKs to replicate key material securely between chosen regions, then apply cross-account access where required.

SecurityAccountA (us-east-1): key-123
  ↳ Multi-Region replica in us-west-2
  ↳ Access granted to AppAccountProd and AppAccountTest

4. When Centralized Keys Don’t Work Well

High-volume encryption workloads (S3, RDS, or EBS at scale) risk throttling on shared keys.
Strict data residency or regional isolation requirements.
Different compliance zones (PCI, HIPAA, GovCloud) needing independent control.

5. Practical Hybrid Pattern

Layer	Pattern	Example
Security/Root Account	Owns master KMS keys and policies	`alias/master-key-org`
Workload Accounts	Use grants for encryption operations	EC2/EBS/S3 workloads
Per-Service Keys	Specific CMKs for heavy services	`alias/s3-prod-key`, `alias/ebs-prod-key`
Automation	Deploy via CloudFormation StackSets or Terraform	KMS key creation and grants per OU

6. Summary Table

Aspect	Supported?	Notes
Central storage of KMS keys		Keys are region-bound and remain within each AWS account
Centralized management of keys		Use cross-account key policies and grants
Centralized governance and audit		Use CloudTrail, AWS Config, and AWS Organizations
Centralized rotation and admin		Managed through a delegated security account
Multi-Region replication		Supported via Multi-Region CMKs (not automatically shared)

Bottom Line

You cannot export or physically store CMKs centrally in one account, but you can manage and govern them centrally through cross-account access and security account delegation.
This approach provides centralized control while maintaining cryptographic isolation—the actual key material never leaves AWS KMS.

The post Centralized KMS Key Management on AWS appeared first on AWS Security Architect.

AWS KMS CMK Centralization

anuj varma — Thu, 03 Apr 2025 18:06:28 +0000

AWS KMS CMK Centralization – Can Keys Be Stored Centrally?

1. Centralized KMS Key Management Model (Recommended)

You can create and manage all CMKs in a central “Security” or “Key Management” account, while other workload accounts use those keys via cross-account permissions and KMS grants.

How It Works

The central KMS account owns and administers all CMKs.
Workload accounts (Dev, Test, Prod, etc.) are granted access through key policies or grants.
Encryption and decryption operations occur cross-account, but key material never leaves AWS KMS.

arn:aws:kms:us-east-1:111122223333:key/abcd-efgh-1234-5678

Benefits

Centralized governance and unified key rotation policies.
Unified audit trail through AWS CloudTrail in the security account.
Clear separation of duties – security manages, workloads consume.
Reduced risk of key sprawl or inconsistent key usage.

Limitations

Cross-account policies and grants require careful setup.
Some AWS services do not yet support cross-account CMK usage.
KMS API limits still apply per account/region.
Keys are region-bound – must exist in same region as data.

2. AWS Organizations Integration

With AWS Organizations, you can integrate KMS with CloudTrail and Config for organization-wide compliance.

KMS does not automatically replicate or share keys across accounts.
Use explicit cross-account key policies to enable access from member accounts.
Combine with CloudTrail org trails and Config aggregators for unified monitoring.

3. Two Common Architectural Approaches

Organizations typically choose between two main design patterns when implementing centralized key management:

Approach 1: Centralized Account Containing All KMS Keys

A single “Security” or “Key Management” account owns and maintains all CMKs.
All workload accounts (Dev, Test, Prod) access these keys through cross-account policies and grants.
The security team retains full administrative control of key rotation, deletion, and access policies.
Ideal for organizations with strict compliance or separation of duties requirements.

Pros

Strong governance and control from a single account.
Centralized auditing and monitoring.
Fewer keys to manage, simplifying compliance reporting.

Cons

Cross-account setup can be complex and prone to permission errors.
Higher latency and throttling risks for large-scale encryption workloads.
All workloads depend on the availability of the central KMS account.

Approach 2: Each Account Has Its Own Key, Centrally Managed via IAM and Cross-Account Roles

Each workload account owns its own CMKs, but the central security team manages them through IAM roles and automation.
Central administrators assume roles in member accounts to rotate keys, audit policies, or enforce tagging standards.
Allows local autonomy (each account retains ownership) while maintaining organization-wide governance.

Pros

Improved isolation—compromise in one account does not affect others.
Better performance for high-volume encryption workloads (local key usage).
Supports regional and compliance boundaries more easily.
Still allows centralized visibility and control via IAM and automation tools (e.g., AWS Config, CloudFormation StackSets, Terraform).

Cons

More keys to manage across accounts.
Centralized management scripts or roles must be carefully secured.
Requires automation for consistent tagging, rotation, and policy enforcement.

Choosing Between Them

In practice, large organizations often adopt a hybrid model — production and sensitive environments use centralized CMKs for tight control, while development and lower-risk workloads maintain local CMKs managed through IAM-based central governance.

4. Multi-Region and Multi-Account Design

For workloads spanning multiple regions, use Multi-Region CMKs to replicate key material securely between chosen regions, then apply cross-account access where required.

SecurityAccountA (us-east-1): key-123
  ↳ Multi-Region replica in us-west-2
  ↳ Access granted to AppAccountProd and AppAccountTest

5. When Centralized Keys Don’t Work Well

High-volume encryption workloads (S3, RDS, or EBS at scale) risk throttling on shared keys.
Strict data residency or regional isolation requirements.
Different compliance zones (PCI, HIPAA, GovCloud) needing independent control.

6. Practical Hybrid Pattern

Layer	Pattern	Example
Security/Root Account	Owns master KMS keys and policies	`alias/master-key-org`
Workload Accounts	Use grants for encryption operations	EC2/EBS/S3 workloads
Per-Service Keys	Specific CMKs for heavy services	`alias/s3-prod-key`, `alias/ebs-prod-key`
Automation	Deploy via CloudFormation StackSets or Terraform	KMS key creation and grants per OU

7. Summary Table

Aspect	Supported?	Notes
Central storage of KMS keys		Keys are region-bound and remain within each AWS account
Centralized management of keys		Use cross-account key policies and grants
Centralized governance and audit		Use CloudTrail, AWS Config, and AWS Organizations
Centralized rotation and admin

The post AWS KMS CMK Centralization appeared first on AWS Security Architect.