Centralized KMS Key Management on AWS
AWS KMS CMK Centralization – Can Keys Be Stored Centrally?
Short answer: No, AWS KMS keys (CMKs) cannot be physically stored in a single central account for all workloads to use directly. However, they can be managed and controlled centrally through cross-account access, AWS Organizations integration, and centralized governance patterns.
1. Centralized KMS Key Management Model (Recommended)
You can create and manage all CMKs in a central “Security” or “Key Management” account, while other workload accounts use those keys via cross-account permissions and KMS grants. See this post for details.
How It Works
- The central KMS account owns and administers all CMKs.
- Workload accounts (Dev, Test, Prod, etc.) are granted access through key policies or grants.
- Encryption and decryption operations occur cross-account, but key material never leaves AWS KMS.
arn:aws:kms:us-east-1:111122223333:key/abcd-efgh-1234-5678
Benefits
- Centralized governance and unified key rotation policies.
- Unified audit trail through AWS CloudTrail in the security account.
- Clear separation of duties – security manages, workloads consume.
- Reduced risk of key sprawl or inconsistent key usage.
Limitations
- Cross-account policies and grants require careful setup.
- Some AWS services do not yet support cross-account CMK usage.
- KMS API limits still apply per account/region.
- Keys are region-bound – must exist in same region as data.
2. AWS Organizations Integration
With AWS Organizations, you can integrate KMS with CloudTrail and Config for organization-wide compliance.
- KMS does not automatically replicate or share keys across accounts.
- Use explicit cross-account key policies to enable access from member accounts.
- Combine with CloudTrail org trails and Config aggregators for unified monitoring.
3. Multi-Region and Multi-Account Design
For workloads spanning multiple regions, use Multi-Region CMKs to replicate key material securely between chosen regions, then apply cross-account access where required.
SecurityAccountA (us-east-1): key-123 ↳ Multi-Region replica in us-west-2 ↳ Access granted to AppAccountProd and AppAccountTest
4. When Centralized Keys Don’t Work Well
- High-volume encryption workloads (S3, RDS, or EBS at scale) risk throttling on shared keys.
- Strict data residency or regional isolation requirements.
- Different compliance zones (PCI, HIPAA, GovCloud) needing independent control.
5. Practical Hybrid Pattern
| Layer | Pattern | Example |
|---|---|---|
| Security/Root Account | Owns master KMS keys and policies | alias/master-key-org |
| Workload Accounts | Use grants for encryption operations | EC2/EBS/S3 workloads |
| Per-Service Keys | Specific CMKs for heavy services | alias/s3-prod-key, alias/ebs-prod-key |
| Automation | Deploy via CloudFormation StackSets or Terraform | KMS key creation and grants per OU |
6. Summary Table
| Aspect | Supported? | Notes |
|---|---|---|
| Central storage of KMS keys | ❌ | Keys are region-bound and remain within each AWS account |
| Centralized management of keys | ✅ | Use cross-account key policies and grants |
| Centralized governance and audit | ✅ | Use CloudTrail, AWS Config, and AWS Organizations |
| Centralized rotation and admin | ✅ | Managed through a delegated security account |
| Multi-Region replication | ✅ | Supported via Multi-Region CMKs (not automatically shared) |
Bottom Line
You cannot export or physically store CMKs centrally in one account, but you can manage and govern them centrally through cross-account access and security account delegation.
This approach provides centralized control while maintaining cryptographic isolation—the actual key material never leaves AWS KMS.
Leave a Reply