AWS KMS and Custom Key Store

This workshop has been deprecated and archived. The new Amazon EKS Workshop is now available at www.eksworkshop.com.

Considerations for your AWS KMS CMK

Before we get to the lab exercise, we want to take some time to discuss the options for generating your AWS KMS CMK. AWS KMS gives you two alternatives for storing your CMK, and your security requirements may dictate which one is suitable for your workloads on Amazon EKS.

There is an AWS Online Tech Talk on Encrypting Secrets in Amazon EKS that dives deep into this topic.

Custom Key Store (CMK stored within AWS CloudHSM)

For most users, the default AWS KMS key store, which is protected by FIPS 140-2 validated cryptographic modules, fulfills their security requirements.

However, you might consider creating a custom key store if your organization has any of the following requirements:

  • The key material cannot be stored in a shared environment.
  • The key material must be subject to a secondary, independent audit path.
  • The hardware security module (HSM) that generates and stores key material must be certified at FIPS 140-2 Level 3.

If any of these requirements apply to you, consider using AWS CloudHSM with AWS KMS to create a custom key store.
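The requirement list above is a policy decision; the thing a practitioner then has to verify is whether the KMS key actually wired into an EKS cluster's secrets encryption lives in a CloudHSM-backed custom key store. The following is an added example, not part of the original workshop and not AWS code. It works on the JSON shapes returned by `aws eks describe-cluster` (the `encryptionConfig` list) and `aws kms describe-key` (the `KeyMetadata` object, whose `Origin` is `AWS_CLOUDHSM` and whose `CustomKeyStoreId` is set for custom key store keys). All cluster names, key IDs, account IDs and cluster IDs below are constructed placeholders so the check runs offline; the `lookup_key` function stands in for a real `describe-key` call.

```python
"""Audit: is an EKS cluster's secrets-encryption key in a CloudHSM-backed custom key store?

Added example, not from the workshop. Input shapes mirror the AWS API responses
for `eks describe-cluster` and `kms describe-key`; all IDs are placeholders.
"""
from __future__ import annotations

from typing import Any, Callable, Optional

# --- Constructed sample responses (placeholder identifiers, not real resources) ---
DEFAULT_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-default-key-placeholder"
CLOUDHSM_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-cloudhsm-key-placeholder"

KEY_RESPONSES: dict[str, dict[str, Any]] = {
    DEFAULT_KEY_ARN: {"KeyMetadata": {
        "Arn": DEFAULT_KEY_ARN, "KeyState": "Enabled", "KeyManager": "CUSTOMER",
        "Origin": "AWS_KMS",                      # default KMS key store
    }},
    CLOUDHSM_KEY_ARN: {"KeyMetadata": {
        "Arn": CLOUDHSM_KEY_ARN, "KeyState": "Enabled", "KeyManager": "CUSTOMER",
        "Origin": "AWS_CLOUDHSM",                 # key material generated in CloudHSM
        "CustomKeyStoreId": "cks-placeholder0001",
        "CloudHsmClusterId": "cluster-placeholder01",
    }},
}

def cluster_with_key(name: str, key_arn: Optional[str]) -> dict[str, Any]:
    """Build a describe-cluster style document; key_arn=None means no secrets encryption."""
    cfg = [] if key_arn is None else [
        {"resources": ["secrets"], "provider": {"keyArn": key_arn}}
    ]
    return {"cluster": {"name": name, "encryptionConfig": cfg}}

EKS_CLUSTER_DEFAULT = cluster_with_key("workshop-default-store", DEFAULT_KEY_ARN)
EKS_CLUSTER_CLOUDHSM = cluster_with_key("workshop-custom-store", CLOUDHSM_KEY_ARN)
EKS_CLUSTER_NO_ENCRYPTION = cluster_with_key("workshop-plaintext-secrets", None)

def lookup_key(arn: str) -> dict[str, Any]:
    """Stand-in for `aws kms describe-key --key-id <arn>` (constructed data)."""
    return KEY_RESPONSES[arn]

# --- The check itself ---
def secrets_key_arn(cluster_desc: dict[str, Any]) -> Optional[str]:
    """Return the KMS key ARN used for Kubernetes secrets, or None if not configured."""
    for cfg in cluster_desc.get("cluster", {}).get("encryptionConfig", []):
        if "secrets" in cfg.get("resources", []):
            return cfg.get("provider", {}).get("keyArn")
    return None

def key_store_type(key_metadata: dict[str, Any]) -> str:
    """Classify where the key material lives, based on KeyMetadata.Origin."""
    origin = key_metadata.get("Origin")
    if origin == "AWS_CLOUDHSM" and key_metadata.get("CustomKeyStoreId"):
        return "cloudhsm-custom-key-store"
    if origin == "EXTERNAL_KEY_STORE":
        return "external-key-store"
    if origin == "EXTERNAL":
        return "default-key-store-imported-material"
    return "default-key-store"

def audit_cluster(cluster_desc: dict[str, Any],
                  describe_key: Callable[[str], dict[str, Any]],
                  require_cloudhsm: bool = True) -> list[str]:
    """Return a list of findings; an empty list means the cluster meets the policy."""
    findings: list[str] = []
    arn = secrets_key_arn(cluster_desc)
    if arn is None:
        return ["secrets encryption is not configured on this cluster"]
    meta = describe_key(arn).get("KeyMetadata", {})
    if meta.get("KeyState") != "Enabled":
        findings.append(f"key {arn} is in state {meta.get('KeyState')!r}, not Enabled")
    store = key_store_type(meta)
    if require_cloudhsm and store != "cloudhsm-custom-key-store":
        findings.append(f"key {arn} is in the {store}; policy requires a CloudHSM-backed custom key store")
    return findings

if __name__ == "__main__":
    for cluster in (EKS_CLUSTER_DEFAULT, EKS_CLUSTER_CLOUDHSM, EKS_CLUSTER_NO_ENCRYPTION):
        name = cluster["cluster"]["name"]
        print(name, audit_cluster(cluster, lookup_key) or ["OK"])
```

Against a live account, replace `lookup_key` with a boto3 `kms.describe_key(KeyId=arn)` call and feed `eks.describe_cluster(name=...)` output into `audit_cluster`; the classification logic is unchanged. Passing `require_cloudhsm=False` turns the check into a plain "secrets encryption is on and the key is enabled" test for teams whose requirements are met by the default key store.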

Challenge

What level of FIPS 140-2 cryptographic validation does the AWS KMS HSM hold?


Keep in mind that the KMS Custom Key Store functionality makes use of a minimum of two AWS CloudHSM instances.

Cost

Aside from compliance and security requirements, you may want to consider the cost of using a custom key store. Below is a cost comparison between the default AWS KMS key store and an AWS KMS custom key store for the N. Virginia AWS region (us-east-1). You can find the latest pricing information on the AWS KMS pricing page.

KMS Default (Monthly Cost)

  • 1 CMK = $1.00
  • 100 requests = $0.00 (free tier of 20,000 requests/month)
  • Total Cost = $1.00

KMS Custom Key Store (Monthly Cost)

  • 1 CMK = $1.00
  • 100 requests = $0.00 (free tier of 20,000 requests/month)
  • 2 CloudHSM Instances = $2,380.80
  • Total Cost = $2,381.80

Now that we have discussed AWS KMS support for custom key stores, let’s move on to the exercise.