AWS KMS: AWS-Generated vs. Imported Key Material
Describe the differences between imported key material and AWS generated key material.
This curriculum overview explores the critical technical and operational distinctions between key material generated inside AWS Key Management Service (KMS) and key material supplied by the customer (Bring Your Own Key, or BYOK). In KMS terms the two are distinguished by the key's Origin: AWS_KMS for KMS-generated material and EXTERNAL for imported material. Understanding these differences is essential for the AWS Certified Security – Specialty (SCS-C03) exam and for designing compliant data protection architectures.
Prerequisites
Before engaging with this module, students should possess the following foundational knowledge:
- AWS KMS Fundamentals: Understanding of KMS keys (formerly called Customer Master Keys, or CMKs; both terms appear below), symmetric vs. asymmetric encryption, and the role of the key administrator.
- IAM Policies: Ability to define key policies and grants to control access to cryptographic operations.
- Cryptographic Basics: Familiarity with concepts such as entropy, binary key formats, and public/private key pairs used for wrapping keys.
- S3 Encryption: Basic knowledge of Server-Side Encryption (SSE-KMS) and Data Encryption Keys (DEKs).
Module Breakdown
| Module | Topic | Difficulty | Key Focus |
|---|---|---|---|
| 1 | AWS-Generated Key Material | Beginner | Default behavior, durability, and automatic rotation. |
| 2 | Imported Key Material (BYOK) | Intermediate | The import token process, manual rotation, and expiration. |
| 3 | Architectural Comparison | Advanced | Comparative analysis of availability, compliance, and risk. |
| 4 | Lifecycle Management | Intermediate | Re-importing keys, deletion vs. expiration, and auditing. |
Learning Objectives per Module
Module 1: AWS-Generated Key Material
- Explain why AWS-generated material is the recommended default for most workloads.
- Describe how KMS provides high availability and durability for its own key material by keeping multiple encrypted copies in systems designed for 99.999999999% durability, replicated across Availability Zones in the Region.
- Identify the limitations of visibility (the plaintext key material never leaves the KMS HSMs; customers cannot view or export it).
Module 2: Imported Key Material (BYOK)
- Detail the step-by-step import process: create a KMS key with Origin EXTERNAL (it starts in the PendingImport state), call GetParametersForImport to obtain a wrapping public key and an import token (the pair is valid for 24 hours and must be used together), wrap the key material under the public key with the chosen wrapping algorithm (for example RSAES_OAEP_SHA_256), and call ImportKeyMaterial with the wrapped material, the token, and an optional expiration date.
- Understand that the CLI returns the wrapping public key and import token base64-encoded, and that both, like the plaintext key material itself, must be decoded to raw binary before the material is wrapped and uploaded.
- Define the security implications of owning key durability: KMS keeps no recoverable copy of imported material, so the customer must retain it securely outside the AWS ecosystem.
Module 3: Architectural Comparison
- Compare automatic rotation (available only for symmetric KMS keys whose material KMS generated; yearly by default) with manual rotation for imported material: create a new KMS key with fresh material, repoint the alias, and keep the old key enabled so existing ciphertext can still be decrypted.
- Analyze the impact of key material expiration: when imported material expires, KMS deletes it, the key returns to the PendingImport state, and every cryptographic operation on it fails until the same material is re-imported.
Success Metrics
To demonstrate mastery of this topic, the learner must be able to:
- Differentiate Rotation Methods: Correctly identify that KMS keys with imported key material are not eligible for automatic rotation (the yearly-by-default schedule KMS applies to its own material) and must be rotated manually by creating a new key.
- Explain the Import Workflow: Describe how the RSA wrapping public key returned by GetParametersForImport protects the material in transit: the customer encrypts the material with the public key, and only the KMS HSMs holding the matching private key can unwrap it.
- Manage Availability Risks: Explain that if imported material is deleted or expires, the KMS key (CMK) returns to the PendingImport state and cannot be used until the exact same key material is re-imported; only the original material is accepted.
- Select Based on Compliance: Choose the key origin that fits the regulatory requirement: AWS_KMS (KMS-generated), EXTERNAL (imported material), or a custom key store (AWS_CLOUDHSM or EXTERNAL_KEY_STORE), where the key material lives in a customer-controlled CloudHSM cluster or external key manager. Custom key stores are a separate option from imported material, not a form of it.
Real-World Application
The Importance of BYOK
In many regulated industries (Finance, Healthcare, Government), organizations must prove that they possess sole control over the entropy used to generate their keys. By using Imported Key Material, organizations can:
- Meet Regulatory Compliance: Adhere to strict "sovereignty" rules where keys must be generated on-premises using a Physical HSM.
- Hybrid Cloud Consistency: Keep the same root key material in an on-premises HSM and in KMS (or in several cloud providers) so that a key escrow exists outside any one provider. Note that ciphertext produced by the KMS APIs is in a KMS-specific format and can only be decrypted by KMS, so the benefit is shared custody of the key, not portable ciphertext.
- Granular Expiry: Set an expiration date on imported material so that the KMS key stops working at a known time (a project end, for example). KMS deletes the material on expiry, but the key can be revived by re-importing the same material, so this "kill switch" is a time lock rather than destruction of the key.
[!WARNING] Using imported key material shifts the responsibility for durability to the customer. If you lose your local copy of the key material and it is deleted from KMS, any data encrypted with that key is permanently lost.
Key Material Import Process
\begin{tikzpicture}[node distance=2cm, auto]
  \node [draw, rectangle, rounded corners] (client) {Client (On-Prem)};
  \node [draw, rectangle, right=of client, xshift=2cm] (kms) {AWS KMS};
  \draw [->, thick] (kms) -- node[above] {1. Public Key + Token} (client);
  \draw [->, thick] (client) -- node[below] {2. Encrypted Material} (kms);
  \node [draw, dashed, below=of client, yshift=1cm, text width=3cm] (gen) {Key Material Generated Locally};
  \node [draw, dashed, below=of kms, yshift=1cm, text width=3cm] (store) {Material Stored in CMK};
\end{tikzpicture}
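The import workflow from the Module 2 objectives and the diagram above, as an added shell example that is not part of the original page and not AWS's own tooling. It assumes AWS CLI v2 and OpenSSL are installed, that a symmetric KMS key has already been created with `aws kms create-key --origin EXTERNAL`, and that its ID is in the `KMS_KEY_ID` environment variable; `VALID_TO`, the file names, and the `offline_roundtrip` self-check are the example's own choices. When `KMS_KEY_ID` is unset it makes no AWS calls and instead proves the OAEP wrapping step with a locally generated RSA key standing in for the KMS wrapping key.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): wrap locally generated key
# material for AWS KMS import, then verify the wrapping offline.
# Assumptions: aws CLI v2 and openssl installed; KMS_KEY_ID names a key
# that was created with `aws kms create-key --origin EXTERNAL`.
set -eu

# Online step: fetch one wrapping public key / import token pair. Both come
# from a single API call because a token is only valid with the public key
# returned alongside it (the pair expires after 24 hours).
fetch_import_parameters() {
  key_id="$1"; out="$2"
  params=$(aws kms get-parameters-for-import \
      --key-id "$key_id" \
      --wrapping-algorithm RSAES_OAEP_SHA_256 \
      --wrapping-key-spec RSA_2048 \
      --query '[PublicKey,ImportToken]' --output text)
  # The CLI prints both fields base64-encoded; openssl and KMS need binary.
  printf '%s\n' "$params" | cut -f1 | base64 -d > "$out/WrappingPublicKey.bin"
  printf '%s\n' "$params" | cut -f2 | base64 -d > "$out/ImportToken.bin"
}

# Offline step: generate 256 bits of key material and wrap it with the
# RSA-2048 public key using OAEP/SHA-256 (matches RSAES_OAEP_SHA_256).
generate_and_wrap() {
  out="$1"
  openssl rand -out "$out/PlaintextKeyMaterial.bin" 32
  openssl pkeyutl -encrypt \
      -in "$out/PlaintextKeyMaterial.bin" \
      -out "$out/EncryptedKeyMaterial.bin" \
      -inkey "$out/WrappingPublicKey.bin" -keyform DER -pubin \
      -pkeyopt rsa_padding_mode:oaep \
      -pkeyopt rsa_oaep_md:sha256 \
      -pkeyopt rsa_mgf1_md:sha256
}

# Online step: upload the wrapped material with an expiration date so the
# key stops working at a known time (ISO 8601, e.g. 2030-12-31T23:59:59Z),
# then show the resulting key state and origin.
import_material() {
  key_id="$1"; out="$2"; valid_to="$3"
  aws kms import-key-material \
      --key-id "$key_id" \
      --encrypted-key-material "fileb://$out/EncryptedKeyMaterial.bin" \
      --import-token "fileb://$out/ImportToken.bin" \
      --expiration-model KEY_MATERIAL_EXPIRES \
      --valid-to "$valid_to"
  aws kms describe-key --key-id "$key_id" \
      --query 'KeyMetadata.[KeyState,Origin,ExpirationModel,ValidTo]' \
      --output text
}

# Offline self-check: a locally generated RSA key stands in for KMS. Wrap,
# unwrap with the private key, and confirm the material round-trips.
offline_roundtrip() {
  out=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$out/kms_stand_in.pem" 2>/dev/null
  openssl pkey -in "$out/kms_stand_in.pem" -pubout -outform DER \
      -out "$out/WrappingPublicKey.bin"
  generate_and_wrap "$out"
  openssl pkeyutl -decrypt \
      -in "$out/EncryptedKeyMaterial.bin" -out "$out/Recovered.bin" \
      -inkey "$out/kms_stand_in.pem" \
      -pkeyopt rsa_padding_mode:oaep \
      -pkeyopt rsa_oaep_md:sha256 \
      -pkeyopt rsa_mgf1_md:sha256
  orig=$(od -An -tx1 "$out/PlaintextKeyMaterial.bin" | tr -d ' \n')
  back=$(od -An -tx1 "$out/Recovered.bin" | tr -d ' \n')
  [ "$(wc -c < "$out/PlaintextKeyMaterial.bin")" -eq 32 ] || return 1
  [ "$(wc -c < "$out/EncryptedKeyMaterial.bin")" -eq 256 ] || return 1
  [ -n "$orig" ] && [ "$orig" = "$back" ] || return 1
  rm -rf "$out"
  echo "offline wrap/unwrap round-trip OK"
}

if [ -n "${KMS_KEY_ID:-}" ]; then
  work=$(mktemp -d)
  fetch_import_parameters "$KMS_KEY_ID" "$work"
  generate_and_wrap "$work"
  import_material "$KMS_KEY_ID" "$work" "${VALID_TO:-2030-12-31T23:59:59Z}"
  echo "keep $work/PlaintextKeyMaterial.bin in escrow: KMS holds no durable copy"
else
  offline_roundtrip
fi
```

Two details matter in practice: the public key and import token are taken from one `get-parameters-for-import` response, because mixing a token from one call with the key from another makes `import-key-material` fail, and the plaintext material written by `generate_and_wrap` is the only durable copy, so it belongs in an HSM or offline escrow before the key is used for anything you cannot afford to lose.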
Comparison Table
| Feature | AWS-Generated Material | Imported Key Material |
|---|---|---|
| Origin (Origin field) | AWS_KMS: generated inside KMS HSMs | EXTERNAL: customer source (on-premises HSM or other) |
| Availability | Managed by AWS (redundant encrypted copies across Availability Zones) | Customer keeps the only durable copy; restored by re-importing the same material |
| Rotation | Optional automatic rotation (yearly by default) | Manual only: create a new key and repoint the alias |
| Expiration | None (material persists until the key is deleted) | Optional expiration date (ValidTo); expired material is deleted and the key becomes PendingImport |
| Visibility | Plaintext never leaves the KMS HSMs | Plaintext is held by the customer before import |
| Best Use Case | Standard cloud-native applications | Regulatory compliance, key escrow, hybrid cloud |