Certified Security - Specialty


Customer created CMK, reference document “AWS KMS best Practices” page 9

The document states that there are two options when creating your own Customer Managed Key:

"For customer-managed CMKs, you have two options for creating the underlying key material. When you choose to create a CMK using AWS KMS, you can let KMS create the cryptographic material for you, or you can choose to import your own key material. Both of these options provide you with the same level of control and auditing for the use of the CMK within your environment."

Does this mean that when choosing to create your own key you can either import key material or let AWS generate it, and that this is still a Customer Managed Key as opposed to an AWS-created key?

1 Answer

Hi Alan,

Both keys, the imported one and the AWS-created one, will be referred to as AWS KMS Customer Master Keys. The only difference is who generates the key material in the first place, and hence who is in control of the original key material.

After you have created the key material, encrypted it using the wrapping key and uploaded it to AWS using the import token, your self-generated key can be used like any AWS-created KMS Customer Master Key. One difference between an AWS KMS CMK and an imported KMS CMK is key rotation: because AWS isn't in control of the key material, you must manually rotate the imported CMK.
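The ownership and rotation distinction described in the answer, as an added example that is not part of the thread and not AWS's own tooling: a small audit helper that classifies keys from `DescribeKey` output (AWS-managed vs. customer-managed, KMS-generated vs. imported material, whether manual rotation is needed, whether imported material is about to expire), plus a helper that performs the wrap-and-import step. The sample key records, key ids and the `SAMPLE_NOW` timestamp are constructed; the `KeyMetadata` field names and the `get_parameters_for_import` / `import_key_material` parameters are the real KMS API ones. The import helper assumes `boto3`, the `cryptography` package and AWS credentials are available, so it is only defined here, not run.

```python
"""Audit helper for AWS KMS customer managed keys (CMKs).

Added illustration, not from the original thread. classify_key/audit_keys are
pure Python and run offline on the constructed sample below; the import helper
at the bottom needs boto3, cryptography and real AWS credentials.
"""
from datetime import datetime, timezone

# Constructed sample of kms.describe_key()["KeyMetadata"] for three key kinds.
# Field names match the real API; the key ids are placeholders.
SAMPLE_KEYS = [
    {   # AWS managed key (e.g. aws/s3): KMS owns and rotates the material
        "KeyId": "placeholder-aws-managed", "KeyManager": "AWS",
        "Origin": "AWS_KMS", "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE",
    },
    {   # Customer managed, material generated by KMS: rotation can be automatic
        "KeyId": "placeholder-kms-generated", "KeyManager": "CUSTOMER",
        "Origin": "AWS_KMS", "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE",
    },
    {   # Customer managed, imported material (Origin EXTERNAL), expiring
        "KeyId": "placeholder-imported", "KeyManager": "CUSTOMER",
        "Origin": "EXTERNAL", "ExpirationModel": "KEY_MATERIAL_EXPIRES",
        "ValidTo": datetime(2025, 1, 1, tzinfo=timezone.utc),
    },
]
# Constructed kms.get_key_rotation_status()["KeyRotationEnabled"] per key id.
SAMPLE_ROTATION_STATUS = {
    "placeholder-aws-managed": True,
    "placeholder-kms-generated": False,
    "placeholder-imported": False,
}
SAMPLE_NOW = datetime(2024, 12, 20, tzinfo=timezone.utc)  # fixed "now" for the sample


def classify_key(meta, rotation_enabled=None, now=None):
    """Explain who controls a key's material and what rotation it needs.

    rotation_enabled is the GetKeyRotationStatus result (None if not queried).
    Keys with Origin EXTERNAL cannot use automatic rotation, so they are
    flagged as needing manual rotation regardless of that value.
    """
    now = now or datetime.now(timezone.utc)
    customer_managed = meta.get("KeyManager") == "CUSTOMER"
    imported = meta.get("Origin") == "EXTERNAL"
    result = {
        "key_id": meta["KeyId"],
        "customer_managed": customer_managed,
        "material_imported": imported,
        "manual_rotation_required": customer_managed and imported,
        "material_expires": meta.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES",
        "findings": [],
    }
    if imported and rotation_enabled:
        # KMS rejects EnableKeyRotation on EXTERNAL keys; this would be stale data
        result["findings"].append("inconsistent: automatic rotation reported on imported key")
    if customer_managed and not imported and rotation_enabled is False:
        result["findings"].append("automatic rotation disabled on KMS-generated CMK")
    if result["material_expires"]:
        days_left = (meta["ValidTo"] - now).days
        result["days_until_material_expires"] = days_left
        if days_left < 30:
            result["findings"].append(
                f"imported key material expires in {days_left} days; re-import required")
    return result


def audit_keys(keys, rotation_status, now=None):
    """Classify every key; rotation status is looked up per key id."""
    return [classify_key(k, rotation_status.get(k["KeyId"]), now) for k in keys]


def import_own_key_material(kms, key_id, raw_key_material, valid_to=None):
    """Wrap locally generated material with the KMS-supplied RSA public key and
    import it. Assumed helper (not from the thread); kms is a boto3 KMS client
    and raw_key_material must be 32 bytes for a symmetric key. Generate the
    material in an HSM or other controlled source, not in this process."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    params = kms.get_parameters_for_import(
        KeyId=key_id, WrappingAlgorithm="RSAES_OAEP_SHA_256", WrappingKeySpec="RSA_2048")
    public_key = serialization.load_der_public_key(params["PublicKey"])
    wrapped = public_key.encrypt(
        raw_key_material,
        padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None))
    kwargs = {"KeyId": key_id, "ImportToken": params["ImportToken"],
              "EncryptedKeyMaterial": wrapped,
              "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"}
    if valid_to is not None:
        kwargs.update(ExpirationModel="KEY_MATERIAL_EXPIRES", ValidTo=valid_to)
    return kms.import_key_material(**kwargs)


if __name__ == "__main__":
    for r in audit_keys(SAMPLE_KEYS, SAMPLE_ROTATION_STATUS, now=SAMPLE_NOW):
        print(r["key_id"], "manual rotation:", r["manual_rotation_required"], r["findings"])
```

Against real data, feed `audit_keys` the `KeyMetadata` of each key from `list_keys` plus `describe_key`, and the `KeyRotationEnabled` value from `get_key_rotation_status`; the `manual_rotation_required` flag is exactly the case the answer describes, where the customer generated the material and KMS cannot rotate it on its own.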
