Difference between a backing key and CMK

What is a KMS ‘backing key’? I read the notes about key rotation and CMK, but I took the Security Speciality practice test on the training website, and they asked a question around backing keys, specifically mentioning that AWS managed backing keys are rotated once a year — but AWS managed CMKs are rotated once every 3 years.

1 Answer

It may be the language that was used in the question, but I suspect when they said "AWS-Managed backing keys", they referred to Customer-Managed CMKs whose "backing keys" were generated by AWS, rather than strictly an AWS-Managed CMK.

All CMKs, regardless of who manages them, are really logical resources that applications and users use to do cryptographic operations. To perform these operations, cryptographic material needs to exist, as it is used in the process to do encryption and decryption of data. This cryptographic material is what is called a "backing key".

When a CMK is created, the cryptographic material is either provided by AWS or provided by the customer and represents the first and only "backing key" of the CMK. However, when a CMK is rotated by KMS, new cryptographic material ("backing key") is imported, thus the CMK now must manage 2 "backing keys". For new encryption or re-encryption operations, it will use the new "backing key", but it still needs to hold on to the original "backing key" that was used prior to rotation in order to decrypt data that was encrypted before the rotation. Therefore, while applications and users perform their operations referencing the CMK, underneath that, there may be multiple "backing keys" performing cryptographic operations on different data. I think of a CMK as a logical container of one or more "backing keys", where one "backing key" is the most current.

AWS-Managed CMKs you have no control over, and as you mention, those CMKs will generate a new backing key every 3 years.

Customer-Managed CMKs where the "backing key" was generated by AWS can have rotation enabled; those CMKs will generate a new backing key every 1 year.

Customer-Managed CMKs where the "backing key" was generated by the customer cannot be rotated by AWS. If rotation is desired, the customer must manually rotate them.

Keith Rozario

Thanks. Cleared things up.
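The answer above describes a CMK as a logical container of backing keys, where the newest one encrypts and the older ones are kept only to decrypt data written before rotation. The following is an added, stand-alone model of that relationship (not code from AWS, KMS, or the answer's author): `BackingKey`, `CMK`, `create_cmk`, `rotate`, `encrypt` and `decrypt` are constructed names, the ciphertext layout is invented for the demo, and the HMAC-SHA256 counter-mode cipher is a stdlib stand-in, not the algorithm KMS actually uses.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

@dataclass
class BackingKey:          # one piece of cryptographic material (constructed model)
    key_id: int
    material: bytes

@dataclass
class CMK:                 # the logical resource callers reference; last backing key is current
    origin: str            # "AWS_KMS" (material generated by AWS) or "EXTERNAL" (customer-imported)
    backing_keys: list = field(default_factory=list)

def create_cmk(origin="AWS_KMS", imported_material=None):
    material = imported_material if origin == "EXTERNAL" else secrets.token_bytes(32)
    return CMK(origin, [BackingKey(1, material)])

def rotate(cmk):
    """KMS-style rotation: append fresh material; old backing keys stay for decrypting old data."""
    if cmk.origin == "EXTERNAL":
        raise ValueError("imported material cannot be rotated by KMS; rotate manually")
    new_id = cmk.backing_keys[-1].key_id + 1
    cmk.backing_keys.append(BackingKey(new_id, secrets.token_bytes(32)))
    return new_id

def _keystream(material, nonce, n):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher, not KMS's algorithm
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(material, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(cmk, plaintext):
    bk = cmk.backing_keys[-1]            # new encryptions always use the current backing key
    nonce = secrets.token_bytes(16)
    header = bk.key_id.to_bytes(4, "big") + nonce   # key_id tells decrypt which backing key applies
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(bk.material, nonce, len(plaintext))))
    tag = hmac.new(bk.material, header + body, hashlib.sha256).digest()
    return header + body + tag

def decrypt(cmk, blob):
    key_id = int.from_bytes(blob[:4], "big")
    nonce, body, tag = blob[4:20], blob[20:-32], blob[-32:]
    bk = next((k for k in cmk.backing_keys if k.key_id == key_id), None)
    if bk is None or not hmac.compare_digest(hmac.new(bk.material, blob[:-32], hashlib.sha256).digest(), tag):
        raise ValueError("unknown backing key or integrity check failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(bk.material, nonce, len(body))))
```

Note that after `rotate`, ciphertext produced earlier still decrypts because the container retains backing key 1, while anything new is tagged with key 2; a CMK with imported material refuses automatic rotation, matching the last paragraph of the answer.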

