Do we need a master key for each AWS resource like S3, EC2, etc.?
rfoltak
No. You have a single Master Key, and it will be used to encrypt a data key that is assigned to each resource. So the resource gets encrypted with the data key stored with the resource, and the data key can only be decrypted with the master key that is stored in KMS.
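The key hierarchy described in this reply, as an added illustration (not AWS or boto3 code, and not part of the original post): a stand-in for KMS holds the master key and only ever hands out data keys; each object is encrypted under its own data key, and the wrapped data key is stored next to the ciphertext. The cipher used by `seal`/`open_` is an HMAC-SHA256 counter keystream with an encrypt-then-MAC tag, chosen only so the example runs with the standard library; it stands in for AES-GCM and is not a construction to reuse. The key alias and object names are constructed for the example.

```python
"""Envelope encryption: one master key, a fresh data key per object.

Added illustration, not AWS or boto3 code. KmsStandIn plays the part of KMS
(GenerateDataKey and Decrypt); the master key never leaves it. seal/open_
are a stdlib stand-in for AES-GCM, not a cipher to reuse.
"""
import hashlib
import hmac
import secrets
import struct


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks; self-inverse."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + struct.pack(">Q", block_no), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def _subkeys(key: bytes):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on any modification."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("ciphertext or wrapped key was tampered with")
    return _keystream_xor(enc_key, nonce, ct)


class KmsStandIn:
    """Stands in for KMS: master keys live here and are never returned."""

    def __init__(self):
        self._master_keys = {}

    def create_key(self, key_id: str) -> str:
        self._master_keys[key_id] = secrets.token_bytes(32)
        return key_id

    def generate_data_key(self, key_id: str):
        """Like KMS GenerateDataKey: plaintext data key plus its wrapped form."""
        data_key = secrets.token_bytes(32)
        wrapped = key_id.encode() + b"\x00" + seal(self._master_keys[key_id], data_key)
        return data_key, wrapped

    def decrypt(self, wrapped: bytes) -> bytes:
        """Like KMS Decrypt: unwrap a data key; the master key stays inside."""
        key_id, _, blob = wrapped.partition(b"\x00")
        return open_(self._master_keys[key_id.decode()], blob)


def put_object(kms: KmsStandIn, key_id: str, body: bytes) -> dict:
    """Encrypt body under a fresh data key; store the wrapped key alongside."""
    data_key, wrapped_key = kms.generate_data_key(key_id)
    record = {"ciphertext": seal(data_key, body), "wrapped_data_key": wrapped_key}
    del data_key  # the plaintext data key is never persisted
    return record


def get_object(kms: KmsStandIn, record: dict) -> bytes:
    """Unwrap the data key through KMS, then decrypt the body locally."""
    data_key = kms.decrypt(record["wrapped_data_key"])
    return open_(data_key, record["ciphertext"])


def demo():
    """Three 'resources', one master key, three distinct wrapped data keys."""
    kms = KmsStandIn()
    cmk = kms.create_key("alias/app-master")  # hypothetical alias
    bodies = {n: n.encode() + b" contents" for n in ("s3-object", "ebs-volume", "rds-snapshot")}
    stored = {n: put_object(kms, cmk, b) for n, b in bodies.items()}
    distinct_keys = len({r["wrapped_data_key"] for r in stored.values()})
    recovered = {n: get_object(kms, r) for n, r in stored.items()}
    # Flip one ciphertext byte: decryption must fail rather than return garbage.
    bad = dict(stored["s3-object"])
    ct = bytearray(bad["ciphertext"])
    ct[20] ^= 0x01
    bad["ciphertext"] = bytes(ct)
    try:
        get_object(kms, bad)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return recovered == bodies, distinct_keys, tamper_detected


if __name__ == "__main__":
    print(demo())
```

Two points the pricing question turns on are visible here: every object gets its own data key, but the only calls that go to KMS are the one `generate_data_key` per write and the one `decrypt` per read, and the master key itself is never copied to the caller.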
gautamkj_2000
Thanks. It will help with getting the pricing right.
jmjohnson63660
So no, you don't, but there is a condition you can set in your KMS key policy (think of it like a bucket policy for KMS) that can make it so your KMS key can only be used for one service. That condition is the kms:ViaService condition on your key policy. I got a question on Whiz Labs about it, so just something to keep in mind.
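A key policy using the kms:ViaService condition from the reply above, as an added example that is not part of the original thread and not AWS-provided code. `key_policy()` builds the policy document; `is_allowed()` is a deliberately small model of how IAM evaluates it (principal, action and string conditions only, with no resource matching, NotAction or identity policies) so the effect of the condition can be checked offline. The account id, region, role name and statement ids are constructed for the example.

```python
"""Key policy that lets a role use a KMS key only through S3.

Added illustration, not AWS code. The evaluator is a simplified model of IAM
policy evaluation, enough to show what kms:ViaService does and does not match.
"""
import fnmatch
import json

ACCOUNT = "111122223333"  # constructed account id
REGION = "us-east-1"


def key_policy(account: str = ACCOUNT, region: str = REGION, service: str = "s3") -> dict:
    """Root admin statement (so the key cannot be locked out) plus a usage
    statement that only matches when the request arrives via the service."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableRootAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowUseOnlyThroughService",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account}:role/app-role"},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"kms:ViaService": f"{service}.{region}.amazonaws.com"}
                },
            },
        ],
    }


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """A condition key absent from the request context makes the test fail,
    which is why a direct CLI call (no kms:ViaService) does not match."""
    for operator, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if operator == "StringEquals" and have != want:
                return False
            if operator == "StringLike" and not fnmatch.fnmatchcase(have, want):
                return False
    return True


def _statement_matches(stmt: dict, principal: str, action: str, ctx: dict) -> bool:
    if stmt["Principal"]["AWS"] not in ("*", principal):
        return False
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def is_allowed(policy: dict, principal: str, action: str, ctx: dict) -> bool:
    """Explicit Deny wins; otherwise any matching Allow grants the action."""
    matched = [s for s in policy["Statement"]
               if _statement_matches(s, principal, action, ctx)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


def demo() -> dict:
    """Same role, same action, different callers: only the S3 path is allowed."""
    policy = key_policy()
    role = f"arn:aws:iam::{ACCOUNT}:role/app-role"
    root = f"arn:aws:iam::{ACCOUNT}:root"
    via_s3 = {"kms:ViaService": f"s3.{REGION}.amazonaws.com"}
    via_ec2 = {"kms:ViaService": f"ec2.{REGION}.amazonaws.com"}
    return {
        "role decrypt via S3": is_allowed(policy, role, "kms:Decrypt", via_s3),
        "role decrypt via EC2": is_allowed(policy, role, "kms:Decrypt", via_ec2),
        "role direct CLI decrypt": is_allowed(policy, role, "kms:Decrypt", {}),
        "role GenerateDataKey via S3": is_allowed(policy, role, "kms:GenerateDataKey", via_s3),
        "root ScheduleKeyDeletion": is_allowed(policy, root, "kms:ScheduleKeyDeletion", {}),
    }


if __name__ == "__main__":
    print(json.dumps(key_policy(), indent=2))
    for case, ok in demo().items():
        print(f"{case}: {'allow' if ok else 'deny'}")
```

Two things to keep in mind when applying this: the condition key is only present when an integrated service calls KMS on the principal's behalf, so the same role calling `kms:Decrypt` directly from the CLI is denied, and for the same reason the administrative statement must carry no ViaService condition or key management itself becomes impossible.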