Certified Security - Specialty


Do we need a master key for each AWS resource?

Do we need a master key for each AWS resource, like S3, EC2, etc.?


No. You can have a single Master Key, and it will be used to encrypt a data key that is assigned for each resource. So, the resource gets encrypted with the data key stored with the resource, and the data key can only be decrypted with the master key that is stored in KMS.


Thanks. It will help to get the pricing right.


So no, you don’t, but there is a condition you can set in your KMS key policy (think of it like a bucket policy for KMS) that can make it so your KMS key can only be used through one service. That condition is the kms:ViaService condition on your key policy. I got a question on Whiz Labs about it, so it is just something to keep in mind.
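A key policy using the kms:ViaService condition from the answer above, as an added example and not a policy from the original thread: the AppDataRole principal may call the data-key operations (the GenerateDataKey and Decrypt calls S3 makes on your behalf, which is the envelope encryption described in the first answer) only when the request arrives through S3 in us-east-1, so direct KMS calls from that role are not allowed by this statement. The account ID 111122223333, the region and the role name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "key-policy-via-service-example",
  "Statement": [
    {
      "Sid": "AllowKeyAdministrationByAccountRoot",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowUseOnlyThroughS3InOneRegion",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/AppDataRole" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    }
  ]
}
```

The first statement keeps the account root able to administer the key; if the only statement were the kms:ViaService one, nobody could manage the key directly.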

