Certified Security - Specialty

Sign Up Free or Log In to participate!

How does importing your own key material add resiliency in the event of an AWS failure

In the AWS Certified Security course, during the KMS Part 4 lecture, at 04:26, the instructor states that importing your own key material can allow you "to be resilient to AWS failure by storing keys outside AWS."  How is that possible? Didn’t earlier examples show that you cannot use a new key to access data encrypted with a previous key, even if all of the same key material and wrapping code is used? What kind of failure is this contemplating? Thanks!


Good question, the docs don’t go into any detail on this: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html


Another paper says: The durability design is intended to protect all CMKs in a region should AWS experience a wide-scale loss of either the online HSAs, or the set of CMKs stored within our primary storage system. Imported master keys are not included under the durability protections afforded other CMKs. In the event of a regional-wide failure in AWS KMS, imported master keys may need to be reimported. (https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf)

0 Answers

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?