At its re:Invent 2014 conference Amazon launched AWS Key Management Service (KMS), “a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys”. At launch the service supported EBS, S3 and Redshift. Additional support for Elastic Transcoder was added in late November.
KMS provides storage and life cycle management for services that utilise symmetric keys. Jeff Barr provides a number of usage examples in his blog post 'New AWS Key Management Service (KMS)'. The underlying system (which is explained in a Cryptographic Details white paper) makes use of the Elliptic Curve Digital Signature Algorithm (ECDSA) and RSA, but the service does not yet offer signing via its API.
KMS is integrated into Amazon’s Identity and Access Management (IAM) service, adding a number of new entries to the IAM console. This means that access to keys, and functions performed on keys, can be controlled using the same types of roles and policies that are used elsewhere in AWS. KMS also integrates into Amazon CloudWatch for monitoring, logging and auditing.
HSMs are used as the trust anchors for KMS, but the bulk of the work is done by software-based ‘hardened security appliances’ (HSAs). This allows Amazon to make KMS substantially cheaper than the CloudHSM service that has been available for some time (where customers pay $5,000 up front and $1.88 per hour to get a dedicated SafeNet Luna security appliance). KMS users are charged $1 per key version per month plus $0.3 per 10,000 key requests. Free tier users get 20,000 requests per month. Illustrations of the cost of using KMS with EBS and S3 are provided in the service pricing guide.
The service can optionally take care of automated key rotation (on an annual basis). Over time this will drive up the cost for users of the service as new key versions are created and billed for. That cost is however likely trivial when compared to the usual management and operations issues associated with key rotation.
The system makes use of ‘quorum-based access’ so that:
No single Amazon employee can gain access to customer master keys. Confidentiality of your cryptographic keys is crucial.
There is no word on how keys might be accessed in order to satisfy law enforcement requests or (FISA) court orders beyond the standard ‘Your Content’ section in the AWS agreement:
We may disclose Your Content to provide the Service Offerings to you or any End Users or to comply with any request of a governmental or regulatory body (including subpoenas or court orders).
KMS will offer an attractive middle ground for customers who previously felt that Amazon’s server side encryption was too weak (and that their HSM solution was too expensive). It won’t however help customers who want to use encryption to prevent intrusion by the US government (or indeed other governments).