External Key Stores (XKS) now supported in AWS Key Management Service (KMS)

Previously, one of the limitations around AWS Key Management Service (KMS) was that there was no way for you to leverage a third-party service or application to store or manage your encryption keys.  This created some hesitation around using AWS KMS, especially for the more security-conscious customers that were concerned about regulatory compliance or controls related to their encryption keys.

AWS has reacted to this by launching External Key Stores (XKS), allowing organizations to store and manage their keys outside of the AWS KMS service.  They have launched this product with several key management service providers, including Fortanix and HashiCorp. 

You can read all about the announcement here. It includes a really nice overview of Key Management and Encryption.

This is a nice step forward for the AWS KMS offering, as you’ll now have more control of your encryption keys if you choose to leverage the service.  Having been inside organizations that are dipping their toes into the cloud, I can recall some pretty heated discussion around encryption key management.  One side of the fence is very protective of the keys and doesn’t want to hand them over, while the other side of the fence usually argues that if you’re going to trust the hyperscaler with all of your data (including PII or PHI), why are you suddenly hostile when it comes to your encryption keys?

Those are always fun meetings to be in!  Hopefully, this announcement will allow for a middle ground, where you give your keys to HashiCorp (more trusted than AWS by security folks) and then leverage XKS to smooth operations.
