Encryption & Key Management: KMS vs. CloudHSM

In the AWS ecosystem, protecting data at rest is a foundational requirement of the Security Pillar within the Well-Architected Framework. Key management involves the lifecycle of cryptographic keys: creation, rotation, storage, and deletion.

The Analogy: The Safety Deposit Box

Imagine a high-security bank. AWS KMS is like the bank’s universal manager. They handle thousands of safety deposit boxes (your data) and keep the master keys in a secure vault they manage. You just ask them to open your box. AWS CloudHSM is like renting the entire vault room itself. You bring your own locksmith, you hold the only keys to the room, and the bank staff cannot even enter the room to help you if you lose your keys.

Core Concepts: The “What” and “Why”

AWS provides managed services to ensure that even if physical media is stolen or an unauthorized user gains access to a storage layer, the data remains unreadable without the specific cryptographic key.

  • KMS (Key Management Service): A managed service that makes it easy to create and control the keys used to encrypt your data. It uses Hardware Security Modules (HSMs) to protect the security of your keys.
  • CloudHSM: A cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud with dedicated single-tenant hardware.

Comparison: KMS vs. CloudHSM

Feature     | AWS KMS                                                          | AWS CloudHSM
Tenancy     | Multi-tenant (shared HSM fleet operated by AWS)                  | Single-tenant (dedicated hardware in your VPC)
Standard    | FIPS 140-2 Level 3 validated HSMs since 2023 (older exam material still says Level 2) | FIPS 140-2 Level 3 (newer instance types are validated against FIPS 140-3 Level 3)
Custody     | AWS holds the key material; you control use via key policies     | Only you hold the keys; AWS has no access to key material or HSM users
Management  | AWS managed (highly automated)                                    | Customer managed (you run users, keys, backups and client software)
Integration | Native with 100+ AWS services                                    | Your own code via PKCS#11, JCE, CNG/KSP or the OpenSSL Dynamic Engine; AWS services only through a KMS custom key store
Cost        | Low (monthly fee per key plus per-request charges)               | High (hourly fee per HSM; two HSMs in different AZs recommended for availability)

Decision Matrix: If/Then Scenarios

  • If compliance requires single-tenant hardware under your exclusive control (keys that AWS cannot access, custody you can demonstrate) or a FIPS 140-2/140-3 Level 3 module you operate yourself, then use CloudHSM. The validation level alone no longer forces the choice, because KMS HSMs are also Level 3 validated; custody does.
  • If you want seamless integration with S3, EBS, and RDS, then use KMS.
  • If you require a solution that is cost-effective and scales automatically, then use KMS.
  • If your application needs industry-standard HSM interfaces such as PKCS#11, JCE, CNG/KSP or the OpenSSL engine, then use CloudHSM.

Exam Tips: Golden Nuggets

  • KMS is Regional: ciphertext produced under a key in us-east-1 can only be decrypted by calling KMS in us-east-1; the key material never leaves the Region. For cross-Region decryption use multi-Region keys (a primary key and replicas that share one key ID and key material), or ReEncrypt the data key under a key in the destination Region.
  • Key Rotation: AWS managed keys (aws/s3, aws/ebs, ...) rotate automatically every year (the older "every 3 years" figure changed in 2022). Customer managed keys have optional automatic rotation, yearly by default and configurable between 90 and 2560 days, plus on-demand rotation. The term "CMK" is retired; AWS now says "KMS key". Rotation only affects new encryptions: KMS keeps every previous backing key, so existing ciphertext still decrypts and nothing is re-encrypted.
  • Envelope Encryption: the KMS Encrypt and Decrypt APIs accept at most 4 KB of plaintext, so bulk data is never sent to KMS. GenerateDataKey returns a plaintext data key together with the same key encrypted under the KMS key. You encrypt the data locally with the plaintext data key, store the encrypted data key next to the ciphertext, and discard the plaintext key. To read the data back you send the encrypted data key to KMS Decrypt and decrypt locally.
  • Deletion: KMS keys have a mandatory waiting period (7 to 30 days, 30 by default) before deletion to prevent accidental data loss; the deletion can be cancelled during that window, and disabling a key is the reversible alternative. Once a key is deleted, everything encrypted under it is unrecoverable.

Visualizing AWS Key Management

Envelope Encryption Flow

Encrypt:  Plaintext data --[data key from KMS GenerateDataKey]--> Encrypted data --> S3 bucket / EBS volume
          The plaintext data key is discarded; the encrypted data key is stored alongside the ciphertext.

Decrypt:  Encrypted data key --[KMS Decrypt]--> Plaintext data key --[local decrypt]--> Plaintext data
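The flow above, worked end to end as an added example (this is not code from the original page or from AWS). The FakeKms class is an offline stand-in for the boto3 KMS client: its method names and response keys (generate_data_key, decrypt, Plaintext, CiphertextBlob) mirror boto3 so the envelope functions would work unchanged against the real service. AES-GCM is replaced by an HMAC-SHA256 counter-mode keystream plus an HMAC tag (encrypt-then-MAC) so that only the standard library is needed; the key ids, account-style strings and sample record are constructed. It also goes beyond the text in two ways: the encryption context is bound to the wrapped key as additional authenticated data, and an on-demand rotation shows that old ciphertext still decrypts because the previous backing key is retained.

```python
"""Envelope encryption against an offline stand-in for AWS KMS (added example)."""
import hashlib
import hmac
import json
import os
import struct


class InvalidCiphertextException(Exception):
    """Raised when a wrapped key, tag or encryption context does not verify (as KMS does)."""


def _subkeys(key: bytes):
    # Separate keystream and tag keys derived from one 256-bit key (encrypt-then-MAC).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = length // 32 + 1
    return b"".join(hmac.new(enc_key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
                    for i in range(blocks))


def _tag(mac_key: bytes, nonce: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    # Length-prefix the AAD so the aad/ciphertext boundary is unambiguous.
    return hmac.new(mac_key, nonce + struct.pack(">Q", len(aad)) + aad + ciphertext,
                    hashlib.sha256).digest()


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Stand-in for AES-GCM (demo only): returns nonce | ciphertext | tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ciphertext + _tag(mac_key, nonce, aad, ciphertext)


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    # Constant-time tag check before any decryption; wrong key or wrong AAD both fail here.
    if not hmac.compare_digest(tag, _tag(mac_key, nonce, aad, ciphertext)):
        raise InvalidCiphertextException("tag mismatch: wrong key, wrong context or tampered data")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def _canonical(context) -> bytes:
    # KMS binds the encryption context as AAD; canonicalise it so key order does not matter.
    return json.dumps(context or {}, sort_keys=True, separators=(",", ":")).encode()


class FakeKms:
    """Offline stand-in for the boto3 KMS client. Backing keys never leave this object."""

    def __init__(self):
        self._backing = {}  # key id -> list of 256-bit backing keys, one per rotation

    def create_key(self) -> str:
        key_id = f"fake-key-{len(self._backing) + 1}"  # constructed id, not a real ARN
        self._backing[key_id] = [os.urandom(32)]
        return key_id

    def rotate_key_on_demand(self, key_id: str) -> None:
        # Rotation adds new backing material and keeps the old, so old ciphertext still decrypts.
        self._backing[key_id].append(os.urandom(32))

    def generate_data_key(self, KeyId: str, EncryptionContext=None, KeySpec: str = "AES_256") -> dict:
        versions = self._backing[KeyId]
        version = len(versions) - 1                       # newest backing key wraps new data keys
        plaintext_key = os.urandom(32)
        header = KeyId.encode() + b"\x00" + struct.pack(">I", version)
        wrapped = header + aead_encrypt(versions[version], plaintext_key,
                                        header + _canonical(EncryptionContext))
        return {"KeyId": KeyId, "Plaintext": plaintext_key, "CiphertextBlob": wrapped}

    def decrypt(self, CiphertextBlob: bytes, EncryptionContext=None) -> dict:
        key_id_bytes, rest = CiphertextBlob.split(b"\x00", 1)
        header = key_id_bytes + b"\x00" + rest[:4]
        try:   # the blob itself names the key and backing-key version, as a real KMS blob does
            backing = self._backing[key_id_bytes.decode()][struct.unpack(">I", rest[:4])[0]]
        except (KeyError, IndexError):
            raise InvalidCiphertextException("unknown key or key version")
        plaintext_key = aead_decrypt(backing, rest[4:], header + _canonical(EncryptionContext))
        return {"KeyId": key_id_bytes.decode(), "Plaintext": plaintext_key}


def envelope_encrypt(kms, key_id: str, plaintext: bytes, context: dict) -> dict:
    """Client side: one KMS call per object, bulk encryption happens locally."""
    dk = kms.generate_data_key(KeyId=key_id, EncryptionContext=context)
    body = aead_encrypt(dk["Plaintext"], plaintext)
    # Only the wrapped data key is stored with the ciphertext; the plaintext key is dropped.
    return {"wrapped_key": dk["CiphertextBlob"], "body": body, "context": context}


def envelope_decrypt(kms, envelope: dict) -> bytes:
    dk = kms.decrypt(CiphertextBlob=envelope["wrapped_key"], EncryptionContext=envelope["context"])
    return aead_decrypt(dk["Plaintext"], envelope["body"])


def demo() -> dict:
    kms = FakeKms()
    key_id = kms.create_key()
    ctx = {"aws:s3:arn": "arn:aws:s3:::example-bucket/report.csv"}   # constructed context
    record = b"card=4111111111111111,amount=10.00\n" * 1500           # ~50 KB, above the 4 KB KMS limit
    env = envelope_encrypt(kms, key_id, record, ctx)
    results = {"roundtrip": envelope_decrypt(kms, env) == record, "wrong_context_rejected": False}
    try:
        envelope_decrypt(kms, {**env, "context": {"aws:s3:arn": "arn:aws:s3:::other-bucket/x"}})
    except InvalidCiphertextException:
        results["wrong_context_rejected"] = True
    kms.rotate_key_on_demand(key_id)
    results["decrypts_after_rotation"] = envelope_decrypt(kms, env) == record
    return results


if __name__ == "__main__":
    print(demo())
```

Swapping FakeKms for boto3.client("kms") and the stand-in AEAD for a real AES-GCM implementation is the only change needed for production; the envelope structure, the context binding and the rotation behaviour are the same.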

Key Services

  • KMS: Multi-tenant, integrated.
  • CloudHSM: Single-tenant, FIPS 140-2 L3.
  • ACM: provisions and automatically renews TLS certificates for load balancers, CloudFront and API Gateway.
  • Secrets Manager: stores secrets encrypted with KMS and rotates database credentials on a schedule.

Common Pitfalls

  • Assuming KMS keys are global; they are Regional unless you create multi-Region keys.
  • Scheduling a key for deletion without checking CloudTrail for recent use; ciphertext under a deleted key is unrecoverable, so disable the key first and watch for failures.
  • Using CloudHSM for simple S3 encryption; SSE-KMS gives the audit trail at a fraction of the cost and effort.
  • Forgetting the key policy (IAM alone is not enough): the key policy is the primary access control for a KMS key, and an IAM policy can grant access only if the key policy allows it, normally through the statement that gives the account root principal access and thereby delegates to IAM.

Quick Patterns

  • SSE-S3: keys owned and managed by S3 (AES-256); the default for new objects since January 2023, no per-key audit trail.
  • SSE-KMS: a KMS key you choose; every use is logged in CloudTrail and gated by the key policy. Enable S3 Bucket Keys to cut the number of KMS requests.
  • SSE-C: you supply the key on every request over HTTPS; S3 uses it for that request and keeps only a salted HMAC of it, so if you lose the key the object is gone.
  • Client-Side: encrypt before uploading, for example with the AWS Encryption SDK, so S3 never sees plaintext or the key.
