AWS recently introduced a feature called AWS KMS multi-Region keys, which lets you replicate a KMS key from one Region into others. With multi-Region keys you can move encrypted data between Regions without decrypting it and re-encrypting it under a different key in each Region.
A multi-Region key can be symmetric or asymmetric, and its key material can be generated by AWS KMS or imported. Multi-Region keys cannot be created in a custom key store. A multi-Region key is a set of KMS keys in different AWS Regions that share the same key ID, key material, and other shared properties, so each key in the set is fully functional in its own Region. Because related multi-Region keys share key material, any of them can decrypt ciphertext produced by any other key in the set; their key ARNs differ only in the Region.
To migrate an existing workload to multi-Region keys you must re-encrypt the data (or create new signatures) with new multi-Region keys, because the multi-Region property is fixed when a key is created and cannot be added to an existing single-Region key. Several unrelated sets of multi-Region keys can exist in the same or different Regions. Related multi-Region keys are interoperable; unrelated multi-Region keys are not.
A multi-Region primary key is a KMS key that can be replicated into other AWS Regions in the same partition. Each set of related multi-Region keys has exactly one primary key. A primary key does not have to be replicated; you can use it like any other KMS key and replicate it only when needed. Because multi-Region keys have different security properties than single-Region keys, AWS recommends creating a multi-Region key only when you actually plan to replicate it.
Multi-Region replica keys have the same key ID and key material as their primary key and related replica keys but live in different AWS Regions. Like the primary key and every related replica, a replica key is a fully functional KMS key with its own key policy, grants, aliases, tags, and other properties, and none of these are synchronized across the set. A replica key can be used even if the primary key and all other related replica keys are disabled. You can also change which key in the set is the primary: the chosen replica becomes the primary and the former primary becomes a replica.
A replica key differs from the primary key as follows:
- Only the primary key can be replicated.
- The primary key is the source of the properties shared with its replicas, such as the key ID and key material.
- Automatic key rotation can be enabled or disabled only on the primary key.
- A primary key can be scheduled for deletion at any time, but AWS KMS will not delete it until all of its replica keys have been deleted.
Apart from this, primary and replica keys have identical cryptographic properties and can be used interchangeably.
A multi-Region primary key can be replicated into any other AWS Region in the same partition. When you replicate it, AWS KMS creates a multi-Region replica key in the target Region with the same key ID and other shared properties as the primary key.
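To make the relationship between a primary key and its replicas concrete, here is an added Python example (not code from the original post) that parses KMS key ARNs and decides whether two keys are related multi-Region keys. It relies on the fact that multi-Region key IDs start with mrk- and that replicas share the key ID, account, and partition while differing in Region; the ARNs in the inventory are constructed for the example.

```python
"""Tell related multi-Region KMS keys apart from unrelated ones by their ARNs.
Added example; not code from the CloudThat post.  The key ARNs are constructed."""
import re
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple, Optional, Set

# arn:<partition>:kms:<region>:<account>:key/<key-id>
_KMS_KEY_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):kms:(?P<region>[^:]+):(?P<account>\d{12}):key/(?P<key_id>[^:/]+)$"
)


class KmsKey(NamedTuple):
    partition: str
    region: str
    account: str
    key_id: str

    @property
    def multi_region(self) -> bool:
        # Multi-Region key IDs carry the "mrk-" prefix; single-Region IDs are plain UUIDs.
        return self.key_id.startswith("mrk-")


def parse_kms_arn(arn: str) -> KmsKey:
    m = _KMS_KEY_ARN.match(arn)
    if m is None:
        raise ValueError(f"not a KMS key ARN: {arn}")
    return KmsKey(**m.groupdict())


def are_related(arn_a: str, arn_b: str) -> bool:
    """True only for two copies of the same multi-Region key in different Regions.

    Related keys share key ID and key material, so ciphertext from one decrypts
    with the other.  Two multi-Region keys with different IDs are unrelated and
    not interoperable, even if both live in the same account.
    """
    a, b = parse_kms_arn(arn_a), parse_kms_arn(arn_b)
    return (a.multi_region and b.multi_region
            and a.key_id == b.key_id
            and a.partition == b.partition      # replication never crosses partitions
            and a.account == b.account
            and a.region != b.region)


def group_related(arns: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each multi-Region key ID to the Regions where a copy of it exists."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for arn in arns:
        key = parse_kms_arn(arn)
        if key.multi_region:
            groups[key.key_id].add(key.region)
    return dict(groups)


def copy_in_region(arns: Iterable[str], key_arn: str, target_region: str) -> Optional[str]:
    """ARN of the related key in target_region, or None if it was never replicated there.

    This is the check behind an AMI or snapshot copy: the destination Region can
    only encrypt with a key that exists in that Region.
    """
    for arn in arns:
        if parse_kms_arn(arn).region == target_region and are_related(key_arn, arn):
            return arn
    return None


# Constructed inventory: a primary in Mumbai with its Tokyo replica, an unrelated
# multi-Region key in Tokyo, and an ordinary single-Region key in Mumbai.
PRIMARY_ARN = "arn:aws:kms:ap-south-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
REPLICA_ARN = "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
UNRELATED_MRK_ARN = "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-9876fedc98fe76dc54ba0987654321ba"
SINGLE_REGION_ARN = "arn:aws:kms:ap-south-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
INVENTORY = [PRIMARY_ARN, REPLICA_ARN, UNRELATED_MRK_ARN, SINGLE_REGION_ARN]

if __name__ == "__main__":
    for key_id, regions in group_related(INVENTORY).items():
        print(key_id, "->", sorted(regions))
    print("Tokyo copy of primary:", copy_in_region(INVENTORY, PRIMARY_ARN, "ap-northeast-1"))
    print("Frankfurt copy of primary:", copy_in_region(INVENTORY, PRIMARY_ARN, "eu-central-1"))
```

copy_in_region is the check that explains why a key does not appear in the key list when copying an AMI to another Region until a replica exists there; feed it the output of ListKeys from each Region you operate in.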
KMS Multi-Region Key Creation
The following walkthrough creates a multi-Region key in the AWS KMS console:
1. Open the AWS KMS console, choose Customer managed keys, and click Create key.
2. Select Symmetric as the key type and expand Advanced options.
3. Under Key material origin select KMS, under Regionality select Multi-Region key, then click Next.
4. Enter an alias and a description for the key.
5. Add appropriate tags and click Next.
6. Choose the IAM (Identity and Access Management) users and roles that can administer this key through the KMS API. They may need additional IAM permissions to administer the key from the console.
7. Tick Allow key administrators to delete this key only if those administrators should be able to schedule the key for deletion, then click Next.
8. Define the key usage permissions: the IAM users and roles that can use the key in cryptographic operations.
9. To let other AWS accounts use the key, add their account IDs in the next section. (This option is not used in this demo.)
10. Review the key configuration and the generated key policy.
11. Click Finish. The new key appears in the KMS console with a key ID that starts with mrk-, which marks it as a multi-Region key.
Encrypting EBS Snapshots
Next we copy an AMI from the Mumbai Region (ap-south-1) to the Tokyo Region (ap-northeast-1), encrypting its EBS snapshots with the key created above.
1. In the EC2 console, under Images choose AMIs and select the AMI whose snapshots you want to encrypt.
2. Click Actions and choose Copy AMI.
3. Set the destination Region to Tokyo and tick Encrypt target EBS snapshots. The key created earlier does not appear in the key list: KMS keys are Regional resources, and the snapshots created in Tokyo can only be encrypted with a key that exists in Tokyo. We therefore have to replicate the primary key from Mumbai to Tokyo first.
4. Go back to the KMS console (still in Mumbai), select the key created earlier, and open the Regionality tab.
5. Choose Create new replica keys.
6. Select Tokyo as the replica Region and click Next.
7. The alias, description, and tags are pre-filled with the primary key's current values. You can change them here; AWS KMS will not synchronize later changes between the primary key and its replicas. Click Next.
8. The key administrators are likewise pre-filled from the primary key's policy. You can change them, and they are not kept in sync afterwards.
9. The key usage permissions are pre-filled the same way and can be changed; again, AWS KMS does not synchronize them, so the replica's key policy must be maintained on its own.
10. Review the configuration and key policy, then click Create new replica keys.
11. The replica key is now listed in the KMS console for the Tokyo Region with the same key ID as the primary.
12. Return to the EC2 console and repeat the Copy AMI step to Tokyo. The replica key now appears in the key list; select it and click Copy AMI.
13. When the copy completes, the snapshots behind the new AMI in Tokyo are encrypted with the replica key.
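The same creation and replication steps as API calls, followed by the check that the wizard's warning calls for: because AWS KMS does not synchronize key policies between a primary key and its replicas, the policies drift apart as soon as someone edits one of them, and a replica whose policy has been widened decrypts the same ciphertext as the primary. This is an added Python example, not code from the post or from AWS. create_and_replicate assumes it is handed a boto3 KMS client for the primary Region (boto3.client("kms", region_name="ap-south-1")); the two key policies below (account 111122223333, role app) are constructed to show a Tokyo replica whose policy was opened to any principal after replication.

```python
"""Create a multi-Region primary key, replicate it, and audit replica key
policies for drift.  Added example; it is not code from the CloudThat post."""
import json
from typing import Dict, List

PRIMARY_REGION = "ap-south-1"         # Mumbai, as in the walkthrough
REPLICA_REGIONS = ["ap-northeast-1"]  # Tokyo


def create_and_replicate(kms_primary, alias: str, replica_regions: List[str]) -> dict:
    """The console 'Create key' and 'Create new replica keys' steps as API calls.

    kms_primary is a boto3 KMS client for PRIMARY_REGION (assumed, passed in by
    the caller).  ReplicateKey must be called in the primary key's Region.
    """
    created = kms_primary.create_key(
        Description="multi-Region demo key",
        KeyUsage="ENCRYPT_DECRYPT",
        KeySpec="SYMMETRIC_DEFAULT",
        Origin="AWS_KMS",   # KMS-generated material; custom key stores cannot hold these keys
        MultiRegion=True,   # fixed at creation; a single-Region key cannot be converted later
    )
    key_id = created["KeyMetadata"]["KeyId"]  # shared by every replica, starts with "mrk-"
    kms_primary.create_alias(AliasName=f"alias/{alias}", TargetKeyId=key_id)
    kms_primary.enable_key_rotation(KeyId=key_id)  # rotation is configured on the primary only
    policy = kms_primary.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"]
    for region in replica_regions:
        # Seed each replica with the primary's policy; KMS never re-synchronizes it later.
        kms_primary.replicate_key(KeyId=key_id, ReplicaRegion=region, Policy=policy)
    return kms_primary.describe_key(KeyId=key_id)["KeyMetadata"]


def statements(policy_json: str) -> List[str]:
    """Key policy statements in a canonical, order-independent string form."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be written as an object
        stmts = [stmts]
    return [json.dumps(s, sort_keys=True) for s in stmts]


def policy_drift(primary_policy: str, replica_policies: Dict[str, str]) -> Dict[str, dict]:
    """Per replica Region, statements the replica lacks ('missing') or added ('extra')."""
    base = set(statements(primary_policy))
    drift = {}
    for region, policy in replica_policies.items():
        other = set(statements(policy))
        if other != base:
            drift[region] = {"missing": sorted(base - other), "extra": sorted(other - base)}
    return drift


def overly_broad_statements(policy_json: str) -> List[str]:
    """Sids of unconditional Allow statements open to any AWS principal."""
    hits = []
    for s in (json.loads(text) for text in statements(policy_json)):
        if s.get("Effect") != "Allow" or "Condition" in s:
            continue
        principal = s.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            hits.append(s.get("Sid", "<no Sid>"))
    return hits


# Constructed sample policies (account ID and role name are made up for the example).
PRIMARY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowAppDecrypt", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]})

# Tokyo replica edited after replication: the app statement was widened to any principal.
DRIFTED_REPLICA_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowAppDecrypt", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]})


def audit_sample() -> Dict[str, dict]:
    """Run the drift check on the constructed policies (no AWS access needed)."""
    return policy_drift(PRIMARY_POLICY, {"ap-northeast-1": DRIFTED_REPLICA_POLICY})


if __name__ == "__main__":
    for region, diff in audit_sample().items():
        print(f"{region}: key policy drifted from primary")
        for line in diff["extra"]:
            print("  extra:  ", line)
        for line in diff["missing"]:
            print("  missing:", line)
    print("overly broad in Tokyo:", overly_broad_statements(DRIFTED_REPLICA_POLICY))
```

In production the policies come from GetKeyPolicy called against each Region's KMS endpoint; running policy_drift on a schedule is the compensating control for the fact that the console only copies the policy once, at replication time.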
Changing Replica key to Primary key
1. Any replica can be promoted to primary. In the Region that currently holds the primary key, select the key, open the Regionality tab, and click Change primary Region.
2. Select the new primary Region from the drop-down menu and click Change primary Region.
3. The former primary key is now a replica key, and the replica in the chosen Region is the primary key.
KMS Key Rotation
You can rotate a KMS key manually, by creating a new key and pointing your applications at it, or you can enable automatic key rotation on an existing KMS key.
With automatic rotation enabled, AWS KMS generates new key material for the key once a year and keeps every older version of the key material indefinitely, so ciphertext encrypted under old material can still be decrypted. Automatic rotation is available for symmetric encryption keys with KMS-generated key material. For a multi-Region key it is configured on the primary key only, and the new key material is synchronized to the replica keys.
1. To enable rotation, open the KMS console, select the primary key, and open the Key rotation tab.
2. Tick Automatically rotate this KMS key every year and click Save.
AWS managed keys are rotated automatically on a schedule AWS controls (every three years when this was written; AWS has since moved them to yearly rotation). Multi-Region keys let us move encrypted data between Regions without decrypting and re-encrypting it with a different key in each Region. Please share your valuable feedback in the comment section.
CloudThat provides end-to-end support with all the AWS services. As a pioneer in the Cloud Computing consulting realm, we are AWS (Amazon Web Services) Advanced Consulting Partner, and Training partner. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Read more about CloudThat’s Consulting and Expert Advisory here: https://www.cloudthat.com/expert-advisory/