AWS Security Blog
Category: AWS Key Management Service
Build a mobile driver’s license solution based on ISO/IEC 18013-5 using AWS Private CA and AWS KMS
A mobile driver’s license (mDL) is a digital representation of a physical driver’s license that’s stored on a mobile device. An mDL is a significant improvement over physical credentials, which can be lost, stolen, counterfeited, damaged, or contain outdated information, and can expose unconsented personally identifiable information (PII). Organizations are working together to use mDLs across […]
Announcing AWS KMS Elliptic Curve Diffie-Hellman (ECDH) support
When using cryptography to protect data, protocol designers often prefer symmetric keys and algorithms for their speed and efficiency. However, when data is exchanged across an untrusted network such as the internet, it becomes difficult to ensure that only the exchanging parties can know the same key. Asymmetric key pairs and algorithms help to solve […]
The curious case of faster AWS KMS symmetric key rotation
Today, AWS Key Management Service (AWS KMS) is introducing faster options for automatic symmetric key rotation. We’re also introducing rotate on-demand, rotation visibility improvements, and a new limit on the price of all symmetric keys that have had two or more rotations (including existing keys). In this post, I discuss all those capabilities and changes. […]
How to migrate asymmetric keys from CloudHSM to AWS KMS
In June 2023, Amazon Web Services (AWS) introduced a new capability to AWS Key Management Service (AWS KMS): you can now import asymmetric key materials such as RSA or elliptic-curve cryptography (ECC) private keys for your signing workflow into AWS KMS. This means that you can move your asymmetric keys that are managed outside of […]
Strengthen the DevOps pipeline and protect data with AWS Secrets Manager, AWS KMS, and AWS Certificate Manager
In this blog post, we delve into using Amazon Web Services (AWS) data protection services such as AWS Secrets Manager, AWS Key Management Service (AWS KMS), and AWS Certificate Manager (ACM) to help fortify both the security of the pipeline and security in the pipeline. We explore how these services contribute to the overall security […]
AWS KMS is now FIPS 140-2 Security Level 3. What does this mean for you?
AWS Key Management Service (AWS KMS) recently announced that its hardware security modules (HSMs) were given Federal Information Processing Standards (FIPS) 140-2 Security Level 3 certification from the U.S. National Institute of Standards and Technology (NIST). For organizations that rely on AWS cryptographic services, this higher security level validation has several benefits, including simpler set up and operation. In […]
Scaling cross-account AWS KMS–encrypted Amazon S3 bucket access using ABAC
This blog post shows you how to share encrypted Amazon Simple Storage Service (Amazon S3) buckets across accounts on a multi-tenant data lake. Our objective is to show scalability over a larger volume of accounts that can access the data lake, in a scenario where there is one central account to share from. Most use […]
Managing permissions with grants in AWS Key Management Service
August 9, 2022: This post has been updated to correct the references on RDS documentation. February 22, 2022: This post has been updated to clarify details of the example KMS grants provided in this blog. AWS Key Management Service (AWS KMS) helps customers to use encryption to secure their data. When creating a new encrypted […]
How US federal agencies can use AWS to encrypt data at rest and in transit
This post is part of a series about how Amazon Web Services (AWS) can help your US federal agency meet the requirements of the President’s Executive Order on Improving the Nation’s Cybersecurity. You will learn how you can use AWS information security practices to meet the requirement to encrypt your data at rest and in […]
Encrypt global data client-side with AWS KMS multi-Region keys
Today, AWS Key Management Service (AWS KMS) is introducing multi-Region keys, a new capability that lets you replicate keys from one Amazon Web Services (AWS) Region into another. Multi-Region keys are designed to simplify management of client-side encryption when your encrypted data has to be copied into other Regions for disaster recovery or is replicated […]