Choose the right type of AWS KMS key to encrypt Amazon RDS and Aurora Global Database

Security is a top priority in any organization. Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the AWS Cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks. Amazon Aurora is a fully managed, MySQL- and PostgreSQL-compatible relational database engine. Both RDS and Aurora provide encryption at rest to protect the underlying storage of database instances, automated backups, read replicas, and snapshots, including for multi-Region deployments.

In this post, we walk through the important differences and considerations when deciding on either single-Region or multi-Region AWS Key Management Service (AWS KMS) keys for your Amazon RDS and Aurora global database deployments.

Amazon Aurora Global Database is a feature of Aurora that allows you to create a single, globally distributed database that spans multiple Regions. This provides several benefits for users looking to build highly available and disaster-tolerant applications.

AWS Key Management Service (AWS KMS) allows you to create and control the encryption keys used to secure your data. Aurora-encrypted database clusters use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Aurora DB clusters. After your data is encrypted, Aurora handles the authentication of access and decryption of your data transparently with minimal impact on performance. You don’t need to modify your database client applications to use encryption. AWS KMS also provides different type of keys to encrypt the data at rest for Amazon Relational Database Service (Amazon RDS) and Aurora database environments. Users can weigh the advantages and specific scenarios for utilizing single-Region or multi-Region keys for Aurora and Amazon RDS platforms, including global databases and cross-Region read replicas.

AWS KMS

AWS KMS provides a secure way to manage encryption keys, ensuring that only authorized users have access to the keys needed to decrypt data. The following are some of the benefits of using AWS KMS:

• Compliance – AWS KMS enables you to comply with various regulatory requirements for data encryption and key management
• Integration – AWS KMS integrates with other AWS services, such as Amazon Simple Storage Service (Amazon S3) and Amazon RDS, to provide encryption for data stored in these services
• Ease of use – AWS KMS provides a simple and easy-to-use interface for creating and managing encryption keys
• Auditing – AWS KMS provides an audit trail of all key management activities, allowing users to track who accessed their keys and when
• Centralized control – AWS KMS allows you to centrally manage and control all of your encryption keys, making it easy to rotate keys or revoke access as needed

There are three types of KMS keys:

• Customer managed keys
• AWS managed keys
• AWS owned keys

With RDS/Aurora, you can use either customer managed or AWS managed keys for data at rest encryption. For an Amazon RDS/Aurora encrypted DB instance, all logs, backups, and snapshots are encrypted. Amazon RDS/Aurora uses an AWS KMS key to encrypt these resources. For more information about KMS keys, see AWS KMS keys in the AWS Key Management Service Developer Guide. If you copy an encrypted snapshot, you can use the same or different KMS key to encrypt the target snapshot.

A read replica of an Amazon RDS encrypted instance must be encrypted using the same KMS key as the primary DB instance when both are in the same AWS Region. If the primary DB instance and read replica are in different AWS Regions, you encrypt the read replica using the KMS key for that AWS Region.

Let’s focus on the important differences and how these keys work with RDS/Aurora environments.

Customer managed keys

The KMS keys that you create are customer managed keys. Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the KMS keys, and scheduling the KMS keys for deletion.

Multi-Region compared to Single-Region keys

When it has been first launched, AWS KMS has been isolated to a single Region for each implementation, meaning there was no sharing of keys, policies, or audit information across Regions. This Region isolation can assist in meeting security standards and data residency requirements. However, not having the ability to share keys across Regions can pose challenges when data that depends on those keys needs to be moved across Regions. To address this, AWS services that use KMS keys for server-side encryption transparently re-encrypt data on the user’s behalf using the designated KMS keys in the destination Region. In contrast, client-side encryption adds extra complexity and latency for re-encrypting between Regionally-isolated KMS keys. You can also refer to this post for performing SQL database client-side encryption for multi-Region high availability.

Multi-Region keys is a new feature from AWS KMS for client-side applications that makes AWS KMS-encrypted ciphertext portable across Regions. Multi-Region keys are a set of interoperable KMS keys that have the same key ID and key material, and can be replicated to different Regions within the same AWS partition. With symmetric multi-Region keys, data can be encrypted in one Region and decrypted in a different Region. With asymmetric multi-Region keys, encryption, decryption, signing, and verifying messages can be done in multiple Regions.

You can choose from using a single-Region key (which never allows this key to be replicated into other Regions) or a multi-Region key (which allows this key to be replicated into other Regions). You should create these keys before using them in RDS/Aurora. When you create an RDS/Aurora global database, you can choose from KMS keys in your account or enter the Amazon Resource Name (ARN) of a key from a different account.

As of this writing, AWS services that integrate with AWS KMS for encryption at rest or digital signatures currently treat multi-Region keys as though they were single-Region keys. They might re-wrap data moved between Regions.

Multi-Region keys are not global. You create a multi-Region primary key and then replicate it to Regions that you select within an AWS partition. Then you manage the multi-Region key in each Region independently. Neither AWS nor AWS KMS ever automatically creates or replicates multi-Region keys into any Region on your behalf. For customer managed multi-Region keys, AWS manages key rotation for you by replicating the crypto information to another Region during key rotation if enabled. Shared properties are properties of a multi-Region primary key that are shared with its replica keys. All other properties of multi-Region keys are independent properties, including the description, key policy, grants, enabled and disabled key states, aliases, and tags. You can set the same values for these properties on all related multi-Region keys, but if you change the value of an independent property, AWS KMS doesn’t synchronize it.

You must manage each multi-Region key independently, including creating aliases and tags, setting their key policies and grants, and enabling and disabling them selectively. You can use multi-Region keys in all cryptographic operations that you can do with single-Region keys.

Do not use single-Region keys if you plan to use client-side encryption libraries on specific Regions, especially for active/active (read/write on multi-Region) solutions.

Pricing and quotas

Every key in a set of related multi-Region keys counts as one KMS key for pricing and quotas. AWS KMS quotas are calculated separately for each Region of an account. Use and management of the multi-Region keys in each Region count toward the quotas for that Region.

Multi-Region and Single-Region customer managed keys both have a storage fee of $1 per key per month (pro-rated hourly) and fees for API usage against these keys.

AWS managed keys

AWS managed keys are a single-Region key for each service. The default primary key protects your RDS or Aurora database volumes when no other key is defined. When using an Aurora global database, the secondary Region has different keys created and maintained by AWS.

There is no monthly fee, but AWS managed keys charge for API usage (some AWS services pay this fee for you).

AWS managed keys are automatically rotated every year.

Summary

In this post, you learned about different type of AWS KMS keys to encrypt Amazon RDS and Aurora Global Database. For most data security needs, the regional isolation and fault tolerance of regional resources make standard KMS single-Region keys a best-fit solution. However, when you need to encrypt or sign data in client-side applications across multiple Regions, multi-Region keys might be the solution. If you have any questions or comments about this post, use the comments section.

About the Authors

Siva Subramaniam is a Senior Solutions Architect with AWS, and has two decades of IT experience in technical leadership and application and database design. He has helped customers to deploy, migrate databases to Amazon Web Services and innovate with purpose built databases. Siva enjoys playing cricket with his friends and son, doing farming and agriculture-related activities, and learning to cook from his wife.

Robert Daly is a Senior Database Specialist Solutions Architect at AWS, focusing on Amazon RDS, Amazon Aurora, and AWS DMS. He has helped multiple enterprise customers move their databases to AWS, providing assistance on performance and best practices. Robert enjoys helping customers build technical solutions to solve business problems.