News

AWS Offers 'Bring Your Own Keys' Encryption

• By David Ramel
• 08/17/2016

Security-conscious customers of the Amazon Web Services Inc. (AWS) cloud now have the option of controlling their own encryption keys.

The new capability is an adjunct to the existing fully managed AWS Key Management Service (KMS), wherein AWS takes care of all the details.

"Many AWS customers use KMS to create and manage their keys," said spokesperson Jeff Barr in a recent blog post. "A few, however, would like to maintain local control over their keys while still taking advantage of the other features offered by KMS. Our customers tell us that local control over the generation and storage of keys would help them meet their security and compliance requirements in order to run their most sensitive workloads in the cloud."

AWS is now accommodating those customers with the bring-your-own alternative.

"This allows you to protect extremely sensitive workloads and to maintain a secure copy of the keys outside of AWS," Barr said. "This new feature allows you to import keys from any key management and HSM (Hardware Security Module) solution that supports the RSA PKCS #1 standard, and use them with AWS services and your own applications."

Importing the keys can be done via different means: from the AWS Management Console, the AWS Command Line Interface or through programmatic calls to the KMS API.

Barr goes on to provide a hands-on example of importing the keys with the new service, which is available now in all commercial regions except for China (Beijing), and is also available in the AWS GovCloud (US).