Durability protection
Additional service durability for keys generated by the service is provided by the use of offline HSMs, multiple nonvolatile storage of exported domain tokens, and redundant storage of encrypted KMS keys. The offline HSMs are members of the existing domains. Except that they are not online and do not participate in the regular domain operations, the offline HSMs appear in the domain state identically to the existing HSM members.
The durability design is intended to protect all KMS keys in a Region should AWS experience a wide-scale loss of either the online HSMs or the set of KMS keys stored within our primary storage system. AWS KMS keys with imported key material are not included under the durability protections afforded to other KMS keys. In the event of a Region-wide failure in AWS KMS, imported key material may need to be reimported into a KMS key.
The offline HSMs, and the credentials to access them, are stored in safes within monitored safe rooms in multiple independent geographical locations. Each safe requires at least one AWS security officer and one AWS KMS operator, from two independent teams in AWS, to obtain these materials. The use of these materials is governed by internal policy requiring a quorum of AWS KMS operators to be present.
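Because keys with imported key material fall outside these protections, it helps to know which keys in an account would need a reimport. The following is an added example, not AWS code: it uses the `Origin`, `KeyState`, `ExpirationModel` and `ValidTo` fields returned by the KMS `DescribeKey` API, and the function name and the 30-day `warn_days` threshold are assumptions chosen for illustration.

```python
"""Inventory KMS keys whose key material was imported (Origin == EXTERNAL)."""
from datetime import datetime, timedelta, timezone


def imported_key_report(kms, warn_days=30, now=None):
    """Return one dict per KMS key that relies on imported key material.

    kms       -- a boto3 KMS client, or any object exposing the same
                 get_paginator("list_keys") and describe_key methods
    warn_days -- assumed threshold for flagging material that expires soon
    """
    now = now or datetime.now(timezone.utc)
    report = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            if meta.get("Origin") != "EXTERNAL":
                continue  # key material was not imported by the customer
            issues = []
            if meta.get("KeyState") == "PendingImport":
                # The KMS key exists but currently holds no key material.
                issues.append("no key material present; import required")
            valid_to = meta.get("ValidTo")
            expires = meta.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES"
            if expires and valid_to and valid_to - now <= timedelta(days=warn_days):
                issues.append(f"material expires {valid_to:%Y-%m-%d}")
            report.append({
                "KeyId": meta["KeyId"],
                "KeyState": meta.get("KeyState"),
                "Issues": issues,
            })
    return report


if __name__ == "__main__":
    import boto3  # needed only when run against a real account

    for row in imported_key_report(boto3.client("kms")):
        print(row["KeyId"], row["KeyState"], "; ".join(row["Issues"]) or "ok")
```

Each key ID in the report identifies key material that the key owner must still hold outside AWS KMS in order to reimport it.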