Security considerations for multi-Region keys
Use an AWS KMS multi-Region key only when you need one. Multi-Region keys provide a flexible and scalable solution for workloads that move encrypted data between AWS Regions or need cross-Region access. Consider a multi-Region key if you must share, move, or back up protected data across Regions or need to create identical digital signatures of applications operating in different Regions.
However, the process of creating a multi-Region key moves your key material across AWS Region boundaries within AWS KMS. The ciphertext generated by a multi-Region key can potentially be decrypted by multiple related keys in multiple geographic locations. There are also significant benefits to Regionally-isolated services and resources. Each AWS Region is isolated and independent of the other Regions. Regions provide fault tolerance, stability, and resilience, and can also reduce latency. They enable you to create redundant resources that remain available and unaffected by an outage in another Region. In AWS KMS, they also ensure that every ciphertext can be decrypted by only one key.
Multi-Region keys also raise new security considerations:
- Controlling access and enforcing data security policy is more complex with multi-Region keys. You need to ensure that policy is audited consistently on keys across multiple, isolated Regions. And you need to use policy to enforce boundaries, instead of relying on separate keys.
  For example, you need to set policy conditions on data to prevent payroll teams in one Region from being able to read payroll data for a different Region. Also, you must use access control to prevent a scenario where a multi-Region key in one Region protects one tenant's data and a related multi-Region key in another Region protects a different tenant's data.
- Auditing keys across Regions is also more complex. With multi-Region keys, you need to examine and reconcile audit activities across multiple Regions to gain a complete understanding of key activities on protected data.
- Compliance with data residency mandates can be more complex. With isolated Regions, you can ensure data residency and data sovereignty compliance. KMS keys in a given Region can decrypt sensitive data only in that Region. Data encrypted in one Region can remain completely protected and inaccessible in any other Region.
  To verify data residency and data sovereignty with multi-Region keys, you need to implement access policies and compile AWS CloudTrail events across multiple Regions.
To make it easier for you to manage access control on multi-Region keys, the permission to replicate a multi-Region key (kms:ReplicateKey) is separate from the standard permission to create keys (kms:CreateKey). Also, AWS KMS supports several policy conditions for multi-Region keys, including kms:MultiRegion, which allows or denies permission to create, use, or manage multi-Region keys, and kms:ReplicaRegion, which restricts the Regions into which a multi-Region key can be replicated. For details, see Control access to multi-Region keys.
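The following IAM policy is an added example, not part of the AWS documentation above, showing how the kms:MultiRegion and kms:ReplicaRegion condition keys enforce the boundaries described in this section. It assumes an account whose approved replication targets are us-west-2 and eu-west-1 (both chosen for illustration); the explicit Deny statements take precedence over any Allow the principal otherwise holds, so they act as guardrails rather than grants.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreatingNewMultiRegionKeys",
      "Effect": "Deny",
      "Action": "kms:CreateKey",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:MultiRegion": "true"
        }
      }
    },
    {
      "Sid": "DenyReplicationOutsideApprovedRegions",
      "Effect": "Deny",
      "Action": "kms:ReplicateKey",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "kms:ReplicaRegion": [
            "us-west-2",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
```

The first statement blocks creation of any new multi-Region primary key by this principal while leaving single-Region key creation untouched; the second denies kms:ReplicateKey whenever the requested ReplicaRegion is not in the approved list, so an existing multi-Region key cannot be extended into a Region where a data residency mandate forbids it. Pair the policy with CloudTrail queries for ReplicateKey events across all Regions to confirm it is actually being enforced.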