Multi-Region keys in AWS KMS - AWS Key Management Service

Multi-Region keys in AWS KMS

AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. Each set of related multi-Region keys has the same key material and key ID, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS.

Like all KMS keys, multi-Region keys never leave AWS KMS unencrypted. You can create symmetric or asymmetric multi-Region keys for encryption or signing, create HMAC multi-Region keys for generating and verifying HMAC tags, and create multi-Region keys with imported key material or key material that AWS KMS generates. You must manage each multi-Region key independently, including creating aliases and tags, setting their key policies and grants, and enabling and disabling them selectively. You can use multi-Region keys in all cryptographic operations that you can do with single-Region keys.

Multi-Region keys are a flexible and powerful solution for many common data security scenarios.

Disaster recovery

In a backup and recovery architecture, multi-Region keys let you process encrypted data without interruption even in the event of an AWS Region outage. Data maintained in backup Regions can be decrypted in the backup Region, and data newly encrypted in the backup Region can be decrypted in the primary Region when that Region is restored.

Global data management

Businesses that operate globally need globally distributed data that is available consistently across AWS Regions. You can create multi-Region keys in all Regions where your data resides, then use the keys as though they were a single-Region key without the latency of a cross-Region call or the cost of re-encrypting data under a different key in each Region.

Distributed signing applications

Applications that require cross-Region signature capabilities can use multi-Region asymmetric signing keys to generate identical digital signatures consistently and repeatedly in different AWS Regions.

If you use certificate chaining with a single global trust store (for a single root certificate authority (CA), and Regional intermediate CAs signed by the root CA, you don't need multi-Region keys. However, if your system doesn't support intermediate CAs, such as application signing, you can use multi-Region keys to bring consistency to Regional certifications.

Active-active applications that span multiple Regions

Some workloads and applications can span multiple Regions in active-active architectures. For these applications, multi-Region keys can reduce complexity by providing the same key material for concurrent encrypt and decrypt operations on data that might be moving across Region boundaries.

You can use multi-Region keys with client-side encryption libraries, such as the AWS Encryption SDK, the AWS Database Encryption SDK, and Amazon S3 client-side encryption.

AWS services that integrate with AWS KMS for encryption at rest or digital signatures currently treat multi-Region keys as though they were single-Region keys. They might re-wrap or re-encrypt data moved between Regions. For example, Amazon S3 cross-region replication decrypts and re-encrypts data under a KMS key in the destination Region, even when replicating objects protected by a multi-Region key.

Multi-Region keys are not global. You create a multi-Region primary key and then replicate it into Regions that you select within an AWS partition. Then you manage the multi-Region key in each Region independently. Neither AWS nor AWS KMS ever automatically creates or replicates multi-Region keys into any Region on your behalf. AWS managed keys, the KMS keys that AWS services create in your account for you, are always single-Region keys.

You cannot convert an existing single-Region key to a multi-Region key. This design ensures that all data protected with existing single-Region keys maintain the same data residency and data sovereignty properties.

For most data security needs, the Regional isolation and fault tolerance of Regional resources make standard AWS KMS single-Region keys a best-fit solution. However, when you need to encrypt or sign data in client-side applications across multiple Regions, multi-Region keys might be the solution.

Regions

Multi-Region keys are supported in all AWS Regions that AWS KMS supports except for China (Beijing) and China (Ningxia).

Pricing and quotas

Every key in a set of related multi-Region keys counts as one KMS key for pricing and quotas. AWS KMS quotas are calculated separately for each Region of an account. Use and management of the multi-Region keys in each Region count toward the quotas for that Region.

Supported KMS key types

You can create the following types of multi-Region KMS keys:

  • Symmetric encryption KMS keys

  • Asymmetric KMS keys

  • HMAC KMS keys

  • KMS keys with imported key material

You cannot create multi-Region keys in a custom key store.

Learn more

Terminology and concepts

The following terms and concepts are used with multi-Region keys.

Multi-Region key

A multi-Region key is one of a set of KMS keys with the same key ID and key material (and other shared properties) in different AWS Regions. Each multi-Region key is a fully functioning KMS key that can be used entirely independently of its related multi-Region keys. Because all related multi-Region keys have the same key ID and key material, they are interoperable, that is, any related multi-Region key in any AWS Region can decrypt ciphertext encrypted by any other related multi-Region key.

You set the multi-Region property of a KMS key when you create it. You cannot change the multi-Region property on an existing key. You cannot convert a single-Region key to multi-Region key or a convert a multi-Region key to a single-Region key. To move existing workloads into multi-Region scenarios, you must re-encrypt your data or create new signatures with new multi-Region keys.

A multi-Region key can be symmetric or asymmetric and it can use AWS KMS key material or imported key material. You cannot create multi-Region keys in a custom key store.

In a set of related multi-Region keys, there is exactly one primary key at any time. You can create replica keys of that primary key in other AWS Regions. You can also update the primary region, which changes the primary key to a replica key and changes a specified replica key to the primary key. However, you can maintain only one primary key or replica key in each AWS Region. All of the Regions must be in the same AWS partition.

You can have multiple sets of related multi-Region keys in the same or different AWS Regions. Although related multi-Region keys are interoperable, unrelated multi-Region keys are not interoperable.

Primary key

A multi-Region primary key is a KMS key that can be replicated into other AWS Regions in the same partition. Each set of multi-Region keys has just one primary key.

A primary key differs from a replica key in the following ways:

However, primary and replica keys don't differ in any cryptographic properties. You can use a primary key and its replica keys interchangeably.

You are not required to replicate a primary key. You can use it just as you would any KMS key and replicate it if and when it is useful. However, because multi-Region keys have different security properties than single-Region keys, we recommend that you create a multi-Region key only when you plan to replicate it.

Replica key

A multi-Region replica key is a KMS key that has the same key ID and key material as its primary key and related replica keys, but exists in a different AWS Region.

A replica key is a fully functional KMS key with it own key policy, grants, alias, tags, and other properties. It is not a copy of or pointer to the primary key or any other key. You can use a replica key even if its primary key and all related replica keys are disabled. You can also convert a replica key to a primary key and a primary key to a replica key. Once it is created, a replica key relies on its primary key only for key rotation and updating the primary Region.

Primary and replica keys don't differ in any cryptographic properties. You can use a primary key and its replica keys interchangeably. Data encrypted by a primary or replica key can be decrypted by the same key, or by any related primary or replica key.

Replicate

You can replicate a multi-Region primary key into a different AWS Region in the same partition. When you do, AWS KMS creates a multi-Region replica key in the specified Region with the same key ID and other shared properties as its primary key. Then it securely transports the key material across the Region boundary and associates it with the new replica key, all within AWS KMS.

Shared properties

Shared properties are properties of a multi-Region primary key that are shared with its replica keys. AWS KMS creates the replica keys with the same shared property values as those of the primary key. Then, it periodically synchronizes the shared property values of the primary key to its replica keys. You cannot set these properties on a replica key.

The following are the shared properties of multi-Region keys.

You can also think of the primary and replica designations of related multi-Region keys as shared properties. When you create new replica keys or update the primary key, AWS KMS synchronizes the change to all related multi-Region keys. When these changes are complete, all related multi-Region keys list their primary key and replica keys accurately.

All other properties of multi-Region keys are independent properties, including the description, key policy, grants, enabled and disabled key states, aliases, and tags. You can set the same values for these properties on all related multi-Region keys, but if you change the value of an independent property, AWS KMS does not synchronize it.

You can track the synchronization of the shared properties of your multi-Region keys. In your AWS CloudTrail log, look for the SynchronizeMultiRegionKey event.