{"id":9382,"date":"2021-12-08T00:51:40","date_gmt":"2021-12-08T00:51:40","guid":{"rendered":"https:\/\/blog.cloudthat.com\/?p=9382"},"modified":"2024-06-25T11:06:18","modified_gmt":"2024-06-25T11:06:18","slug":"cloud-trends-2022-aws-kms-multi-region-key","status":"publish","type":"blog","link":"https:\/\/www.cloudthat.com\/resources\/blog\/cloud-trends-2022-aws-kms-multi-region-key","title":{"rendered":"Cloud Trends 2022: AWS KMS Multi-Region key"},"content":{"rendered":"

Recently AWS Introduced a new Feature called AWS KMS Multi-Regions\u00a0Keys that will support replicate keys from One region into another.<\/span>\u00a0<\/span>Using Multi-Regions\u00a0we can easily move the encrypted data from one region to another without having to decrypt and re-encrypt with different keys in each Region.<\/span><\/p>\n

\"\"<\/a><\/p>\n

Table of Contents<\/h2>\n

Multi-Region Key<\/a><\/h1>\n

Primary Key<\/a><\/h1>\n

Replica Key<\/a><\/h1>\n

Replicate<\/a><\/h1>\n

KMS Multi-Region Key Creation<\/a><\/h1>\n

Encrypting EBS Snapshots<\/a><\/h1>\n

Changing Replica key to Primary key<\/a><\/h1>\n

KMS Key Rotation<\/a><\/h1>\n

Conclusion<\/a><\/h1>\n

Multi-Region Key<\/h1>\n

An AWS regional key can be either symmetric or asymmetric, and it can be generated from AWS KMS key material or imported key material. A custom key store cannot create regional keys. In AWS Multi-Region Key, a set of KMS keys have the same key ID and key material (and other properties) in different AWS Regions.\u00a0Therefore, each KMS key is fully functional and equally usable in any AWS Region.\u00a0Furthermore, each related multi-Region key\u00a0can\u00a0decrypt ciphertext encrypted by any related multi-Region key since they all share a key ID and key material.<\/span>\u00a0<\/span><\/p>\n

To\u00a0migrate existing workloads to\u00a0multi-Region\u00a0scenarios, you must re-encrypt data or create new signatures with new\u00a0multi-Region\u00a0keys. Once you create a key with a multi-Region property set, this property cannot be changed. Multiple sets of related multi-Region keys can exist in the same or different AWS Regions. While related multi-region keys are interoperable, unrelated multi-region keys are not.<\/span>\u00a0<\/span><\/p>\n

Primary Key<\/h1>\n

In AWS, a multi-Region primary key means a set of keys can be replicated within different AWS Regions in the same partition. A multi-Region key has only one primary key. Primary keys are not required to be replicated. You can use them just like any other KMS key and replicate them when necessary. However,\u00a0<\/span>we\u00a0<\/span>recommen<\/span>d<\/span>\u00a0creat<\/span>ing<\/span>\u00a0a multi-Region key since they have different security properties than single-Region keys.<\/span><\/span>\u00a0<\/span><\/p>\n

Replica Key<\/h1>\n

Multi-Region replica keys have the same key ID and key material as their primary keys and related replica keys but\u00a0are located in\u00a0a different AWS Regions. Unlike the primary key and all related replica keys, a replica key is a fully functional KMS key with its own policy, grants, alias, tags, and other properties. A replica key may be used even if the primary key and all related replica keys are disabled. You can convert a primary key to a replica key and a replica key to a primary key.<\/span>\u00a0<\/span><\/p>\n

Replica Key is different from Primary key as follows,<\/span>\u00a0<\/span><\/p>\n

    \n
  1. Only Primary Key can be replicated.<\/span>\u00a0<\/span><\/li>\n
  2. Primary keys are the source of shared properties of their replica keys, such as key IDs and key materials.<\/span>\u00a0<\/span><\/li>\n
  3. Automatic key rotation can be enabled or disabled only on primary keys.<\/span>\u00a0<\/span><\/li>\n
  4. Primary keys can be scheduled for deletion at any time. However, AWS KMS will not delete a primary key until all its replica keys have been deleted.<\/span>\u00a0<\/span><\/li>\n<\/ol>\n

    \u00a0<\/span>Despite this, primary and replica keys\u00a0do not\u00a0differ in any cryptographic properties. They can be used interchangeably.<\/span>\u00a0<\/span><\/p>\n

    Replicate<\/h1>\n

    It is possible to\u00a0<\/span><\/span>replicate<\/span><\/span>\u00a0a multi-Region primary key into a different AWS Region in the same partition. When you replicate the primary key into a replica key, AWS KMS creates a multi-Region replica key in the specified Region with the same key ID and other shared properties as its primary key.<\/span><\/span>\u00a0<\/span><\/p>\n

    KMS Multi-Region Key Creation<\/h1>\n

    Now we are going to see how AWS KMS Multi-Region work using the following example:<\/span>\u00a0<\/span><\/p>\n

    1.Go to\u00a0the\u00a0AWS Console, and select KMS from the AWS Service List, then click on Create a Key.\"\"<\/a><\/span><\/p>\n

    2. Select the Symmetric key and click Advanced Options<\/span>.\u00a0\u00a0<\/span><\/span><\/span><\/p>\n

    \"\"<\/a><\/p>\n

    3. Select KMS and Mult-Region-Key from the list and click on Next<\/span>.<\/span><\/span>\u00a0<\/span><\/span><\/span><\/p>\n

    \"\"<\/a><\/p>\n

    4. Provide the Alias Name and Description in the respective field<\/span>.<\/span><\/span>\u00a0<\/span><\/span><\/span><\/p>\n

    \"\"<\/a><\/p>\n

    5. Give Appropriate Tags and click on Next<\/span><\/span>\u00a0<\/span><\/span><\/span><\/p>\n

    \"\"<\/a><\/p>\n

    6. Now you need to provide the\u00a0<\/span>IAM (Identity and Access Management)<\/span>\u00a0users and roles who can administer this key through the KMS API. You may need to add additional permissions for the users or roles to administer this key from this console.<\/span><\/span>\u00a0<\/span><\/span><\/span><\/p>\n

    \"\"<\/a><\/p>\n

    7.\u00a0 You can select the\u00a0<\/span>Allow key administrators to delete this key\u00a0<\/span><\/i>option if you want to allow your Administrators to delete the key which you are creating and click on Next.<\/span>\u00a0<\/span><\/p>\n

    \"\"<\/a><\/p>\n

    8. Now you can Define the key usage permissions. By choosing this option you can select the IAM users and roles that can use the KMS key in cryptographic operations.<\/span>\u00a0<\/span><\/p>\n

    \"\"<\/a><\/p>\n

    9. If you want to specify this key with other AWS Accounts, you can add the AWS Account ID in the below section, (I am not using this option in this Demo.)<\/span><\/span>\u00a0<\/span><\/span><\/p>\n

    \"\"<\/a><\/p>\n

    10. Now you can Review the KMS Configurations and the key policy.<\/p>\n

    \"\"<\/a><\/p>\n

    \"\"<\/a><\/p>\n

    11. After clicking on Finish, you can see your KMS Key in the KMS key console<\/span><\/span>\u00a0<\/span><\/p>\n

    \"\"<\/a><\/p>\n

    \u00a0<\/span>\u00a0<\/span><\/p>\n

    Encrypting EBS Snapshots<\/h1>\n

    Now I am going to copy an AMI from the Mumbai region to Tokyo region after encrypting the EBS Snapshots by using the key which we created earlier.<\/span>\u00a0<\/span><\/p>\n

    1.\u00a0<\/span>Go to the EC2 Console and select the AMIs section Under Images. Now select the AMI which you want to encrypt.<\/span>\u00a0<\/span><\/p>\n

    \"\"<\/a><\/p>\n

    2. Now click on Actions and select the Copy AMI option<\/span>.<\/span><\/p>\n

    \"\"<\/a><\/p>\n

    3.\u00a0 I have Selected Destination Region as\u00a0<\/span><\/span>Tokyo\u00a0<\/span><\/span>and select the<\/span><\/span>\u00a0Encrypt target EBS snapshots<\/span><\/span>\u00a0option.\u00a0<\/span><\/span>But I am not able to see the Key which we created earlier. For that, we need to Replicate our Primary Key from Mumbai to Tokyo Region.<\/span>\u00a0<\/span><\/p>\n

    \"\"<\/a><\/p>\n

    4. Go back to the KMS Console and select the key which we created earlier, then select the Regionality option.<\/p>\n

    \"\"<\/a><\/p>\n

    5. Now select the\u00a0<\/span><\/span>Create new replica keys\u00a0<\/span><\/span>option,<\/span><\/span><\/p>\n

    \"\"<\/a><\/p>\n

    6.\u00a0 Now select the Replica Region as Tokyo and click on Next<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

    \"\"<\/a><\/p>\n

    7. Now you can see the current values of the primary key. But you can change them. AWS KMS does\u00a0<\/span><\/span>not<\/span><\/span>\u00a0synchronize any changes to these values.\u00a0<\/span>C<\/span>lick on Next<\/span>.<\/span><\/span><\/p>\n

    \"\"<\/a><\/p>\n

    8. In the next field, we can see the current values of the primary key, but you can change them. AWS KMS does\u00a0<\/span><\/span>not<\/span><\/span>\u00a0synchronize any changes to these values.<\/span><\/span><\/p>\n

    \"\"<\/a><\/p>\n

    9 . This field displays the current values of the primary key, but you can change them. AWS KMS does\u00a0<\/span><\/span>not<\/span><\/span>\u00a0synchronize any changes to these values.<\/span><\/span>\u00a0<\/span><\/p>\n

    \"\"<\/a><\/p>\n

    10. Review the Key Configurations, Policy and Click on Create new replica keys<\/span>.<\/span><\/p>\n

    \"\"<\/a><\/p>\n

    11. Now we can see the Replica key in the Tokyo region.<\/span><\/span><\/p>\n

    \"\"<\/a>\u00a0<\/span><\/p>\n

    12.\u00a0 Now we can go back to the EC2 Dashboard and copy the AMI to the Tokyo region, now we can see our key in the list. Select the key and click on Copy AMI<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

    \"\"<\/a><\/p>\n

    13. After Completing the sharing, you can see the Encrypted EBS Snapshots.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

    \"\"<\/a><\/p>\n

     <\/p>\n

    Changing Replica key to Primary key<\/h1>\n
      \n
    1. We can also change any replica to the primary key. For that, we need to go to the region in which we have the Primary Key,\u00a0then\u00a0select the key and choose the Regionality option and click on Change primary Region.<\/span><\/li>\n<\/ol>\n

      \"\"<\/a><\/span><\/p>\n

      2 . Select the Region from the dropdown menu and click on Change primary Region<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

      \"\"<\/a><\/p>\n

      3. Now you can see the Primary key is converted to the Replica key and the Replica key is converted to the Primary key.<\/p>\n

      \"\"<\/a><\/p>\n

      \u00a0<\/span><\/p>\n

      KMS Key Rotation<\/h1>\n

      \u00a0<\/span><\/span><\/p>\n

      As a best practice,\u00a0you\u00a0can create new KMS keys and then change your applications to use the new ones. You can also enable automatic key rotation for existing KMS keys.<\/span>\u00a0<\/span><\/p>\n

      AWS KMS can generate new cryptographic material for a KMS key every year when you enable automatic key rotation, and it can also keep the key\u2019s older cryptographic material in perpetuity so it can be used to decrypt the data that the key encrypted.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

        \n
      1. To enable key Rotation,\u00a0go\u00a0to the KMS Console, select the\u00a0key (Primary Key), then select the Key rotation option.<\/span><\/li>\n<\/ol>\n

        \"\"<\/a><\/p>\n

        2. Click on Automatically rotate this KMS key every year option and click Save.<\/span><\/span>\u00a0<\/span><\/p>\n

        \"\"<\/a><\/p>\n

        Conclusion<\/h1>\n

        AWS KMS automatically rotates AWS-managed keys every three years.\u00a0<\/span>Multi-Region keys allow\u00a0us\u00a0to move encrypted data between regions without having to decrypt and re-encrypt each one with a different key.\u00a0Please share your valuable feedback in the comment section.\u00a0<\/span>\u00a0<\/span><\/p>\n

        About CloudThat<\/h1>\n

        CloudThat provides end-to-end support with all the AWS services. As a pioneer in the Cloud Computing consulting realm, we are\u00a0 AWS (Amazon Web Services) Advanced Consulting Partner, and Training partner. We are on a mission to build\u00a0a robust\u00a0cloud computing ecosystem by disseminating\u00a0knowledge on technological intricacies within the cloud space. Read more about CloudThat\u2019s Consulting and Expert Advisory here:\u00a0https:\/\/www.cloudthat.com\/expert-advisory\/<\/a><\/p>\n

        References:<\/h1>\n

        https:\/\/aws.amazon.com\/about-aws\/whats-new\/2021\/06\/kms-multi-region-keys\/<\/a><\/p>\n","protected":false},"author":236,"featured_media":0,"parent":0,"comment_status":"open","ping_status":"open","template":"","blog_category":[3606,3607],"user_email":"deepaks@cloudthat.com","published_by":"324","primary-authors":"","secondary-authors":"","acf":[],"_links":{"self":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog\/9382"}],"collection":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/users\/236"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/comments?post=9382"}],"version-history":[{"count":1,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog\/9382\/revisions"}],"predecessor-version":[{"id":46124,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog\/9382\/revisions\/46124"}],"wp:attachment":[{"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/media?parent=9382"}],"wp:term":[{"taxonomy":"blog_category","embeddable":true,"href":"https:\/\/www.cloudthat.com\/resources\/wp-json\/wp\/v2\/blog_category?post=9382"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}