Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News AWS Key Management Service Introduces Multi-Region Keys

AWS Key Management Service Introduces Multi-Region Keys

This item in japanese

AWS has recently announced the availability of KMS multi-region keys, a new feature for client-side applications that makes encrypted data portable across regions.

Once a primary multi-region key with a new ID and material is created in one region, it is possible to create a related multi-region replica one in a different region that can be used independently. The primary and replica keys share the key ID, key rotation, and key origin, making it possible to encrypt data in one region and decrypt it in a different one.


In a separate article that shows how to encrypt global data client-side with AWS KMS multi-region keys, the cloud provider explains the need for the new feature:

From its inception, AWS KMS has been strictly isolated to a single AWS region for each implementation, with no sharing of keys, policies, or audit information across regions. Region isolation can help you comply with security standards and data residency requirements. However, not sharing keys across regions creates challenges when you need to move data that depends on those keys across regions. (...) If you use client-side encryption, this work adds extra complexity and latency of re-encrypting between regionally isolated KMS keys.

Using multi-region keys can help in different data security scenarios such as disaster recovery, global data management, distributed signing applications and active-active applications across multiple regions. Even if it is not a global key but rather an option to replicate keys, the new feature makes multi region deployments easier to manage, as there is no need anymore to decrypt and encrypt again the data as it moves across regions.


The feature has been often requested by the community, and user CeralEnt explains on Reddit how he stumbled upon the change:

I was looking at some KMS keys today and saw the "Regionality" property in the console. And I was sitting there thinking, "Gee, I don't remember keys having the ability to be multi-region. Weird, must have not paid enough attention. Neat.

Other developers focus on the advantages for infrastructure as code and CloudFormation templates:

No more "an alias is as good as a multi-region key!" (...) I spent so much time making sure I was using aliases throughout my CloudFormation templates.

Single-region and multi-region keys are supported in the AWS KMS console, the AWS KMS API, the AWS Encryption SDK, Amazon DynamoDB Encryption Client, and Amazon S3 Encryption Client. Users are charged for all CMKs created and for API requests according to the AWS KMS pricing. Multi-region keys are available in all public AWS regions.


Rate this Article