Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News AWS Key Management Service Now Supports External Key Stores

AWS Key Management Service Now Supports External Key Stores

AWS recently announced the availability of AWS Key Management Service (AWS KMS) External Key Store (XKS), allowing organizations to store and manage their encryption keys outside the AWS KMS service.

AWS Key Management Service (KMS) is an Amazon Web Services (AWS) managed service. It allows organizations to easily create, manage and control the encryption keys to encrypt their data. The service now supports an external key store, which can be a third-party service or application that can be used to store and manage encryption keys.

When organizations configure AWS KMS External Key Store, they replace the KMS key hierarchy with a new external root of trust. The root keys are now all generated and stored inside an HSM they provide and operate - when AWS KMS needs to encrypt or decrypt a data key; it forwards the request to their vendor-specific HSM.

Sébastien Stormacq, a principal developer advocate at AWS, explains in an AWS News blog post:

All AWS KMS interactions with the external HSM are mediated by an external key store proxy (XKS proxy), a proxy that you provide and manage. The proxy translates generic AWS KMS requests into a format that the vendor-specific HSMs can understand. The HSMs that XKS communicates with is not located in AWS data centers.


To provide customers with a broad range of external key manager options, the AWS KMS Team developed the XKS specification with feedback from several HSM, key management, and integration service providers, including Thales, Entrust, Salesforce, T-Systems, Atos, Fortanix, and HashiCorp. 

James Bayer, EVP of R&D at HashiCorp, tweeted:

AWS announced AWS KMS External Key Store. Now store your KMS root key outside of AWS infrastructure and @HashiCorp. Vault is a launch partner. Important for anyone worried about regulatory compliance and controls related to their encryption keys.

In addition, Faiyaz Shahpurwala, chief product and strategy officer at Fortanix, said in a press release:

We’re thrilled to work with AWS as they launch AWS KMS External Key Store to global enterprise customers that are subject to regulatory and compliance requirements. We believe this will give customers more choice and control over their key management lifecycle while leveraging the best-in-class benefits provided by AWS.

Lastly, pricing-wise, AWS KMS charges $1 per root key per month, no matter where the key material is stored, on KMS, on CloudHSM, or the organization’s own on-premises HSM. Furthermore, additional details about the external key store are available in the FAQs.

About the Author

Rate this Article