Key management is an unsung and underrated issue for encryption in enterprises; a poor understanding of it can lead to major problems. A new Amazon Web Services feature, KMS (Key Management Service), intends to reduce the hassle of managing encryption keys for Amazon resources like EBS or S3, as well as for an enterprise's on-premises resources.
KMS gives an organization a single dashboard from which it can create and manage keys, encrypt data in Amazon applications, and audit key usage. Amazon's blog post announcing KMS states that S3, EBS, and Redshift (Amazon's cloud data-warehousing solution) all encrypt data at rest with KMS, with API calls to KMS logged in AWS CloudTrail.
Amazon claims it has hardened the key management process through a variety of techniques, such as not storing keys on disk or allowing them to persist in memory. A whitepaper published by Amazon provides further details on how the process works and emphasizes many points that security mavens are likely to bring up. No single Amazon employee, for instance, can gain physical access to a customer's master keys or do so without notification, and keys are kept in the same geographic region as its associated data.
KMS's API set can be used to encrypt, decrypt, or re-encrypt data; generate and manage encryption keys; and perform key policy management. It does not, however, let you generate certificates or perform cryptographic signing. Anyone looking to use KMS for those features will have to roll their own implementation at this point.
KMS's pricing is both by key and by activity. Each individual key costs $1 per month, with additional costs for automatic annual key rotation, and every 10,000 key requests costs 3 cents, with 20,000 free requests available per month.
Encryption has a number of points of failure, some of them subtle. KMS covers many of the most obvious, and its documentation mentions one that isn't so apparent: a strong random-number generator. The whitepaper notes that KMS uses "a high-quality source of random numbers," although it doesn't provide further technical details. Amazon may be protecting the customer with this move, but it's hard to have much transparency when placing such implicit trust in a third party. Also, Amazon has so far offered little in the way of tangible detail about how to integrate on-premises applications and storage with KMS.
One clear point emerges after reading KMS's documentation and promotional material: Amazon is positioning KMS as part of a regulatory compliance solution that may be less complex or costly than its existing CloudHSM. Like KMS, the CloudHSM system uses stand-alone hardware appliances to store cryptographic keys, but it costs $5,000 up front plus hourly charges. It should be appealing to startups or small businesses, but mainly if they're committing to Amazon's infrastructure -- at least until more on-premises usage details emerge.