3 min read

Secure BYOK Service for AWS Applications

Secure BYOK Service for AWS Applications

This article discusses using Cryptomathic’s BYOK and key management service for securely managing cryptographic keys used in AWS applications.

Cryptomathic has been providing high-security cryptographic systems since 1986 to protect data for the banking industry and governments on a global scale. Cryptomathic’s cloud-based AWS BYOK Service has been created to support demand for securely generating and managing BYOK cryptographic keys that are used in numerous AWS cloud services - for a higher level of control over permissions and key life cycles versus allowing AWS to control the entire key management.


  1. AWS BYOK Service = Cryptomathic’s subscription service for Bring Your Own Key to the AWS cloud environment.
  2. AWS KMS = Amazon Web Services Key Management System, which keys are imported into for use by the AWS applications.

Cryptomathic’s Approach to BYOK


There are varied approaches to the concept of “bring your own key.” Historically, Cryptomathic has approached the subject of BYOK along the lines of “manage your own key” (MYOK). This key management approach is designed to enable the user(s) to retain keys and manage them throughout their entire life cycle from creation to destruction as well as keep audit logs for compliance purposes. 

With Cryptomathic’s AWS BYOK Service, the keys are generated in dedicated FIPS 140-2 Level 3 HSMs and are then pushed to the AWS KMS for use by the AWS application(s). The service allows users to manage the life cycle of their keys and access secure audit logs for compliance purposes. . The service is subscription based and companies can pay per month or annually for a reduced fee. It is economical for small and occasional applications, but able to scale up to a full-fledged secure key life-cycle management service of an international corporation, bank or government.

Scalable, Durable, and High Availability

The best key management system is one that offers scalability, durability and high availability, which is what Cryptomathic’s AWS BYOK Service does. It is a fully managed service that automatically scales to meet the needs of its user as their use of encryption expands, allowing for multiple keys to be managed and used whenever needed.

Enhanced Security for Peace of Mind

Cryptomathic’s cloud-based key management service is designed in such a way that no one, including employees from AWS can retrieve users’ plaintext keys from the service. To protect the integrity and confidentiality of users’ cryptographic keys, the service utilizes hardware security modules (HSMs) that are validated under FIPS 140-2 Level 3.

Plaintext keys are only made available for use within the secure environment of the cloud HSMs while performing requested cryptographic operations. When importing keys into AWS KMS , the user maintains a secure copy in Cryptomathic’s AWS BYOK Service  in case they need to be re-imported or exported.

New call-to-action

AWS Applications that Integrate with Cryptomathic’s AWS BYOK Service

Cryptomathic’s AWS BYOK Service gives a higher  level of control over the permissions and life cycle of your keys. AWS applications that can be integrated with Cryptomathic’s cloud-based BYOK Service are listed below.

→ AWS Audit Manager

Amazon CodeGuru

Amazon Lookout for Metrics

AWS Application Cost Profiler

Amazon Comprehend

Amazon Lookout for Vision

AWS Application Migration Service

Amazon Connect

Amazon Macie

AWS App Runner

Amazon Connect Customer Profiles

→ Amazon Managed Blockchain

→ AWS Backup

→ Amazon Connect Voice ID

→ Amazon Managed Service for Prometheus

→ AWS CloudTrail

→ Amazon Connect Wisdom

Amazon Managed Streaming for Kafka (MSK)

AWS Code Artifact

Amazon DocumentDB

Amazon Managed Workflows for Apache Airflow (MWAA)

AWS CodeBuild

Amazon DynamoDB

Amazon MemoryDB

AWS Code Pipeline

Amazon EBS

Amazon Monitron

AWS Control Tower

Amazon EC2 Image Builder

Amazon MQ

AWS Database Migration Service

Amazon EFS

Amazon Neptune

AWS Elastic Disaster Recovery

Amazon Elastic Container Registry (ECR)

Amazon Nimble Studio

AWS Elemental MediaTailor

Amazon Elastic Kubernetes Service (EKS)

Amazon Personalize

AWS Glue

Amazon Elastic Transcoder

Amazon QLDB

AWS Glue DataBrew

Amazon ElastiCache

Amazon Redshift

AWS IoT SiteWise

Amazon OpenSearch

Amazon Rekognition

AWS Lambda

Amazon EMR

Amazon Relational Database Service (RDS)

AWS License Manager

Amazon FinSpace

Amazon Route 53

AWS Network Firewall

Amazon Forecast

Amazon S3

AWS Proton

Amazon Fraud Detector

Amazon SageMaker

AWS Secrets Manager

Amazon FSx for Windows File Server

Amazon Simple Email Service (SES)

AWS Snowball

Amazon GuardDuty

Amazon Simple Notification Service (SNS)

AWS Snowball Edge

Amazon HealthLake

Amazon Simple Queue Service (SQS)

AWS Snowcone

Amazon Inspector

Amazon Textract

AWS Snowmobile

Amazon Kendra

Amazon Timestream

AWS Storage Gateway

Amazon Keyspaces (for Apache Cassandra)

Amazon Transcribe

AWS Systems Manager

Amazon Kinesis Data Streams

Amazon Translate


Amazon Kinesis Firehose

Amazon WorkMail

Amazon AppFlow

Amazon Kinesis Video Streams

Amazon WorkSpaces

Amazon Athena

Amazon Lex

Amazon Workspaces’ Web

Amazon Aurora

Amazon Location Service


Amazon CloudWatch Synthetics

Amazon Lookout for Equipment



New call-to-action