This article discusses using Cryptomathic’s BYOK and key management service for securely managing cryptographic keys used in AWS applications.
Cryptomathic has been providing high-security cryptographic systems since 1986, protecting data for the banking industry and governments worldwide. Cryptomathic’s cloud-based AWS BYOK Service was created to meet demand for securely generating and managing BYOK cryptographic keys used across numerous AWS cloud services, giving customers a higher level of control over permissions and key life cycles than leaving all key management to AWS.
Acronyms:
- AWS BYOK Service = Cryptomathic’s subscription service for Bring Your Own Key to the AWS cloud environment.
- AWS KMS = Amazon Web Services Key Management System, into which keys are imported for use by AWS applications.
Cryptomathic’s Approach to BYOK
There are varied approaches to the concept of “bring your own key.” Historically, Cryptomathic has approached the subject of BYOK along the lines of “manage your own key” (MYOK). This key management approach is designed to enable the user(s) to retain keys and manage them throughout their entire life cycle from creation to destruction as well as keep audit logs for compliance purposes.
With Cryptomathic’s AWS BYOK Service, the keys are generated in dedicated FIPS 140-2 Level 3 HSMs and are then pushed to AWS KMS for use by the AWS application(s). The service allows users to manage the life cycle of their keys and to access secure audit logs for compliance purposes. The service is subscription based; companies can pay per month, or annually for a reduced fee. It is economical for small and occasional applications, yet able to scale up to the full-fledged secure key life-cycle management service of an international corporation, bank or government.
Scalable, Durable, and High Availability
The best key management system is one that offers scalability, durability and high availability, which is what Cryptomathic’s AWS BYOK Service does. It is a fully managed service that automatically scales to meet the needs of its user as their use of encryption expands, allowing for multiple keys to be managed and used whenever needed.
Enhanced Security for Peace of Mind
Cryptomathic’s cloud-based key management service is designed so that no one, including AWS employees, can retrieve users’ plaintext keys from the service. To protect the integrity and confidentiality of users’ cryptographic keys, the service uses hardware security modules (HSMs) validated under FIPS 140-2 Level 3.
Plaintext keys are only made available within the secure environment of the cloud HSMs while performing requested cryptographic operations. When importing keys into AWS KMS, the user retains a secure copy in Cryptomathic’s AWS BYOK Service in case the key material needs to be re-imported or exported.
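The import step described above follows the standard AWS KMS "import key material" procedure, shown here as an added example that is not Cryptomathic's own code. Key ids, file names and the expiry date are placeholders; the wrapping step (RSAES-OAEP with SHA-256, which is what KMS requires) is the only part that runs offline, using a locally generated RSA key in place of the wrapping key KMS returns.

```shell
#!/usr/bin/env bash
# Added example: driving the AWS KMS BYOK import flow with the AWS CLI and openssl.
set -euo pipefail

# Step 1 (online): create a KMS key whose material will come from outside AWS.
create_external_key() {
  aws kms create-key --origin EXTERNAL --key-spec SYMMETRIC_DEFAULT \
      --description "BYOK key; material generated and retained in an external HSM" \
      --query KeyMetadata.KeyId --output text
}

# Step 2 (online): fetch the one-time RSA wrapping public key and import token.
fetch_import_params() {   # $1 = KMS key id (placeholder)
  aws kms get-parameters-for-import --key-id "$1" \
      --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 \
      --query '[PublicKey,ImportToken]' --output text > params.txt
  awk '{print $1}' params.txt | base64 -d > wrapping_pub.der
  awk '{print $2}' params.txt | base64 -d > import_token.bin
}

# Step 3 (offline): wrap the 32-byte AES key material with RSAES-OAEP/SHA-256.
# Only the KMS HSM fleet holding the matching private key can unwrap it, so the
# plaintext key never leaves the HSM boundary unprotected.
wrap_key_material() {     # $1 = plaintext key file, $2 = DER public key, $3 = output file
  openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$2" -in "$1" -out "$3" \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
      -pkeyopt rsa_mgf1_md:sha256
}

# Step 4 (online): import the wrapped material. Setting an expiry means KMS will
# refuse to use the key after that date until it is re-imported from the copy
# retained outside AWS, which is why that copy must be kept.
import_key_material() {   # $1 = KMS key id, $2 = expiry such as 2030-01-01T00:00:00Z (placeholders)
  aws kms import-key-material --key-id "$1" \
      --encrypted-key-material fileb://wrapped_key.bin \
      --import-token fileb://import_token.bin \
      --expiration-model KEY_MATERIAL_EXPIRES --valid-to "$2"
}
```

Steps 1, 2 and 4 need AWS credentials and the `kms:CreateKey`, `kms:GetParametersForImport` and `kms:ImportKeyMaterial` permissions; the wrapped blob must be imported before the import token expires.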
AWS Applications that Integrate with Cryptomathic’s AWS BYOK Service
Cryptomathic’s AWS BYOK Service gives a higher level of control over the permissions and life cycle of your keys. The AWS services that can be integrated with Cryptomathic’s cloud-based BYOK Service are listed below.
- AWS Audit Manager
- AWS Application Cost Profiler
- AWS Application Migration Service
- AWS App Runner
- AWS Backup
- AWS CloudTrail
- AWS Code Artifact
- AWS CodeBuild
- AWS Code Pipeline
- AWS Control Tower
- AWS Database Migration Service
- AWS Elastic Disaster Recovery
- AWS Elemental MediaTailor
- AWS Glue
- AWS Glue DataBrew
- AWS IoT SiteWise
- AWS Lambda
- AWS License Manager
- AWS Network Firewall
- AWS Proton
- AWS Secrets Manager
- AWS Snowball
- AWS Snowball Edge
- AWS Snowcone
- AWS Snowmobile
- AWS Storage Gateway
- AWS Systems Manager
- AWS X-Ray
- Amazon AppFlow
- Amazon Athena
- Amazon Aurora
- Amazon CloudWatch Synthetics
- Amazon CodeGuru
- Amazon Comprehend
- Amazon Connect
- Amazon Connect Customer Profiles
- Amazon Connect Voice ID
- Amazon Connect Wisdom
- Amazon DocumentDB
- Amazon DynamoDB
- Amazon EBS
- Amazon EC2 Image Builder
- Amazon EFS
- Amazon Elastic Container Registry (ECR)
- Amazon Elastic Kubernetes Service (EKS)
- Amazon Elastic Transcoder
- Amazon ElastiCache
- Amazon OpenSearch
- Amazon EMR
- Amazon FinSpace
- Amazon Forecast
- Amazon Fraud Detector
- Amazon FSx for Windows File Server
- Amazon GuardDuty
- Amazon HealthLake
- Amazon Inspector
- Amazon Kendra
- Amazon Keyspaces (for Apache Cassandra)
- Amazon Kinesis Data Streams
- Amazon Kinesis Firehose
- Amazon Kinesis Video Streams
- Amazon Lex
- Amazon Location Service
- Amazon Lookout for Equipment
- Amazon Lookout for Metrics
- Amazon Lookout for Vision
- Amazon Macie
- Amazon Managed Blockchain
- Amazon Managed Service for Prometheus
- Amazon Managed Streaming for Kafka (MSK)
- Amazon Managed Workflows for Apache Airflow (MWAA)
- Amazon MemoryDB
- Amazon Monitron
- Amazon MQ
- Amazon Neptune
- Amazon Nimble Studio
- Amazon Personalize
- Amazon QLDB
- Amazon Redshift
- Amazon Rekognition
- Amazon Relational Database Service (RDS)
- Amazon Route 53
- Amazon S3
- Amazon SageMaker
- Amazon Simple Email Service (SES)
- Amazon Simple Notification Service (SNS)
- Amazon Simple Queue Service (SQS)
- Amazon Textract
- Amazon Timestream
- Amazon Transcribe
- Amazon Translate
- Amazon WorkMail
- Amazon WorkSpaces
- Amazon Workspaces’ Web