AWS recently introduced AWS KMS multi-Region keys, which let you replicate a key from one Region to another. Multi-Region keys let you move encrypted data from one Region to another without having to decrypt it and re-encrypt it under a different key in each Region.
Table of Contents
KMS Multi-Region Key Creation
Snapshots of Encrypting EBS
Replica key changed to Primary key
KMS Key Rotation
Multi-Region keys can be either symmetric or asymmetric. They can be created with key material generated by AWS KMS or with imported key material. Multi-Region keys cannot be created in a custom key store. A multi-Region key gives you a set of KMS keys in different AWS Regions that share the same key ID, key material and other properties. Each key in the set is a fully functional KMS key in its own Region. Because they share the same key ID and key material, any key in the set can decrypt ciphertext that was encrypted by any other key in the same set.
To migrate existing workloads to multi-Region keys, you must re-encrypt the data or create new signatures under the multi-Region keys. The multi-Region property is set when the key is created and cannot be changed afterwards. You can have multiple sets of related multi-Region keys in the same or different AWS Regions. Related multi-Region keys are interoperable with each other, but unrelated multi-Region keys are not.
A multi-Region primary key is a KMS key that can be replicated into other AWS Regions within the same partition. Each set of multi-Region keys has exactly one primary key. A primary key does not have to be replicated: you can use it like any other KMS key and replicate it only when you need to. We recommend creating multi-Region keys because they have different security properties from single-Region keys.
A multi-Region replica key shares its key ID, key material and other shared properties with its primary key, but it is located in a different AWS Region. Like the primary key and every other replica key, a replica key is a fully functional KMS key with its own key policy, grants, aliases, tags and other properties. A replica key can be used even when the primary key is disabled. You can change a primary key into a replica key and a replica key into the primary key.
A replica key differs from the primary key in the following ways:
Only the primary key can be replicated.
The primary key is the source of the shared properties of its replica keys, such as the key ID and key material.
Only the primary key can enable or disable automatic key rotation.
A primary key can be scheduled for deletion at any time, but AWS KMS will not delete it until all of its replica keys have been deleted.
Cryptographically, however, primary and replica keys are identical and can be used interchangeably.
You can replicate a multi-Region primary key into another AWS Region within the same partition. AWS KMS creates a multi-Region replica key in the specified Region; the replica shares its key ID and other shared properties with the primary key.
KMS Multi-Region Key Creation
The following example shows how to create an AWS KMS multi-Region key.
1. Go to the AWS Console, select KMS from the list of AWS services and click Create key.
2. Click Advanced options and select the Symmetric key type.
3. Click Next and select Multi-Region key (instead of a single-Region KMS key) from the list.
4. Enter an alias name and a description in the appropriate fields.
5. Click Next and add the appropriate tags.
6. Define the IAM (Identity and Access Management) users and roles that can administer the key through the KMS API. The console may require additional permissions before you can administer the key.
7. You can s.
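As an added example (not code from the original post), the same creation flow through the AWS API with boto3, plus two checks a practitioner wants before relying on cross-Region decryption: that a replica's ARN differs from the primary's only in the Region field, and that a key actually belongs to the same multi-Region set (unrelated multi-Region keys are not interoperable). The Region names, the account ID 111122223333 and the key IDs are constructed placeholders; the live calls assume boto3 is installed and the credentials allow kms:CreateKey, kms:ReplicateKey, kms:Encrypt and kms:Decrypt.

```python
"""Added example: create a multi-Region KMS key, replicate it, and verify that ciphertext
from the primary Region decrypts with the replica in its Region without re-encryption.
Regions, account ID and key IDs used with these helpers are constructed placeholders."""


def is_multi_region_key_arn(arn: str) -> bool:
    """Multi-Region key IDs carry the 'mrk-' prefix; single-Region key IDs are plain UUIDs."""
    parts = arn.split(":")  # arn:partition:kms:region:account:key/<key-id>
    return len(parts) == 6 and parts[2] == "kms" and parts[5].startswith("key/mrk-")


def replica_arn(primary_arn: str, replica_region: str) -> str:
    """A replica's ARN differs from the primary's only in the Region field: same partition,
    same account and the shared mrk- key ID, which is what makes ciphertext portable."""
    if not is_multi_region_key_arn(primary_arn):
        raise ValueError("not a multi-Region KMS key ARN")
    parts = primary_arn.split(":")
    parts[3] = replica_region
    return ":".join(parts)


def is_related_key(key_metadata: dict, other_arn: str) -> bool:
    """True when other_arn is the primary or a replica of the same multi-Region key set.
    key_metadata is the KeyMetadata dict returned by kms.describe_key(). Two multi-Region
    keys with different mrk- IDs are unrelated and cannot decrypt each other's ciphertext."""
    if not key_metadata.get("MultiRegion"):
        return False
    cfg = key_metadata["MultiRegionConfiguration"]
    members = {cfg["PrimaryKey"]["Arn"]} | {r["Arn"] for r in cfg.get("ReplicaKeys", [])}
    return other_arn in members


def create_and_replicate(primary_region: str, replica_region: str) -> tuple:
    """Console steps 1-6 via the API: symmetric key with MultiRegion=True, then replicate."""
    import boto3  # imported here so the pure helpers above work without boto3 installed
    kms = boto3.client("kms", region_name=primary_region)
    primary = kms.create_key(Description="multi-Region demo key", KeySpec="SYMMETRIC_DEFAULT",
                             KeyUsage="ENCRYPT_DECRYPT", MultiRegion=True)["KeyMetadata"]
    replica = kms.replicate_key(KeyId=primary["Arn"], ReplicaRegion=replica_region)
    return primary["Arn"], replica["ReplicaKeyMetadata"]["Arn"]


def cross_region_round_trip(primary: str, replica: str, plaintext: bytes) -> bool:
    """Encrypt under the primary in its Region, decrypt under the replica in its own Region."""
    import boto3
    kms_a = boto3.client("kms", region_name=primary.split(":")[3])
    kms_b = boto3.client("kms", region_name=replica.split(":")[3])
    blob = kms_a.encrypt(KeyId=primary, Plaintext=plaintext)["CiphertextBlob"]
    return kms_b.decrypt(CiphertextBlob=blob, KeyId=replica)["Plaintext"] == plaintext
```

Typical use is `p, r = create_and_replicate("us-east-1", "eu-west-1")` followed by `cross_region_round_trip(p, r, b"secret")`, which returns True only if the replica decrypted the primary's ciphertext.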