
Tech Insights
Why You Should Consider AWS KMS with a Custom Key Store (CloudHSM-backed)
A client recently approached me with a familiar but tricky ask:
They wanted all their cloud-stored data encrypted at rest, but not just that. Their requirements included:
- Full control over encryption keys, not just AWS controlling them
- The ability to immediately delete key material from AWS KMS
- Independent auditing of key usage outside of CloudTrail
- And, of course, seamless integration with AWS services
Here’s what makes a KMS custom key store backed by CloudHSM so effective:
- Key material stays in CloudHSM: the keys are generated inside your CloudHSM cluster, are non-extractable, and remain fully under your control; KMS never holds a copy of the material
- Immediate removal: disconnecting the custom key store instantly stops KMS from using the keys, and deleting the key material from the cluster removes it for good
- Independent auditing: CloudHSM produces its own audit logs of key generation and key use, separate from CloudTrail
- AWS integration: the keys are used through the standard KMS APIs and integrate with AWS services like any other KMS key (CMK)
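The procedure behind those four points, as an added example that is not from the original post and not AWS's own code: it drives the boto3 KMS client through creating and connecting a custom key store, creating a key with `Origin="AWS_CLOUDHSM"`, using that key with the ordinary `Encrypt`/`Decrypt` calls, and then disconnecting the store to cut KMS off. The cluster ID, key store name, trust-anchor certificate and `kmsuser` password are placeholders, and `FakeKms` is a constructed offline stand-in for `boto3.client("kms")` so the flow runs without an account; pass a real client to `run_workflow` for the real thing.

```python
"""Provision a CloudHSM-backed KMS custom key store, create a key in it, use it through
the ordinary KMS API, then disconnect so KMS can no longer use it. Added example."""
import time

CLUSTER_ID = "cluster-EXAMPLE"          # assumed placeholder: your CloudHSM cluster ID
KEY_STORE_NAME = "prod-cloudhsm-store"  # assumed placeholder

def provision_key_store(kms, cluster_id, name, trust_anchor_pem, kmsuser_password,
                        timeout_s=600, poll_s=10):
    """Create the key store and block until KMS reports it CONNECTED. Connecting is
    asynchronous: the state moves CONNECTING -> CONNECTED (or FAILED with an error code)."""
    store_id = kms.create_custom_key_store(
        CustomKeyStoreName=name, CloudHsmClusterId=cluster_id,
        TrustAnchorCertificate=trust_anchor_pem, KeyStorePassword=kmsuser_password,
    )["CustomKeyStoreId"]
    kms.connect_custom_key_store(CustomKeyStoreId=store_id)
    deadline = time.monotonic() + timeout_s
    while True:
        store = kms.describe_custom_key_stores(CustomKeyStoreId=store_id)["CustomKeyStores"][0]
        state = store["ConnectionState"]
        if state == "CONNECTED":
            return store_id
        if state == "FAILED":
            raise RuntimeError(f"connect failed: {store.get('ConnectionErrorCode')}")
        if time.monotonic() > deadline:
            raise TimeoutError(f"{store_id} still {state} after {timeout_s}s")
        time.sleep(poll_s)

def create_hsm_backed_key(kms, store_id, description):
    """Create a KMS key whose material is generated inside the CloudHSM cluster."""
    meta = kms.create_key(Origin="AWS_CLOUDHSM",  # the only origin a custom key store accepts
                          CustomKeyStoreId=store_id, Description=description)["KeyMetadata"]
    if meta["Origin"] != "AWS_CLOUDHSM":
        raise RuntimeError("key material did not land in the HSM")
    return meta["Arn"]

def encrypt_decrypt_roundtrip(kms, key_arn, plaintext):
    """Same Encrypt/Decrypt calls as for any other KMS key; the crypto runs in the HSM."""
    blob = kms.encrypt(KeyId=key_arn, Plaintext=plaintext)["CiphertextBlob"]
    return kms.decrypt(KeyId=key_arn, CiphertextBlob=blob)["Plaintext"]

def revoke_kms_access(kms, store_id):
    """Cut KMS off at once; the material stays in the cluster until you delete it there."""
    kms.disconnect_custom_key_store(CustomKeyStoreId=store_id)

def run_workflow(kms):
    """Whole procedure; returns the outcome so it can be checked."""
    store_id = provision_key_store(kms, CLUSTER_ID, KEY_STORE_NAME,
                                   trust_anchor_pem="<contents of customerCA.crt>",
                                   kmsuser_password="<kmsuser password>", poll_s=0)
    key_arn = create_hsm_backed_key(kms, store_id, "HSM-backed key for S3/EBS data")
    recovered = encrypt_decrypt_roundtrip(kms, key_arn, b"secret payroll export")
    revoke_kms_access(kms, store_id)
    try:
        kms.encrypt(KeyId=key_arn, Plaintext=b"after disconnect")
        blocked = False
    except kms.exceptions.CustomKeyStoreInvalidStateException:
        blocked = True  # what KMS raises once the store is DISCONNECTED
    return {"store_id": store_id, "key_arn": key_arn, "recovered": recovered, "blocked": blocked}

class FakeKms:
    """Constructed offline stand-in for boto3.client('kms'): records calls, models state."""
    class exceptions:
        class CustomKeyStoreInvalidStateException(Exception):
            pass

    def __init__(self):
        self.calls, self.connected = [], False

    def _record(self, op, needs_connection=True):
        self.calls.append(op)
        if needs_connection and not self.connected:
            raise self.exceptions.CustomKeyStoreInvalidStateException("store is DISCONNECTED")

    def create_custom_key_store(self, **kw):
        self._record("CreateCustomKeyStore", needs_connection=False)
        return {"CustomKeyStoreId": "cks-0123456789abcdef0"}
    def connect_custom_key_store(self, **kw):
        self._record("ConnectCustomKeyStore", needs_connection=False)
        self.connected = True
    def describe_custom_key_stores(self, CustomKeyStoreId, **kw):
        state = "CONNECTED" if self.connected else "DISCONNECTED"
        return {"CustomKeyStores": [{"CustomKeyStoreId": CustomKeyStoreId, "ConnectionState": state}]}
    def create_key(self, **kw):
        self._record("CreateKey")
        return {"KeyMetadata": {"Origin": kw["Origin"],
                                "Arn": "arn:aws:kms:us-east-1:111122223333:key/" + "0" * 36}}
    def encrypt(self, KeyId, Plaintext, **kw):  # not real crypto: reversible marker only
        self._record("Encrypt")
        return {"CiphertextBlob": b"fake:" + Plaintext[::-1], "KeyId": KeyId}
    def decrypt(self, CiphertextBlob, **kw):
        self._record("Decrypt")
        return {"Plaintext": CiphertextBlob[len(b"fake:"):][::-1]}
    def disconnect_custom_key_store(self, **kw):
        self._record("DisconnectCustomKeyStore", needs_connection=False)
        self.connected = False

if __name__ == "__main__":
    print(run_workflow(FakeKms()))  # real account: run_workflow(boto3.client("kms"))
```

The disconnect step is the "immediate removal" requirement in practice: once the store is DISCONNECTED every cryptographic call against its keys fails with `CustomKeyStoreInvalidStateException`, while the key material is untouched in the cluster, so you decide separately whether to reconnect or to delete it from the HSM.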
According to AWS documentation:
> You might consider creating a custom key store if your organization has any of the following requirements:
> - You have keys that are explicitly required to be protected in a single-tenant HSM or in an HSM that you have direct control over.
> - You need the ability to immediately remove key material from AWS KMS.
> - You need to be able to audit all use of your keys independently of AWS KMS or AWS CloudTrail.