AWS Multi-region KMS Key

Mounick
2 min read, Jul 22, 2021

Multi-Region keys are a new feature of AWS KMS for client-side applications that makes KMS-encrypted ciphertext portable across Regions. With symmetric multi-Region keys, you can encrypt data in one Region and decrypt it in a different Region.

Use cases

  • Disaster recovery: In a backup and recovery architecture, multi-Region keys let you process encrypted data without interruption even in the event of an AWS Region outage. Data maintained in backup Regions can be decrypted in the backup Region, and data newly encrypted in the backup Region can be decrypted in the primary Region when that Region is restored.
  • Global data management: Businesses that operate globally need globally distributed data that is available consistently across AWS Regions.

How does it work?

To use multi-Region keys, you create a primary multi-Region key in one Region. Then you use the primary key to create a related multi-Region replica key in a different Region. Replica keys are KMS keys that can be used independently; they are not pointers to the primary key. The primary and replica keys share only certain properties.
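The sequence just described (create the primary, replicate it, encrypt in one Region, decrypt in another) written out with boto3, as an added example that is not code from the original post. The Region names, key description and helper names such as replica_arn are assumptions; the live calls need AWS credentials and a network path to KMS, while replica_arn only rewrites the ARN and runs offline.

```python
"""Lifecycle of a symmetric multi-Region KMS key with boto3: create the primary,
replicate it, encrypt in one Region and decrypt in another.

Added example, not code from the original post. Region names, the description
and the helper names are assumptions."""
import re

try:
    import boto3  # AWS SDK, needed only for the live calls below
except ImportError:  # lets replica_arn() run where the SDK is not installed
    boto3 = None

# Multi-Region key IDs start with "mrk-"; primary and replicas share the ID,
# so their ARNs differ only in the Region field.
MRK_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):key/(?P<key_id>mrk-[0-9a-f]{32})$"
)


def replica_arn(primary_arn: str, replica_region: str) -> str:
    """ARN the replica of `primary_arn` will have in `replica_region`.

    Raises ValueError for a single-Region key (no "mrk-" prefix), which can
    never be replicated, and when the target Region equals the primary's.
    """
    m = MRK_ARN.match(primary_arn)
    if m is None:
        raise ValueError("not a multi-Region key ARN: " + primary_arn)
    if m.group("region") == replica_region:
        raise ValueError("replica Region must differ from the primary Region")
    return "arn:%s:kms:%s:%s:key/%s" % (
        m.group("partition"), replica_region, m.group("account"), m.group("key_id")
    )


def create_primary(region: str, description: str) -> str:
    """Create the symmetric multi-Region primary key; returns its ARN."""
    kms = boto3.client("kms", region_name=region)
    resp = kms.create_key(
        Description=description,
        KeySpec="SYMMETRIC_DEFAULT",
        KeyUsage="ENCRYPT_DECRYPT",
        MultiRegion=True,  # fixed at creation; a key cannot be converted later
    )
    return resp["KeyMetadata"]["Arn"]


def replicate(primary_arn: str, replica_region: str) -> str:
    """Create the related replica key in `replica_region`; returns its ARN.

    The request is sent with a client in the primary key's Region.
    """
    primary_region = MRK_ARN.match(primary_arn).group("region")
    kms = boto3.client("kms", region_name=primary_region)
    resp = kms.replicate_key(KeyId=primary_arn, ReplicaRegion=replica_region)
    return resp["ReplicaKeyMetadata"]["Arn"]


def encrypt_in(region: str, key_arn: str, plaintext: bytes) -> bytes:
    """Encrypt with the key (primary or replica) that lives in `region`."""
    kms = boto3.client("kms", region_name=region)
    return kms.encrypt(KeyId=key_arn, Plaintext=plaintext)["CiphertextBlob"]


def decrypt_in(region: str, key_arn: str, ciphertext: bytes) -> bytes:
    """Decrypt in `region`. KeyId is optional for symmetric keys, but pinning
    it makes a decrypt with an unexpected key fail instead of silently working."""
    kms = boto3.client("kms", region_name=region)
    return kms.decrypt(CiphertextBlob=ciphertext, KeyId=key_arn)["Plaintext"]


if __name__ == "__main__":
    PRIMARY_REGION, BACKUP_REGION = "us-east-1", "eu-west-1"  # assumed Regions
    primary = create_primary(PRIMARY_REGION, "example multi-Region key")
    replica = replicate(primary, BACKUP_REGION)
    assert replica == replica_arn(primary, BACKUP_REGION)
    blob = encrypt_in(PRIMARY_REGION, primary, b"backup record")
    # Same ciphertext, decrypted in the backup Region with the replica key.
    assert decrypt_in(BACKUP_REGION, replica, blob) == b"backup record"
    print("round trip across Regions OK")
```

The only thing that makes the key multi-Region is `MultiRegion=True` on `create_key`; it has to be decided up front, and the ciphertext produced in the primary Region is handed to the backup Region unchanged.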

Shared properties:

  • Key ID
  • Key material
  • Key material origin
  • Key spec and encryption algorithms
  • Key usage
  • Automatic key rotation

Independent properties:

  • Description
  • Key policy
  • Grants
  • Enabled and disabled key states
  • Aliases
  • Tags

Shared properties can only be changed on the primary key, and AWS KMS automatically synchronises the change to all replica keys. If you change the value of an independent property, AWS KMS does not synchronise it; each replica keeps its own value.

Security considerations for multi-Region keys

Use an AWS KMS multi-Region key only when you need one. Consider a multi-Region key if you must share, move, or back up protected data across Regions.

  • You need to ensure that the key policy is audited consistently across multiple, isolated Regions, since each replica carries its own policy.
  • With a single-Region KMS key, data encrypted in one Region remains completely protected and inaccessible in any other Region. To verify data residency and data sovereignty with multi-Region keys, you need to implement access policies and compile AWS CloudTrail events across multiple Regions.
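One way to act on these two points, as an added example that is not part of the original post: compare the key policy of the primary against every replica (the key policy is an independent property, so the copies can drift) and fold the per-Region CloudTrail KMS events for the key into one timeline. The key ID, account number, Regions, policy statements and event records are constructed sample data; the live_* helpers assume boto3, credentials, and the describe_key, get_key_policy and CloudTrail lookup_events APIs.

```python
"""Cross-Region audit of a multi-Region key: key-policy drift between primary
and replicas, and one timeline of KMS CloudTrail events from several Regions.
Added example, not code from the original post; the key ID, Regions, policies
and CloudTrail records below are constructed sample data."""
import json
from datetime import datetime, timezone

try:
    import boto3  # only needed by the live_* helpers
except ImportError:
    boto3 = None


def canonical(policy_json: str) -> str:
    """Canonical text of a key policy: key order and statement order ignored."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be written as an object
        stmts = [stmts]
    doc["Statement"] = sorted(stmts, key=lambda s: json.dumps(s, sort_keys=True))
    return json.dumps(doc, sort_keys=True, separators=(",", ":"))


def policy_drift(reference_region: str, policies: dict) -> list:
    """Regions whose key policy (Region -> policy JSON) differs from the reference.
    The key policy is an independent property, so a replica can grant access
    the primary does not; this is the per-Region audit the post calls for."""
    ref = canonical(policies[reference_region])
    return sorted(r for r, p in policies.items()
                  if r != reference_region and canonical(p) != ref)


def merge_kms_events(events_by_region: dict, key_id: str) -> list:
    """Chronological (time, region, eventName, principal) rows for KMS events
    that touched `key_id`; input maps Region -> list of CloudTrail records."""
    rows = []
    for region, events in events_by_region.items():
        for ev in events:
            if ev.get("eventSource") != "kms.amazonaws.com":
                continue
            arns = [r.get("ARN", "") for r in ev.get("resources", [])]
            if not any(a.endswith("key/" + key_id) for a in arns):
                continue
            when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            who = ev.get("userIdentity", {}).get("arn", "unknown")
            rows.append((when.replace(tzinfo=timezone.utc), region, ev["eventName"], who))
    return sorted(rows)


def live_policies(any_key_arn: str) -> dict:
    """Fetch the 'default' key policy of the primary and every replica."""
    region = any_key_arn.split(":")[3]
    meta = boto3.client("kms", region_name=region).describe_key(KeyId=any_key_arn)
    cfg = meta["KeyMetadata"]["MultiRegionConfiguration"]
    out = {}
    for member in [cfg["PrimaryKey"]] + cfg.get("ReplicaKeys", []):
        kms = boto3.client("kms", region_name=member["Region"])
        out[member["Region"]] = kms.get_key_policy(KeyId=member["Arn"],
                                                   PolicyName="default")["Policy"]
    return out


def live_kms_events(regions, start: datetime, end: datetime) -> dict:
    """Pull KMS events per Region; CloudTrail LookupEvents is Region-scoped."""
    out = {}
    for region in regions:
        pages = boto3.client("cloudtrail", region_name=region).get_paginator(
            "lookup_events").paginate(
            LookupAttributes=[{"AttributeKey": "EventSource",
                               "AttributeValue": "kms.amazonaws.com"}],
            StartTime=start, EndTime=end)
        out[region] = [json.loads(e["CloudTrailEvent"])
                       for page in pages for e in page["Events"]]
    return out


# Constructed sample data (not from a real account).
KEY_ID = "mrk-1234abcd12ab34cd56ef1234567890ab"
ADMIN = {"Sid": "Admin", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/KeyAdmin"}}
WIDE = {"Sid": "Wide", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*",
        "Principal": {"AWS": "*"}}  # extra grant present only on one replica
SAMPLE_POLICIES = {
    "us-east-1": json.dumps({"Version": "2012-10-17", "Statement": [ADMIN]}),
    "eu-west-1": json.dumps({"Version": "2012-10-17", "Statement": [WIDE, ADMIN]}),
    "ap-south-1": json.dumps({"Statement": [ADMIN], "Version": "2012-10-17"}),
}


def kms_event(region, name, time, role):
    """Build a minimal CloudTrail-shaped KMS record for the sample timeline."""
    return {"eventSource": "kms.amazonaws.com", "eventName": name, "eventTime": time,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:role/" + role},
            "resources": [{"ARN": "arn:aws:kms:%s:111122223333:key/%s" % (region, KEY_ID)}]}


SAMPLE_EVENTS = {
    "eu-west-1": [kms_event("eu-west-1", "Decrypt", "2021-07-22T10:05:00Z", "DrApp")],
    "us-east-1": [kms_event("us-east-1", "Encrypt", "2021-07-22T10:00:00Z", "App"),
                  {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
                   "eventTime": "2021-07-22T10:00:01Z", "resources": []}],
}

if __name__ == "__main__":
    print("policy drift in:", policy_drift("us-east-1", SAMPLE_POLICIES))
    for row in merge_kms_events(SAMPLE_EVENTS, KEY_ID):
        print(*row)
```

On the sample data the drift check flags only eu-west-1 (the replica carrying the extra "Wide" statement), while ap-south-1 is reported clean even though its JSON is written in a different key order; the timeline shows the Encrypt in us-east-1 followed by the Decrypt of the same key in eu-west-1, which is exactly the cross-Region access a residency review has to be able to see.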

Limitations

  • Existing single-Region KMS keys cannot be changed or migrated into multi-Region keys.
  • Once a multi-Region key is created, it cannot be converted back to a single-Region key.

Mounick

DevOps Engineer | Technical Blogger | Serverless Evangelist | Cloud Architect