AWS kms documentation change
Summary
Renamed 'custom key store' to 'AWS CloudHSM key store' throughout document, restructured content by replacing 'Do I need a custom key store?' section with reference to external guide, added new 'How do AWS CloudHSM key stores work?' section, and updated terminology in operational descriptions.
Security assessment
Changes are terminological updates and content reorganization without evidence of addressing specific vulnerabilities. The removed requirement list (single-tenant HSM control, immediate key removal, independent auditing) was security-related but replaced by a reference, not removed for security reasons. No vulnerabilities or security incidents are mentioned.
Diff
diff --git a/kms/latest/developerguide/keystore-cloudhsm.md b/kms/latest/developerguide/keystore-cloudhsm.md index 1ed791ff7..05be048ee 100644 --- a//kms/latest/developerguide/keystore-cloudhsm.md +++ b//kms/latest/developerguide/keystore-cloudhsm.md @@ -15 +15 @@ AWS KMS provides full console and API support for creating, using, and managing -**Do I need a custom key store?** +**Do I need an AWS CloudHSM key store?** @@ -17 +17 @@ AWS KMS provides full console and API support for creating, using, and managing -For most users, the default AWS KMS key store, which is protected by [FIPS 140-3 validated cryptographic modules](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4884), fulfills their security requirements. There is no need to add an extra layer of maintenance responsibility or a dependency on an additional service. +To decide whether an AWS CloudHSM key store is right for your requirements, see [Choosing the right key store](./key-store-overview.html#choosing-key-store). @@ -19 +19 @@ For most users, the default AWS KMS key store, which is protected by [FIPS 140-3 -However, you might consider creating a custom key store if your organization has any of the following requirements: +**How do AWS CloudHSM key stores work?** @@ -21 +21 @@ However, you might consider creating a custom key store if your organization has - * You have keys that are explicitly required to be protected in a single tenant HSM or in an HSM that you have direct control over. +Each AWS CloudHSM key store is associated with an AWS CloudHSM cluster in your AWS account. When you connect the AWS CloudHSM key store to its cluster, AWS KMS creates the network infrastructure to support the connection. Then it logs into the key AWS CloudHSM client in the cluster using the credentials of a dedicated crypto user in the cluster. @@ -23 +23 @@ However, you might consider creating a custom key store if your organization has - * You need the ability to immediately remove key material from AWS KMS. +You create and manage your AWS CloudHSM key stores in AWS KMS and create and manage your HSM clusters in AWS CloudHSM. When you create AWS KMS keys in an AWS CloudHSM key store, you view and manage the KMS keys in AWS KMS. But you can also view and manage their key material in AWS CloudHSM, just as you would do for other keys in the cluster. @@ -25 +25 @@ However, you might consider creating a custom key store if your organization has - * You need to be able to audit all use of your keys independently of AWS KMS or AWS CloudTrail. + @@ -26,0 +27 @@ However, you might consider creating a custom key store if your organization has +You can [create symmetric encryption KMS keys](./create-cmk-keystore.html) with key material generated by AWS KMS in your AWS CloudHSM key store. Then use the same techniques to view and manage the KMS keys in your AWS CloudHSM key store that you use for KMS keys in the AWS KMS key store. You can control access with IAM and key policies, create tags and aliases, enable and disable the KMS keys, and schedule key deletion. You can use the KMS keys for [cryptographic operations](./manage-cmk-keystore.html#use-cmk-keystore) and use them with AWS services that integrate with AWS KMS. @@ -28,13 +29 @@ However, you might consider creating a custom key store if your organization has - - -**How do custom key stores work?** - -Each custom key store is associated with an AWS CloudHSM cluster in your AWS account. When you connect the custom key store to its cluster, AWS KMS creates the network infrastructure to support the connection. Then it logs into the key AWS CloudHSM client in the cluster using the credentials of a dedicated crypto user in the cluster. - -You create and manage your custom key stores in AWS KMS and create and manage your HSM clusters in AWS CloudHSM. When you create AWS KMS keys in an AWS KMS custom key store, you view and manage the KMS keys in AWS KMS. But you can also view and manage their key material in AWS CloudHSM, just as you would do for other keys in the cluster. - - - -You can [create symmetric encryption KMS keys](./create-cmk-keystore.html) with key material generated by AWS KMS in your custom key store. Then use the same techniques to view and manage the KMS keys in your custom key store that you use for KMS keys in the AWS KMS key store. You can control access with IAM and key policies, create tags and aliases, enable and disable the KMS keys, and schedule key deletion. You can use the KMS keys for [cryptographic operations](./manage-cmk-keystore.html#use-cmk-keystore) and use them with AWS services that integrate with AWS KMS. - -In addition, you have full control over the AWS CloudHSM cluster, including creating and deleting HSMs and managing backups. You can use the AWS CloudHSM client and supported software libraries to view, audit, and manage the key material for your KMS keys. While the custom key store is disconnected, AWS KMS cannot access it, and users cannot use the KMS keys in the custom key store for cryptographic operations. This added layer of control makes custom key stores a powerful solution for organizations that require it. +In addition, you have full control over the AWS CloudHSM cluster, including creating and deleting HSMs and managing backups. You can use the AWS CloudHSM client and supported software libraries to view, audit, and manage the key material for your KMS keys. While the AWS CloudHSM key store is disconnected, AWS KMS cannot access it, and users cannot use the KMS keys in the AWS CloudHSM key store for cryptographic operations. This added layer of control makes AWS CloudHSM key stores a powerful solution for organizations that require it.