AWS Security ChangesHomeSearch

AWS kms documentation change

Service: kms · 2026-07-13 · Documentation low

File: kms/latest/developerguide/keystore-external.md

Summary

Replaced detailed requirements for external key store usage with a reference to 'Choosing the right key store' documentation

Security assessment

Content reorganization without security implications. Removed operational considerations but didn't address vulnerabilities or add security features.

Diff

diff --git a/kms/latest/developerguide/keystore-external.md b/kms/latest/developerguide/keystore-external.md
index a2b1aad03..34f9ceed5 100644
--- a//kms/latest/developerguide/keystore-external.md
+++ b//kms/latest/developerguide/keystore-external.md
@@ -27,18 +27 @@ External key stores unblock the few use cases for regulated workloads where encr
-For most users, the default AWS KMS key store, which is protected by [FIPS 140-3 Security Level 3 validated hardware security modules](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4884), fulfills their security, control, and regulatory requirements. External key store users incur substantial cost, maintenance, and troubleshooting burden, and risks to latency, availability and reliability.
-
-When considering an external key store, take some time to understand the alternatives, including an [AWS CloudHSM key store](./keystore-cloudhsm.html) backed by an AWS CloudHSM cluster that you own and manage, and KMS keys with [imported key material](./importing-keys.html) that you generate in your own HSMs and can delete from KMS keys on demand. In particular, importing key material with a very brief expiration interval might provide a similar level of control without the performance or availability risks.
-
-An external key store might be the right solution for your organization if you have the following requirements:
-
-  * You are required to use cryptographic keys in your on-premises key manager or a key manager outside of AWS that you control.
-
-  * You must demonstrate that your cryptographic keys are retained solely under your control outside of the cloud.
-
-  * You must encrypt and decrypt using cryptographic keys with independent authorization.
-
-  * Key material must be subject to a secondary, independent audit path.
-
-
-
-
-If you choose an external key store, limit its use to workloads that require protection with cryptographic keys outside of AWS.
+To decide whether an external key store is right for your requirements, see [Choosing the right key store](./key-store-overview.html#choosing-key-store).