How to Truly Control Your Data in the AWS Cloud using AWS XKS (External Key Store)?

DuoKey
4 min readSep 23, 2024


DuoKey for AWS XKS advanced encryption.

TL;DR: when using AWS cloud, don’t put all your eggs in the same basket. Use AWS XKS to store and manage your encryption keys outside AWS.

According to Gartner, global spending on public cloud services will increase by 20.4%, reaching a total of $678.8 billion in 2024. This underlines a significant shift towards digital transformation.

Organisations leveraging cloud services like Amazon Web Services (AWS) often find themselves in a predicament concerning data control, security, and legal compliance. These challenges arise because the data, while physically stored in secure AWS data centres, is under the operational control of AWS, which can limit an organisation’s ability to fully enforce its own security policies and compliance measures.

The recent massive Snowflake breach highlighted the risks of relying solely on cloud provider ecosystems for security and compliance.

In this article, we explore how organisations can achieve true control over their data while maximising the capabilities of the AWS cloud, looking at AWS KMS External Key Store, or AWS XKS for short.

The Importance of Controlling Encryption Keys

Encryption is the foundation of data security in cloud computing. However, the default encryption services provided by cloud providers like AWS may not be enough for organisations with strict data sovereignty and security requirements.

Although AWS’s default encryption uses strong, well-vetted algorithms to protect data at rest and in transit, it does not address the main challenge, which is who controls the encryption keys.

When keys are managed by the same cloud provider that hosts the data, there are inherent risks of data exposure or misuse. That is before counting the less common, but real, risk of government data requests under the CLOUD Act. Remember: “not your encryption key, not your data”.

Overall, a good rule of thumb in cloud security is not to put all your eggs in the same basket.

Managing Your Keys Outside AWS

A solution to avoid “putting all your eggs in the same basket” is to manage encryption keys outside of the AWS environment. This approach gives organisations full control over their encryption keys, and the key material itself is never exposed to the cloud provider.

In 2022, AWS launched AWS KMS External Key Store (commonly referred to as AWS XKS) to let organisations encrypt data in AWS services that integrate with AWS KMS using keys held outside AWS. This service adds a layer of security that enhances control over encryption keys and, by extension, over data security and sovereignty.

What’s AWS KMS XKS?

With AWS XKS, AWS KMS encrypts its data keys using keys that are stored in a secure environment outside of AWS and remain under the organisation’s exclusive control. KMS never holds the external key material: every encrypt and decrypt call that needs it is forwarded to an XKS proxy that fronts the organisation’s key manager, and KMS only ever receives ciphertext back. KMS also still encrypts each data key under a key in its own HSMs before sending it to the proxy, so the stored data key is wrapped twice. Two practical consequences follow: XKS keys are symmetric encryption keys only, and the external key manager must stay reachable, because if the proxy is unavailable or refuses a request, data protected by that key cannot be decrypted, by AWS or by anyone else.

This means that organisations can not only integrate fully with AWS and its services without compromise, but can also:

  • Maintain data sovereignty,
  • Comply with regulatory requirements,
  • Control encryption keys,
  • Protect sensitive data.

DuoKey for AWS XKS

AWS has collaborated with various Hardware Security Module (HSM) and key management providers to ensure that XKS works smoothly with a range of external solutions, including DuoKey for AWS XKS. Unlike other providers, DuoKey for AWS XKS supports both hardware security module (HSM) deployments and secure Multi-Party Computation (MPC) deployments on AWS Nitro Systems.

In MPC deployments, key material is generated in a distributed process, so the root key material is never exposed in full to any single entity, including the cloud provider. This significantly enhances the security and confidentiality of data stored in the AWS cloud, as it reduces the risk of a single point of compromise and maximises control over encryption keys.

DuoKey for AWS External Key Store (AWS XKS)

When an AWS service requests a data encryption key (DEK) to encrypt data at rest, AWS KMS generates a unique DEK and encrypts it under the customer-managed root key, which in an external key store is the key held outside AWS behind the XKS proxy. With DuoKey for AWS XKS, that root key material is generated through an MPC process, so it never exists in one place and remains protected and confidential.
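The flow described above, reduced to code, as an added example that is not part of the original post and is not DuoKey’s or AWS’s implementation. It models both sides of an external key store: the proxy side, where the external key is generated, never exported, and only used after a local policy check on the caller KMS reports; and the KMS side, which generates a DEK, wraps it under its own key, then has the proxy wrap the result again under the external key. Assumptions: the `RequestMetadata` field names follow the public XKS proxy API spec as I recall it and should be checked against it; the principal allow-list and the use of the KMS key ARN as AES-GCM associated data are this example’s own choices; all ARNs and key IDs are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// RequestMetadata is the context KMS attaches to every proxy call. Field names
// follow the public XKS proxy API spec as I recall it (assumption: check the spec).
type RequestMetadata struct{ AwsPrincipalArn, KmsKeyArn, KmsOperation, KmsRequestId, KmsViaService string }

// XKSProxy stands in for the external key manager and its proxy. Key material
// exists only here; KMS only ever receives ciphertext from it.
type XKSProxy struct {
	keys    map[string][]byte // externalKeyId -> AES-256 key, never exported
	allowed map[string]bool   // hypothetical local policy: principal ARN -> allowed
}

func NewXKSProxy() *XKSProxy { return &XKSProxy{keys: map[string][]byte{}, allowed: map[string]bool{}} }
func randBytes(n int) []byte { // a failing CSPRNG is fatal when making key material
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func gcm(key []byte) cipher.AEAD { // keys here are always 32 bytes, so an error is a bug
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // errs only for a non-128-bit block size, which AES never has
	return aead
}
func (p *XKSProxy) CreateKey(id string)       { p.keys[id] = randBytes(32) } // generated in place
func (p *XKSProxy) AllowPrincipal(arn string) { p.allowed[arn] = true }

// authorize is the proxy-side gate KMS cannot bypass: unknown key or unlisted caller, no crypto.
func (p *XKSProxy) authorize(id string, md RequestMetadata) (cipher.AEAD, error) {
	k, ok := p.keys[id]
	if !ok {
		return nil, errors.New("unknown external key")
	}
	if !p.allowed[md.AwsPrincipalArn] {
		return nil, fmt.Errorf("policy: %s denied %s via %s", md.AwsPrincipalArn, md.KmsOperation, md.KmsViaService)
	}
	return gcm(k), nil
}

// Encrypt is the proxy's AES-256-GCM endpoint. IV and tag come back as separate fields,
// as in the XKS API; binding the KMS key ARN in as AAD is this example's own choice.
func (p *XKSProxy) Encrypt(id string, md RequestMetadata, pt []byte) (ct, iv, tag []byte, err error) {
	aead, err := p.authorize(id, md)
	if err != nil {
		return nil, nil, nil, err
	}
	iv = randBytes(aead.NonceSize())
	sealed := aead.Seal(nil, iv, pt, []byte(md.KmsKeyArn))
	n := len(sealed) - aead.Overhead()
	return sealed[:n], iv, sealed[n:], nil
}

func (p *XKSProxy) Decrypt(id string, md RequestMetadata, ct, iv, tag []byte) ([]byte, error) {
	aead, err := p.authorize(id, md)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, iv, append(append([]byte{}, ct...), tag...), []byte(md.KmsKeyArn))
}

// KMS models the AWS side: it generates the DEK, wraps it under a key in its own HSM,
// then has the proxy wrap that ciphertext again under the external key (KMS double
// encryption). If the proxy refuses, or the external key is gone, AWS alone recovers nothing.
type KMS struct{ hsmKey []byte; proxy *XKSProxy }
type WrappedDEK struct{ KeyID string; CT, IV, Tag []byte }

func NewKMS(p *XKSProxy) *KMS { return &KMS{hsmKey: randBytes(32), proxy: p} }

func (k *KMS) GenerateDataKey(keyID string, md RequestMetadata) ([]byte, WrappedDEK, error) {
	dek := randBytes(32)
	inner := gcm(k.hsmKey)
	nonce := randBytes(inner.NonceSize())
	once := inner.Seal(nonce, nonce, dek, nil)           // first layer: nonce || ct || tag
	ct, iv, tag, err := k.proxy.Encrypt(keyID, md, once) // second layer under the external key
	return dek, WrappedDEK{KeyID: keyID, CT: ct, IV: iv, Tag: tag}, err
}

func (k *KMS) DecryptDataKey(w WrappedDEK, md RequestMetadata) ([]byte, error) {
	once, err := k.proxy.Decrypt(w.KeyID, md, w.CT, w.IV, w.Tag) // proxy policy and tag check first
	if err != nil {
		return nil, err
	}
	inner := gcm(k.hsmKey)
	if ns := inner.NonceSize(); len(once) >= ns {
		return inner.Open(nil, once[:ns], once[ns:], nil)
	}
	return nil, errors.New("malformed inner ciphertext")
}
```

The point to take from the model is where the decisions are made. `authorize` runs inside the proxy, on infrastructure the organisation runs, so a caller that IAM would allow can still be refused or logged locally, and the same call path is what breaks if the proxy is offline, which is the availability caveat to plan for. The second wrap is also why `DecryptDataKey` cannot produce a DEK from the KMS-side key alone.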

Conclusion

In conclusion, while AWS and similar cloud services offer tremendous scalability and efficiency, their default encryption measures are not sufficient for organisations that require strict data sovereignty and security. AWS XKS addresses this by providing a robust, secure, and compliant way to manage encryption keys outside AWS.

By ensuring that your encryption keys are never in the “same basket” as your data, an AWS XKS integration such as DuoKey for AWS XKS enables organisations to achieve true data sovereignty and security on their own terms, without compromise.


DuoKey

DuoKey Key Management Service is based on Multi-Party Computation (MPC) and provides advanced encryption services without relying on an HSM.