 

AWS KMS Multi region

Using the AWS KMS Encryption SDK's MultipleProviderFactory, multiple CMKs from different regions can be combined into a single master key provider: the first CMK is used to generate the data key, and the other CMKs only encrypt that data key. This helps to decrypt using the local KMS endpoint.

https://aws.amazon.com/blogs/security/how-to-use-the-new-aws-encryption-sdk-to-simplify-data-encryption-and-improve-application-availability/

Won't it fail if the Region of the first CMK is down, since no data key is generated, as the first CMK is the one that generates the data key? Any solution or workaround?

Amit Kumar asked Oct 30 '22 11:10


2 Answers

Based on an answer from a different AWS forum by Greg. This reply comes from the author of the blog post, Greg:

https://aws.amazon.com/blogs/security/how-to-use-the-new-aws-encryption-sdk-to-simplify-data-encryption-and-improve-application-availability/

"That is correct. If the first region cannot generate the data key, or if any of the other regions cannot encrypt the data key, the encryption will fail. This was an intentional design decision because otherwise you could end up with ciphertext that is not decryptable by all of the expected keys. When decrypting, all that is required is that any one of the master keys is available and capable of decryption.

Greg"

Amit Kumar answered Nov 09 '22 23:11


For those who are still looking for this, AWS has released multi-Region KMS keys. Here is the news.

Here is the excerpt from their documentation.

AWS KMS supports multi-Region keys, which are customer master keys (CMKs) in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions. Each set of related multi-Region keys has the same key material and key ID, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS.

shazinltc answered Nov 09 '22 23:11
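The two answers describe two different availability models, and the difference is easiest to see by replaying the outage cases from the question. The following is an added example, not code from the thread, from AWS, or from the AWS Encryption SDK: it simulates two Regional KMS endpoints and an Encryption SDK style multi-key provider in plain Python (stdlib only, runs offline). The "KMS" is a toy whose key wrapping is an HMAC keystream XOR, chosen only so that the generate/encrypt/decrypt call pattern and the failure modes are observable; the Region names, key IDs (`key-use1`, `mrk-1234`) and the `ToyKms`/`MultiKeyProvider` classes are all invented for the illustration. The real SDK equivalent of `MultiKeyProvider` is the multi-provider built with `MultipleProviderFactory` in the Java SDK mentioned in the question (or `StrictAwsKmsMasterKeyProvider(key_ids=[...])` in the Python SDK), and it talks to real KMS endpoints rather than this toy.

```python
"""Offline, stdlib-only simulation of envelope encryption across AWS Regions.
The "KMS" is a toy (HMAC-SHA256 keystream XOR as the wrap) that only makes the
availability logic observable; never use it for real data.  Names are made up."""
import hashlib
import hmac
import os

class RegionUnavailable(Exception):
    pass  # stands in for the API error seen when a Regional KMS endpoint is down

def _xor_stream(key, nonce, data):
    # Toy keystream cipher: HMAC(key, nonce || counter) blocks XORed onto data.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(0, len(data), 32))
    return bytes(a ^ b for a, b in zip(data, ks))

class ToyKms:  # one Regional KMS endpoint holding key material for some key IDs
    def __init__(self, region, keys):
        self.region, self.keys, self.up = region, keys, True

    def _check(self):
        if not self.up:
            raise RegionUnavailable(self.region)

    def generate_data_key(self, key_id):
        data_key = os.urandom(32)
        return data_key, self.encrypt(key_id, data_key)

    def encrypt(self, key_id, plaintext):
        self._check()
        nonce = os.urandom(12)
        return {"key_id": key_id, "nonce": nonce,
                "ct": _xor_stream(self.keys[key_id], nonce, plaintext)}

    def decrypt(self, blob):
        self._check()
        return _xor_stream(self.keys[blob["key_id"]], blob["nonce"], blob["ct"])

class MultiKeyProvider:
    """Encryption SDK semantics from the first answer: encrypt needs every member,
    decrypt needs any one.  members = [(ToyKms, key_id), ...]; the first generates."""

    def __init__(self, members):
        self.members = members

    def encrypt(self, plaintext):
        generator, gen_key = self.members[0]
        data_key, first_edk = generator.generate_data_key(gen_key)  # Region 1 must be up
        edks = [first_edk]
        for kms, key_id in self.members[1:]:
            edks.append(kms.encrypt(key_id, data_key))  # and so must every other one
        nonce = os.urandom(12)
        return {"edks": edks, "nonce": nonce, "ct": _xor_stream(data_key, nonce, plaintext)}

    def decrypt(self, message):
        for kms, key_id in self.members:  # first reachable member with a matching EDK wins
            for edk in message["edks"]:
                if edk["key_id"] == key_id:
                    try:
                        data_key = kms.decrypt(edk)
                    except RegionUnavailable:
                        break  # this member's Region is down; try the next member
                    return _xor_stream(data_key, message["nonce"], message["ct"])
        raise RegionUnavailable("no member could unwrap any encrypted data key")

def _try_encrypt(provider, plaintext):
    try:
        provider.encrypt(plaintext)
        return "ok"
    except RegionUnavailable:
        return "failed"

def run_scenarios():
    """Replay the outage cases from the question; returns a dict of outcomes."""
    r = {}
    # 1. Two single-Region keys behind one provider (first answer's model).
    use1 = ToyKms("us-east-1", {"key-use1": os.urandom(32)})
    euw1 = ToyKms("eu-west-1", {"key-euw1": os.urandom(32)})
    prov = MultiKeyProvider([(use1, "key-use1"), (euw1, "key-euw1")])
    msg = prov.encrypt(b"customer record")
    r["edk_count"] = len(msg["edks"])
    use1.up = False  # generator Region goes down
    r["decrypt_generator_down"] = prov.decrypt(msg) == b"customer record"
    r["encrypt_generator_down"] = _try_encrypt(prov, b"new record")
    use1.up, euw1.up = True, False  # a non-generator Region goes down instead
    r["encrypt_other_down"] = _try_encrypt(prov, b"new record")
    # 2. One multi-Region key replicated into both Regions (second answer's model):
    #    same key ID and material everywhere, so each Region is its own generator.
    material = os.urandom(32)
    mrk_use1 = ToyKms("us-east-1", {"mrk-1234": material})
    mrk_euw1 = ToyKms("eu-west-1", {"mrk-1234": material})
    msg2 = MultiKeyProvider([(mrk_use1, "mrk-1234")]).encrypt(b"order")
    mrk_use1.up = False  # home Region outage; the replica alone serves both operations
    local = MultiKeyProvider([(mrk_euw1, "mrk-1234")])
    r["mrk_decrypt_other_region"] = local.decrypt(msg2) == b"order"
    r["mrk_encrypt_other_region"] = _try_encrypt(local, b"new order")
    return r

if __name__ == "__main__":
    print(run_scenarios())
```

Running it shows the behaviour Greg describes: with two single-Region keys, decryption survives the generator Region being down (the second EDK is unwrapped in eu-west-1), but encryption fails whenever any member Region is down, not only the first. With a multi-Region key, the replica in the surviving Region handles both encryption and decryption on its own, because it holds the same key ID and key material. Two practitioner caveats apply to the real service: each replica is a separate KMS resource with its own key policy, aliases and grants, so callers in the second Region need permissions there too; and replicating key material into another Region is a deliberate expansion of where that material lives, which should be part of the threat model rather than an afterthought.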