1.0 Introduction
Welcome to the Fortanix-Data-Security-Manager (DSM) Amazon Web Services (AWS) Cloud Native Key Management Service (CNKMS) User Guide. This article describes how to perform native key lifecycle management in AWS KMS using Fortanix DSM.
The Fortanix solution for AWS Key Management Service (KMS) offers complete CNKMS, as explained in this article, as well as Bring Your Own Key (BYOK) and Bring Your Own KMS (BYOKMS), with complete lifecycle management for automation.
2.0 Getting Started with Fortanix Cloud Data Control
To understand which solution between CNKMS, BYOK, BYOKMS (AWS XKS), or Bring Your Own Encryption (BYOE) is right for you, refer to the Fortanix DSM - Cloud Data Control - Getting Started.
3.0 Fortanix AWS CNKMS Workflows Overview
Generate key: Navigate to a CDC group, select "Generate in AWS", select a supported algorithm type and key size, and click Generate to generate the key in the AWS Key Management Service (KMS) key repository.
Rotate: Rotate the key that was originally generated in AWS KMS by navigating to it in the AWS CDC group. Otherwise, if the source is "Fortanix DSM", refer to the Fortanix DSM - AWS KMS BYOK (Bring Your Own Key).
Disable/Enable: Navigate to the detailed view of the key in the AWS CDC group and disable or enable it from Fortanix DSM.
Schedule/Soft Key Deletion: AWS will not allow you to natively delete a key directly unless you explicitly schedule it for deletion and the mandatory waiting period expires (at least 7 days).
Navigate to the detailed view of the key in the AWS CDC group, and in the AWS KEY DETAILS tab, schedule the key for deletion.
4.0 Fortanix DSM AWS KMS Security Objects
After the AWS CDC group connects to AWS KMS using the provided connection details, the keys from AWS KMS are stored in the Fortanix DSM AWS CDC group as virtual keys. A virtual key is a reference that includes key information and attributes but does not contain the actual key material, which remains securely stored in AWS KMS.
For steps to create an AWS CDC group, refer to AWS CDC Group Setup Guide.
4.1 Create a Key in AWS CDC Group - Generate Key
This action will generate the configured key type in the configured AWS KMS regions directly, and it will be represented as a virtual key in the corresponding AWS CDC group. This means that the virtual key in the AWS CDC group will point to the actual key in AWS KMS that stores the key material of this new key. The virtual key only stores the key information and key attributes, but it does not have the key material.
Perform the following steps to create a new key in Fortanix DSM user interface (UI):
Navigate to the Security Objects menu item in the DSM left navigation bar and click the + button on the Security Objects page to create a new key.
In the Add New Security Object form, do the following:
Enter a name for the Security Object (Key).
Select the This is an HSM/external KMS object check box to filter the groups to show only AWS KMS groups in the Select group list.
In the AWS group list, select the AWS CDC group into which the keys will be generated. The keys will be generated into the region that was selected in the AWS CDC group.
Select the GENERATE IN AWS radio button to initiate the generate key in the AWS workflow.
In the AWS Aliases section, click the ADD ALIAS button to add an alias(es).
In the Choose a type section, select the key type for the new AWS KMS key.
NOTE
The allowed key types for an AWS key generated using the Generate Key workflow are:
AES 256
RSA key pairs: 2048, 3072, or 4096 with public exponent 3 or 65537
EC curve key pairs: NistP256, NistP384, NistP521, or ECC_SECG_P256K1
These key types can further be restricted by setting a cryptographic policy for the account or group. For more details about the crypto policy, refer to User's Guide: Crypto Policy.
Enter the Key size.
Select the permitted key operations under the Key operations permitted section.
In the AWS KMS auto-rotation section, select the check box to automatically rotate the key by specifying the required rotation interval in the input field. By default, the key rotation is set to occur every 90 days, but this can be modified as needed, with a minimum interval of 90 days and a maximum of 2560 days. For more information about this feature, refer to Section 4.2: AWS KMS Auto-Rotation.
Add any key tags if required using ADD TAG button.
Enable the toggle button for Multi-region primary key to create an AWS multi-region primary key. For more details, refer to the Section 4.3: Multi-Region Primary Keys.
Click the GENERATE button to generate the key in AWS.
The new AWS Key is created and represented with a special symbol 
to denote it is of type AWS/KMS. In the detailed view of the AWS key you will notice the following things:
An icon next to the key name indicating if it a multi-region primary key.
The group and region to which it belongs (in the Group field). It also shows if the group is mapped to an AWS or not using the special icon
.How the key was created (in the Created by field). If it is an AWS KMS key, this field shows the group that created this key. It also shows minor details such as if the group is “Connected” or “Not Connected”.
The new key will be added to the Security Objects table.
TIP
You can also access the new key from the Group detailed view from the SECURITY OBJECTS tab.
You can also add a new key from the Group detailed view from the SECURITY OBJECTS tab, click ADD SECURITY OBJECT button, and follow Steps 2-3 above.
4.2 AWS KMS Auto-Rotation
AWS KMS allows you to configure a key rotation policy for keys generated in the AWS KMS keystore ensuring that the rotation is fully managed by AWS KMS while the key material remains exclusively within AWS KMS. This policy is independent of the Fortanix DSM key rotation policy.
You can enable the AWS KMS auto-rotation feature while importing or generating a key in AWS KMS. You can also configure this policy from the key details page in Fortanix DSM. By default, the key rotation is set to occur every 90 days, but this can be modified as needed, with a minimum interval of 90 days and a maximum of 2560 days.
NOTE
Enabling the AWS KMS auto-rotation policy automatically disables the DSM Key rotation policy. At any given time, only one policy can be active, and the key will follow that rotation policy.
To configure DSM’s Key rotation policy, delete the AWS KMS auto-rotation policy by clicking the EDIT button and clearing the check box for rotation.
4.3 Multi-Region Primary Keys
Fortanix DSM allows you to mark an AWS virtual key as a multi-region primary key, enabling the creation of replicas in other AWS KMS regions and making the primary key a multi-region key.
NOTE
Replicas of a multi-region key cannot be created from Fortanix DSM.
Multi-Region keys in AWS KMS are keys located in different AWS Regions that can be used interchangeably. They share the same key material and key ID across regions, allowing encryption in one region and decryption in another without the need for re-encryption or cross-Region calls to AWS KMS. Multi-Region keys support all cryptographic operations available with single-region keys.
Additionally, Fortanix DSM also allows you to rotate the multi-region primary keys in AWS KMS:
Rotation of Multi-region Keys: You can now rotate the multi-region primary keys that were generated or imported into an AWS KMS externally backed DSM group using the ROTATE KEY link available under the key name.
Linked-Key Rotation for Copied Keys: You can rotate a key copied from a normal DSM group to an AWS KMS externally backed DSM group as a multi-region primary key using the Rotate linked keys check box. This will rotate the primary and all replicas in AWS KMS to the new key value.
4.4 Sync Keys
Perform the following steps to edit the AWS connection details:
Go to the AWS group detailed view.
Click the HSM/KMS tab.
Click the SYNC KEYS button to import the new keys.
Fortanix DSM will then connect to AWS, fetch all available keys, and store them as virtual keys.
NOTE
When keys are synced with AWS KMS, the metadata of the existing keys for the configured service account and region are downloaded and represented as virtual keys. The actual key material for those keys is always stored in AWS KMS.
Clicking SYNC KEYS only returns the keys from AWS that are not present in Fortanix DSM. That is, every click will append only new keys to Fortanix DSM.
If some keys were marked as multi-Region primary keys or multi-Region replica keys in AWS KMS before the scan, then clicking SYNC KEYS will identify these keys and mark them as multi-Region primary keys or multi-Region replica keys respectively.
The time taken to sync keys from AWS KMS to Fortanix DSM is a function of the number of keys in the AWS KMS and the network latency between the AWS location and Fortanix DSM. It can take several minutes if there are hundreds of keys and significant network latency.
The AWS CDC groups have a scan limitation. When the AWS KMS region has more than 100 keys, only 100 virtual keys are created during the group scan.
If a key in AWS KMS keystore has auto-rotation feature enabled, the AWS KMS auto-rotation feature will be enabled in the KEY ROTATION tab of the synced virtual key in Fortanix DSM after the sync operation.
4.5 Attributes/Tags Tab
This tab contains all the attributes and tags of the AWS key. A tag serves as an optional metadata label for an AWS resource. You can add new tags using the NEW TAG button and add custom attributes using the ADD CUSTOM ATTRIBUTE button. These custom attributes are user-defined security object attributes that augment the security object's metadata.
4.6 AWS Key Details
This tab displays the information about the AWS Key Aliases, Key ARN for Key ID, and the AWS key policy.
If the AWS virtual key is a multi-region primary key, then the Key ARN section will also display the key ARNs of the replica keys.
If the AWS virtual key is a multi-region replica key, then the Key ARN section will also display the key ARN of the primary key.
The AWS KEY DETAILS tab also contains SCHEDULE KEY DELETION and DELETE KEY MATERIAL options as explained in Section 4.8: Schedule to Delete a Key in AWS KMS and Section 4.10: Delete Key Material in AWS KMS, respectively.
4.7 Security Objects Table View
After you add new AWS keys, navigate to the Security Objects menu item to view all the security objects from all the groups (AWS and non-AWS).
In the table, you will notice that every key belongs to a group and some keys which are virtual keys added from an AWS, belongs to a group with a special symbol 
. The table shows all keys, whether they belong to an AWS CDC group or not.
4.8 Schedule to Delete a Key in AWS KMS
When you delete a key from an AWS KMS, the action removes the actual key from the configured AWS environment, and the key will appear as disabled in the security objects table.
Perform the following steps to delete a key from an AWS KMS:
Navigate to the Security Objects menu item and go to the detailed view of a AWS virtual key and select the AWS KEY DETAILS tab.
Click the SCHEDULE KEY DELETION link button.
In the Schedule Key Deletion in the AWS KMS window, enter a waiting period (in days) to confirm if the AWS key is still needed, ensuring the value falls between 7 to 30 days only.
NOTE
Data encrypted with the key becomes unusable once the key is deleted.
Select the confirmation “I understand that the data encryption with the object can no longer be used once the object is scheduled for deletion.” checkbox.
Click the SCHEDULE KEY DELETE button to mark the key for deletion.
NOTE
You can cancel the key deletion at any time before the waiting period ends using the CANCEL KEY DELETION IN AWS link on the top of the screen in the detailed view of the AWS virtual key.
After the key is permanently deleted from AWS KMS, the Delete Key button is enabled in the detailed view of the virtual key in Fortanix DSM.
4.9 Delete a Key in AWS Group
NOTE
The DELETE KEY option is enabled only when the key is permanently deleted from AWS KMS.
When you delete a key from an AWS CDC group, the action only removes the virtual key in Fortanix DSM and does not delete the actual key in the configured AWS.
Perform the following steps to delete a virtual key:
Select the AWS key that you want to delete.
In the detailed view of the key, scroll down and click the DELETE KEY button.
4.10 Delete Key Material in AWS KMS
When the allowed key types of AES, RSA, or EC are copied into AWS KMS from Fortanix DSM, the key material is stored in two places, the source key in the regular Fortanix DSM group and in the configured AWS KMS for a specific account and region. This key is represented as a virtual key in the AWS CDC group.
A virtual key is only a virtual representation of the actual AWS KMS key that contains the key information and key attributes; however, this virtual key does not contain the key material. Users may want to delete the key material from the configured AWS KMS to maintain a single copy of key material stored securely in the source key in the regular Fortanix DSM group.
NOTE
The Delete Key material feature is enabled only for the following allowed key types that have been externally imported into AWS KMS.
AES 256
RSA key pairs: 2048, 3072, or 4096 with public exponent 3 or 65537
EC curve key pairs: NistP256, NistP384, NistP521, or ECC_SECG_P256K1
The Delete key material feature is visible only for BYOK keys, that is, for keys that were copied from Fortanix DSM.
Perform the following steps to delete the key material of the AWS virtual key:
Go to the detailed view of a virtual key in the AWS CDC group and select the AWS KEY DETAILS tab.
Click the DELETE KEY MATERIAL link to delete the key material in AWS KMS.
In the Delete Key Material in AWS KMS window, select the check box to confirm your understanding about the action.
Click the DELETE KEY MATERIAL button to confirm the action.
The status of the key in the AWS KMS changes to “Pending import”. Select the confirmation “I understand that the data encryption with the object can no longer be used once the object is scheduled for deletion.” checkbox.
After the key material is deleted from AWS KMS, it can be reimported back into AWS KMS to reverse the key material deletion.
Perform the following steps to reimport the key material:
Go to the detailed view of the virtual key and click the REIMPORT KEY MATERIAL link on top of the screen.
The key material is reimported successfully.
5.0 Rotate Key in AWS CDC Group
The following section elaborates on key rotation in an AWS CDC group. A key rotation occurs when you aim to retire an encryption key and substitute it by generating a new cryptographic key.
NOTE
When performing key rotation in AKV, including normal rotation, linked key rotation, or rotate to DSM key, specifying the Azure key name is no longer required. The rotated key automatically inherits the following details from the previous key version:
Azure Key Name
Azure Key Resource ID
Azure Key Version Number
Key Backup Information
5.1 Rotating AWS Native Key* with Another Native Key
*Native key is one where the key material was generated by AWS KMS.
When you rotate a virtual key in an AWS CDC group, the action will rotate the key inside the AWS KMS by generating another new version of the key within the configured AWS KMS in a nested way by moving the key alias from the old key to the new key.
Perform the following steps to rotate a key in AWS:
Navigate to the Security Objects menu item in the DSM left navigation bar to go to the detailed view of an AWS virtual key and click the ROTATE KEY button.
In the KEY ROTATION window, the Generate new key radio button is selected by default.
Click the ROTATE KEY button to rotate a virtual key.
On the next screen, select both the check boxes to confirm your understanding about the action. Click the PROCEED button.
NOTE
The ROTATE KEY button will be disabled if the AWS KMS auto-rotation policy is enabled for the key since the rotation is solely managed by AWS KMS.
A new rotated key is now generated.
5.2 Rotate AWS Native Key to Fortanix DSM Owned Key
When an AWS virtual key whose key material is owned by AWS KMS is rotated, you are given the option to rotate the virtual key with a Fortanix DSM-backed key. When you select this option and perform the rotation, a new virtual key is created, with the corresponding key in AWS KMS, which has the key material of the Fortanix DSM-backed key. As a result, the AWS virtual key is backed by a Fortanix DSM source key and becomes a BYOK key.
Perform the following steps to rotate a virtual key with Fortanix DSM backed key:
Navigate to the Security Objects menu item in the DSM left navigation bar to go to the detailed view of an AWS virtual key and click the ROTATE KEY button.
In the Key Rotation window, the Generate new key radio button is selected by default.
Select the Rotate to DSM key check box.
Select the Fortanix DSM group that contains the source key and then select the required source key from the respective drop down menus.
Click the ROTATE KEY button.
On the next screen, select both the check boxes to confirm your understanding about the action. Click the PROCEED button.
The virtual key has been rotated and is now backed by the source key. To confirm, go to the detailed view of the newly rotated AWS virtual key and click the AWS KEY DETAILS tab. You will notice that the SOURCE field now shows FortanixHSM instead of External.
6.0 AWS KMS Group Setup and BYOK
For details on how to set up an AWS-backed group in Fortanix DSM, refer to the Fortanix DSM - AWS External KMS Setup.
For details on how to perform BYOK key lifecycle management in AWS KMS using Fortanix DSM, refer to the Fortanix DSM - AWS KMS Bring Your Own Key.
7.0 Troubleshooting
This section lists issues along with possible workarounds that you might encounter while performing some operations.
Problem | Solution |
|---|---|
While performing the “sync key” operation, a “400 status code and response error” occurs if the short-term access token expires during the synchronization of a group linked to AWS KMS. | Increase the timeout of the temporary session token beyond the expected duration of the sync key operation. |