AWS announced the availability of the AWS Key Management Service (AWS KMS) External Key Store (XKS), which allows organizations to store and manage their encryption keys outside of the AWS KMS service.

External Key Stores enable the protection of user resources on AWS through the use of cryptographic keys outside of AWS. This advanced feature is designed for regulated workloads that need to protect cryptographic keys stored in an external key management system.

External key stores support AWS’s digital sovereignty promise to give sovereign control over data in AWS, including the ability to encrypt with key material that n;ers own and control outside of AWS.

AWS KMS never interacts directly with an external key manager and cannot create, view, manage, or delete keys. Instead, AWS KMS interacts only with user-provided external key storage software (XKS proxy). Your external key storage proxy mediates all communication between AWS KMS and your external key manager.

External key stores unlock the few use cases for regulated workloads where encryption keys must remain solely under your control and inaccessible to AWS. But it’s a major shift in how you manage cloud-based infrastructure, and a significant shift in the shared responsibility model. For most workloads, the additional operational burden and greater availability and performance risks will outweigh the perceived security benefits of external key stores.

Finally, from a pricing perspective, AWS KMS charges $1 per root key per month, no matter where the keying material is stored – in KMS, in CloudHSM, or in the organization’s own on-premises HSM. In addition, additional details on external key storage are available in the FAQ.