gosphotodesign - Fotolia

How do key aliases affect cloud encryption key management?

Amazon Web Services added support for key aliases to help improve enterprise cloud encryption key management. Learn what key aliases are and the benefits they bring to the enterprise.

Amazon Web Services recently added support for updating key aliases for its Key Management Service. What are the benefits of using a key alias? Are there any risks associated with key aliases? If so, how can they be mitigated?

Amazon Web Services' Key Management Service enables users to create and manage cryptographic keys used to protect data in AWS.

Encryption keys are generally used within a single region. For example, data encrypted in Amazon's us-west-2 region would be encrypted with a different key than a replicated version of that data stored in us-east-1. This can make it difficult to keep track of keys used to encrypt data across regions. Application code, for example, would have to maintain information about each key-region pairing.

Key aliases alleviate some of the cloud encryption key management burden by allowing administrators to associate a name string with each key. These names -- or aliases -- may be used in multiple regions. Code that runs in multiple regions does not need to manage multiple keys, and can instead refer to a key alias.

Key aliases are useful when rotating keys. Key rotation is a security best practice that mitigates the risk of data leaks due to compromised keys; it serves a similar purpose to changing passwords. If others were to learn an administrative password, they would have access to that account for as long as that password was in place. Similarly, an ex-employee with a copy of an encryption key or someone who has otherwise obtained a copy of one of your encryption keys would have access to all data encrypted with that key.

The recently announced service from AWS enables administrators to update a key alias without first deleting the previous key. This was a shortcoming in previous implementations that required a key alias to be deleted and then recreated with a new key, which left the alias unstable for the period of time between the deleting and recreating operations.

While key aliases are not keys themselves, their names should be protected. Additionally, aliases should be descriptive and easily distinguished from each other so keys are not applied to the wrong data due to an ambiguous or confusing key alias.

Ask the Expert:
SearchCloudSecurity expert Dan Sullivan is ready to answer your application security questions -- submit them now. (All questions are anonymous.)

Next Steps

Don't miss these cloud encryption key management best practices

Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices