gosphotodesign - Fotolia
Amazon Web Services recently added support for updating key aliases for its Key Management Service. What are the benefits of using a key alias? Are there any risks associated with key aliases? If so, how can they be mitigated?
Amazon Web Services' Key Management Service enables users to create and manage cryptographic keys used to protect data in AWS.
Encryption keys are generally used within a single region. For example, data encrypted in Amazon's us-west-2 region would be encrypted with a different key than a replicated version of that data stored in us-east-1. This can make it difficult to keep track of keys used to encrypt data across regions. Application code, for example, would have to maintain information about each key-region pairing.
Key aliases alleviate some of the cloud encryption key management burden by allowing administrators to associate a name string with each key. These names -- or aliases -- may be used in multiple regions. Code that runs in multiple regions does not need to manage multiple keys, and can instead refer to a key alias.
Key aliases are useful when rotating keys. Key rotation is a security best practice that mitigates the risk of data leaks due to compromised keys; it serves a similar purpose to changing passwords. If others were to learn an administrative password, they would have access to that account for as long as that password was in place. Similarly, an ex-employee with a copy of an encryption key or someone who has otherwise obtained a copy of one of your encryption keys would have access to all data encrypted with that key.
The recently announced service from AWS enables administrators to update a key alias without first deleting the previous key. This was a shortcoming in previous implementations that required a key alias to be deleted and then recreated with a new key, which left the alias unstable for the period of time between the deleting and recreating operations.
While key aliases are not keys themselves, their names should be protected. Additionally, aliases should be descriptive and easily distinguished from each other so keys are not applied to the wrong data due to an ambiguous or confusing key alias.
Ask the Expert:
SearchCloudSecurity expert Dan Sullivan is ready to answer your application security questions -- submit them now. (All questions are anonymous.)
Don't miss these cloud encryption key management best practices
Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices
Related Q&A from Dan Sullivan
Docker's recent upgrade introduced support for hardware signing and in the future, automated security analysis on Docker images. Expert Dan Sullivan ... Continue Reading
Cisco's new project Contiv automates operational policies for containerized applications in the cloud. Expert Dan Sullivan explains the benefits of ... Continue Reading
Dropbox API abused by attackers posing as legitimate users in a huge spear phishing campaign. Expert Dan Sullivan explains how to mitigate the risks ... Continue Reading