Before we get to the lab exercise, we wanted to take some time to discuss options for generating your AWS KMS CMK. AWS KMS provides you with two alternatives to store your CMK. Your security requirements may dictate which alternative is suitable for your workloads on Amazon EKS.
There is an AWS Online Tech Talk on Encrypting Secrets in Amazon EKS that dives deep into this topic.
For most users, the default AWS KMS key store, which is protected by FIPS 140-2 validated cryptographic modules, fulfills their security requirements.
However, you might consider creating a custom key store if your organization has any of the following requirements:
If any of these requirements apply to you, consider using AWS CloudHSM with AWS KMS to create a custom key store.
What level of FIPS 140-2 cryptographic validation does the AWS KMS HSM hold?
The AWS KMS HSMs are validated at Level 2 overall. You can read more about that [here](https://aws.amazon.com/blogs/security/aws-key-management-service-now-offers-fips-140-2-validated-cryptographic-modules-enabling-easier-adoption-of-the-service-for-regulated-workloads/).
FIPS 140-2 Level 2 validation is sufficient for many use cases, but check with your security and compliance teams to verify.
Keep in mind that the KMS Custom Key Store functionality makes use of a minimum of two AWS CloudHSM instances.
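A practical check that follows from the two alternatives above is to confirm which key store actually backs the CMK your cluster uses for secrets envelope encryption, and, for a custom key store, whether the CloudHSM cluster behind it has the two active HSMs mentioned. The following is an added example, not code from the workshop: a hypothetical helper that reads saved output of `aws eks describe-cluster`, `aws kms describe-key` and `aws cloudhsmv2 describe-clusters`. The sample responses are constructed, with placeholder account, key and cluster identifiers, and only the fields relevant to the check are included.

```python
"""Added example (hypothetical helper): where does the EKS secrets CMK live?

The three sample responses below are constructed to mirror the shape of the
AWS CLI / API output named in their comments; all identifiers are placeholders.
"""
import json

# Constructed `aws eks describe-cluster` excerpt (placeholder IDs).
EKS_CLUSTER = {
    "cluster": {
        "name": "eksworkshop",
        "encryptionConfig": [
            {
                "resources": ["secrets"],
                "provider": {
                    "keyArn": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID"
                },
            }
        ],
    }
}

# Constructed `aws kms describe-key` excerpt for a CMK in a custom key store.
# A CMK in the default KMS key store has Origin "AWS_KMS" and no CustomKeyStoreId.
KMS_KEY_CUSTOM = {
    "KeyMetadata": {
        "KeyId": "EXAMPLE-KEY-ID",
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE-KEY-ID",
        "KeyState": "Enabled",
        "KeyManager": "CUSTOMER",
        "Origin": "AWS_CLOUDHSM",
        "CustomKeyStoreId": "cks-EXAMPLE",
        "CloudHsmClusterId": "cluster-EXAMPLE",
    }
}

# Constructed `aws cloudhsmv2 describe-clusters` excerpt (placeholder IDs).
CLOUDHSM_CLUSTERS = {
    "Clusters": [
        {
            "ClusterId": "cluster-EXAMPLE",
            "State": "ACTIVE",
            "Hsms": [
                {"HsmId": "hsm-EXAMPLE1", "State": "ACTIVE"},
                {"HsmId": "hsm-EXAMPLE2", "State": "ACTIVE"},
            ],
        }
    ]
}


def secrets_key_arn(describe_cluster):
    """Return the KMS key ARN configured for EKS secrets encryption, or None."""
    for cfg in describe_cluster["cluster"].get("encryptionConfig", []):
        if "secrets" in cfg.get("resources", []):
            return cfg["provider"]["keyArn"]
    return None


def classify_key_store(describe_key):
    """Map KeyMetadata.Origin to the key store alternative discussed above."""
    md = describe_key["KeyMetadata"]
    origin = md.get("Origin")
    if origin == "AWS_KMS":
        return "default"
    if origin == "AWS_CLOUDHSM" and md.get("CustomKeyStoreId"):
        return "custom"
    return "other"  # e.g. EXTERNAL (imported key material)


def active_hsm_count(describe_clusters, cluster_id):
    """Count HSMs in state ACTIVE for the given CloudHSM cluster id."""
    for c in describe_clusters["Clusters"]:
        if c["ClusterId"] == cluster_id:
            return sum(1 for h in c.get("Hsms", []) if h.get("State") == "ACTIVE")
    return 0


def assess(describe_cluster, describe_key, describe_clusters, min_hsms=2):
    """Combine the three responses into a single finding dict."""
    arn = secrets_key_arn(describe_cluster)
    md = describe_key["KeyMetadata"]
    store = classify_key_store(describe_key)
    finding = {
        "secrets_encrypted": arn is not None,
        "key_matches_cluster_config": arn == md.get("Arn"),
        "key_store": store,
        "key_enabled": md.get("KeyState") == "Enabled",
    }
    if store == "custom":
        n = active_hsm_count(describe_clusters, md["CloudHsmClusterId"])
        finding["active_hsms"] = n
        finding["hsm_quorum_met"] = n >= min_hsms
    return finding


if __name__ == "__main__":
    print(json.dumps(assess(EKS_CLUSTER, KMS_KEY_CUSTOM, CLOUDHSM_CLUSTERS), indent=2))
```

To run it against a real cluster, save the three CLI responses to JSON files and load them in place of the constructed dictionaries; `key_matches_cluster_config` catches the case where the key you inspected is not the one the cluster was actually created with.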
Aside from compliance considerations, your team will want to consider the cost of using this feature. For comparison, I will list the cost of using a CMK created with the default KMS functionality. Then, I will list the cost of using a CMK created with the custom key store functionality.
Now that we have discussed AWS KMS support for custom key stores, let’s move on to the exercise.