Hello konker,
Thanks for your feedback.
Your understanding of custom key stores is correct. There are three key origins to choose from when creating a KMS key: KMS, External (import your own), and custom key store (CloudHSM). When I created this question, I imagined a scenario in which KMS keys are to be generated from key material generated by a CloudHSM cluster, a setup similar to the one described in this blog, except that the cluster is to be maintained rather than deleted. This is technically possible, but it forgoes the advantage of easy integration with other services such as Amazon S3. So the best possible answer in the scenario's case is to just create a CloudHSM-backed KMS key. We will revise this item.
Let me know if you have further questions.
Regards,
Carlo @ Tutorials Dojo
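The three key origins discussed in the reply, as an added example that is not code from the thread or from AWS. It builds the KMS `CreateKey` parameters for each origin and rejects combinations the API refuses: a CloudHSM-backed key must name a `CustomKeyStoreId`, must be a symmetric encryption key (`SYMMETRIC_DEFAULT` / `ENCRYPT_DECRYPT`), and cannot be multi-Region, while a `CustomKeyStoreId` is invalid with any other origin. An `EXTERNAL` key starts in `PendingImport` until `ImportKeyMaterial` runs. The key store ID in the usage section is a constructed placeholder, and no AWS call is made, so the check runs offline.

```python
"""Build and sanity-check AWS KMS CreateKey requests for the three key origins.

Added example, not code from the forum thread or from AWS. It encodes the
documented CreateKey constraints so a mistake is caught before the API call.
The key store ID used in main() is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import Optional

# The three origins the reply refers to, spelled as the KMS API expects.
ORIGIN_KMS = "AWS_KMS"            # key material generated and held by KMS
ORIGIN_EXTERNAL = "EXTERNAL"      # bring your own key material (BYOK)
ORIGIN_CLOUDHSM = "AWS_CLOUDHSM"  # key material lives in your CloudHSM cluster

ALL_ORIGINS = {ORIGIN_KMS, ORIGIN_EXTERNAL, ORIGIN_CLOUDHSM}


@dataclass
class KeyPlan:
    """What the caller wants; validated by build_create_key_request()."""
    origin: str
    key_spec: str = "SYMMETRIC_DEFAULT"
    key_usage: str = "ENCRYPT_DECRYPT"
    custom_key_store_id: Optional[str] = None
    multi_region: bool = False


def build_create_key_request(plan: KeyPlan) -> dict:
    """Return the CreateKey parameters for `plan`, or raise ValueError."""
    if plan.origin not in ALL_ORIGINS:
        raise ValueError(f"unknown origin {plan.origin!r}")

    if plan.origin == ORIGIN_CLOUDHSM:
        # CloudHSM key stores hold only symmetric encryption keys and the
        # target key store must be named explicitly.
        if not plan.custom_key_store_id:
            raise ValueError("AWS_CLOUDHSM origin requires CustomKeyStoreId")
        if plan.key_spec != "SYMMETRIC_DEFAULT" or plan.key_usage != "ENCRYPT_DECRYPT":
            raise ValueError(
                "CloudHSM key stores support only SYMMETRIC_DEFAULT / ENCRYPT_DECRYPT keys"
            )
        if plan.multi_region:
            raise ValueError("multi-Region keys are not supported in custom key stores")
    elif plan.custom_key_store_id:
        raise ValueError("CustomKeyStoreId is only valid with Origin=AWS_CLOUDHSM")

    request = {
        "Origin": plan.origin,
        "KeySpec": plan.key_spec,
        "KeyUsage": plan.key_usage,
        "MultiRegion": plan.multi_region,
    }
    if plan.custom_key_store_id:
        request["CustomKeyStoreId"] = plan.custom_key_store_id
    return request


def expected_initial_state(plan: KeyPlan) -> str:
    """Key state right after CreateKey succeeds."""
    # An EXTERNAL key has no material until ImportKeyMaterial completes,
    # so it cannot be used for cryptographic operations yet.
    return "PendingImport" if plan.origin == ORIGIN_EXTERNAL else "Enabled"


def main() -> None:
    # Constructed placeholder; a real ID comes from DescribeCustomKeyStores.
    store_id = "cks-1234567890abcdef0"
    plans = [
        KeyPlan(ORIGIN_KMS),
        KeyPlan(ORIGIN_EXTERNAL),
        KeyPlan(ORIGIN_CLOUDHSM, custom_key_store_id=store_id),
    ]
    for plan in plans:
        print(build_create_key_request(plan), "->", expected_initial_state(plan))


if __name__ == "__main__":
    main()
```

The last plan in `main()` is the "just create a CloudHSM-backed KMS key" answer from the reply: the key material is generated inside the cluster behind the key store, and the resulting KMS key integrates with S3 and other services like any other symmetric key, which is what importing cluster-generated material through `EXTERNAL` would not give you.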