Wednesday, October 15, 2025

AWS KMS Multi-Region Keys (MRKs) | Overview & Hands-On.

Focus:

  • The Concept of Multi-Region Keys (MRKs),
  • Multi-Region Key Architecture & Description,
  • Sample CLI primary key creation in us-east-2,
  • Replicating the primary key created in us-east-2 to us-west-1,
  • How Replication Works (Lifecycle Operations),
  • Cryptographic Behavior,
  • Sample encryption with the replica key in us-west-1,
  • Sample decryption with the replica key in us-east-1
  • Integration Scenarios (Multi-Region Applications),
  • Integration Scenarios for S3 Cross-Region Replication (CRR),
  • Integration Scenarios for Disaster Recovery,
  • IAM, Policies, & Access Control,
  • CloudTrail & Auditing,
  • Security Model Benefits,
  • Useful Multi-Region Keys (MRKs) Commands & API Summary,
  • Limitations & Description,
  • Data Flow Visualization (simplified),
  • Best Practices.
  • Project: Hands-On.

 1. The Concept of Multi-Region Keys (MRKs)

  • Multi-Region Keys are a special class of AWS KMS customer managed keys that can exist in multiple AWS Regions.
  • Multi-Region Keys are designed to support cross-region encryption and decryption without moving the plaintext key material.
  • Each copy of a multi-region key in each Region is cryptographically equivalent, meaning:
    • The key ID and key material are the same.
    • twtech can encrypt data in one Region and decrypt it in another.
    • AWS KMS ensures strong cryptographic consistency.

 2. Multi-Region Key Architecture & Description

Concept        | Description
Primary Key    | The “source” key created first. Controls replication and metadata propagation.
Replica Key    | A read-only copy in another AWS Region. Used for cryptographic operations (Encrypt/Decrypt/Sign/Verify), but cannot create more replicas.
Key Material   | Synchronized across Regions automatically by KMS (no user access).
Key ARN Format | Each Region has a unique ARN, but all share the same key ID (e.g., 1234abcd-12ab-34cd-56ef-1234567890ab).

# ARN of the primary key created in us-east-2:

arn:aws:kms:us-east-2:accountID:key/1234abcd-12ab-34cd-56ef-1234567890ab

# ARN of the replica key after replicating the us-east-2 primary to us-west-1:

arn:aws:kms:us-west-1:accountID:key/1234abcd-12ab-34cd-56ef-1234567890ab

NB:

  • Both keys share the same key ID and key material but have different ARNs and Regional metadata.

3. How Replication Works (Lifecycle Operations)

Operation         | Primary                                   | Replica
Create Key        | Created via create-key --multi-region     | Created via replicate-key
Replicate Key     | Initiated from the primary                | Cannot create further replicas
Schedule Deletion | Must be initiated separately per Region   | Must be initiated separately per Region
Enable/Disable    | Set on the primary                        | Propagates automatically
Policy Updates    | Set on the primary                        | Propagates automatically
Grants            | Must be created separately in each Region | Must be created separately in each Region

 4. Cryptographic Behavior

    • Same key material, so identical cryptographic output in every Region.
    • Independent CMKs at AWS service level (each Region enforces isolation).
    • Supported algorithms:
      • Symmetric keys (AES-256)
      • Asymmetric keys (RSA, ECC)
      • HMAC (Hash-based Message Authentication Code) keys
    • FIPS 140-2 validated in all supported Regions.
      • Government standard that sets the security requirements for cryptographic modules used to protect sensitive but unclassified (SBU) data.

# Sample encryption with the replica key in us-west-1:

aws kms encrypt --key-id arn:aws:kms:us-west-1:accountID:key/1234abcd... --plaintext fileb://data.txt

# Sample decryption with the replica key in us-east-1:

aws kms decrypt --key-id arn:aws:kms:us-east-1:accountID:key/1234abcd... --ciphertext-blob fileb://cipher.bin

NB:

    • This works seamlessly: ciphertext produced in one Region decrypts in the other.
    • There is no need to transfer key material.

 5. Integration Scenarios (Multi-Region Applications)

 A. Multi-Region Applications

    • Encrypt data in the nearest Region for latency.
    • Decrypt in another Region for global availability.
    • Typical use cases:
      • Cross-region data replication (e.g., S3 CRR, Cross-Region Replication)
      • Multi-region DynamoDB tables
      • Multi-Region RDS disaster recovery

B. Integration Scenarios for S3 Cross-Region Replication (CRR)

    • Use the same MRK ARN in both buckets’ Regions.
    • Avoids the need for two different CMKs.

C. Integration Scenarios for Disaster Recovery (DR)

    • If a Region goes down, the replica key can still decrypt data.
    • Enables Regional failover without key export.

 6. IAM, Policies, & Access Control

    • Key policies replicate automatically from the primary to its replicas.
    • Grants and aliases are regional (must be recreated in each Region).
    • CloudTrail logs key operations per Region (independent).

 7. CloudTrail & Auditing

    • Each KMS API call (Encrypt, Decrypt, ReplicateKey, etc.) generates a region-specific CloudTrail event.
    • twtech can correlate key usage across Regions via the shared keyId.
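The correlation described above works because every copy of an MRK carries the same key ID inside a Region-specific ARN. The Python below is an added example, not part of the original post: it groups constructed CloudTrail-style records (trimmed to the fields used, placeholder account number) by that shared key ID, which links an Encrypt in us-east-2 to a Decrypt in us-west-1 that a per-ARN view would treat as two unrelated keys, and it flags ReplicateKey calls to Regions outside an allow-list, since each replica widens where the key material lives.

```python
"""Correlate KMS Multi-Region Key usage across Regions from CloudTrail records."""
from collections import defaultdict

MRK_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"   # key ID used in the post
OTHER_ID = "aaaabbbb-0000-1111-2222-333344445555"  # constructed single-Region key


def _event(name, region, caller, key_id, **params):
    """Build a constructed CloudTrail-like record (placeholder account 111122223333)."""
    return {"eventSource": "kms.amazonaws.com", "eventName": name, "awsRegion": region,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:{caller}"},
            "requestParameters": params,
            "resources": [{"ARN": f"arn:aws:kms:{region}:111122223333:key/{key_id}"}]}


SAMPLE_EVENTS = [
    _event("Encrypt", "us-east-2", "role/app-east", MRK_ID),
    _event("ReplicateKey", "us-east-2", "user/admin", MRK_ID, replicaRegion="us-west-1"),
    _event("Decrypt", "us-west-1", "role/app-west", MRK_ID),
    _event("Decrypt", "us-east-2", "role/app-east", OTHER_ID),
]


def key_id_from_arn(arn):
    """Return the key ID shared by every copy of an MRK, or None for non-key ARNs."""
    if ":key/" not in arn:
        return None
    return arn.rsplit(":key/", 1)[1]


def correlate(events):
    """Map key ID -> {'regions': set, 'ops': {region: [eventName, ...]}, 'callers': set}."""
    usage = defaultdict(lambda: {"regions": set(), "ops": defaultdict(list), "callers": set()})
    for ev in events:
        for res in ev.get("resources", []):
            kid = key_id_from_arn(res.get("ARN", ""))
            if kid is None:
                continue
            entry = usage[kid]
            entry["regions"].add(ev["awsRegion"])
            entry["ops"][ev["awsRegion"]].append(ev["eventName"])
            entry["callers"].add(ev["userIdentity"]["arn"])
    return usage


def keys_used_cross_region(usage):
    """Key IDs whose operations were logged in more than one Region."""
    return sorted(kid for kid, u in usage.items() if len(u["regions"]) > 1)


def replication_alerts(events, allowed_regions):
    """ReplicateKey calls targeting a Region outside the allow-list: (caller, key_id, region)."""
    alerts = []
    for ev in events:
        if ev["eventName"] != "ReplicateKey":
            continue
        target = ev.get("requestParameters", {}).get("replicaRegion")
        if target not in allowed_regions:
            kid = key_id_from_arn(ev["resources"][0]["ARN"])
            alerts.append((ev["userIdentity"]["arn"], kid, target))
    return alerts


if __name__ == "__main__":
    usage = correlate(SAMPLE_EVENTS)
    for kid in keys_used_cross_region(usage):
        print(kid, dict(usage[kid]["ops"]))
    print(replication_alerts(SAMPLE_EVENTS, allowed_regions={"us-east-2"}))
```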

 8. Security Model

    • AWS KMS never exports key material, even for replication.
    • Uses AWS’s internal secure multi-region channel for replication.
    • All key material is held within FIPS-validated HSMs (Hardware Security Modules) in each Region.

Security Benefits:

    • Regional isolation of KMS APIs
    • Global consistency of key material
    • No cross-region plaintext movement

 9. Useful Multi-Region Keys (MRKs) Commands & API Summary

# Create primary key

aws kms create-key --multi-region

# Replicate to another region

aws kms replicate-key \
  --key-id <primary-key-id> \
  --replica-region us-west-2

# Describe key

aws kms describe-key --key-id <key-id>

# List replicas (there is no dedicated list call; replicas appear in the primary's MultiRegionConfiguration)

aws kms describe-key --key-id <primary-key-id> \
  --query 'KeyMetadata.MultiRegionConfiguration.ReplicaKeys'

# Update primary policy (replicates automatically)

aws kms put-key-policy --key-id <primary-key-id> --policy-name default --policy file://policy.json

 10. Limitations & Description

Limitation            | Description
Max replicas          | One per Region
Regional restrictions | Not supported in AWS GovCloud (as of Oct 2025)
Automatic grants      | Not propagated
Deletion              | Must delete each key copy manually
Rotation              | Supported, but rotation occurs only in the primary (replicated automatically)

 11. Data Flow Visualization (simplified)

NB:

twtech encrypts data in one Region (us-east-2) -> decrypts it in another (us-west-1)


 12. Best Practices

    • Use MRKs for multi-region apps or DR (Disaster Recovery) setups.
    • Always manage policies via the primary key.
    • Keep aliases consistent across Regions.
    • Track CloudTrail logs regionally.
    • Avoid using MRKs if twtech data never leaves a Region (extra complexity).


Project: Hands-On

  • How twtech creates, encrypts, replicates, and decrypts (manages) KMS keys across its Multi-environments (Regions)

Search for the AWS service: Key Management Service.

(Console overview screenshots: How it works, Benefits and features, Related tools and services, AWS managed keys overview.)

Sample AWS key policy for: aws/s3

# Aws-sample-Key-policy.json

{
  "Version": "2012-10-17",
  "Id": "auto-s3-2",
  "Statement": [
    {
      "Sid": "Allow access through S3 for all principals in the account that are authorized to use S3",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-2.amazonaws.com",
          "kms:CallerAccount": "98xxxxxxxxxxxx"
        }
      }
    },
    {
      "Sid": "Allow direct access to key metadata to the account",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountID:root"
      },
      "Action": [
        "kms:Describe*",
        "kms:Get*",
        "kms:List*"
      ],
      "Resource": "*"
    }
  ]
}
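The sample policy above pins kms:ViaService to s3.us-east-2.amazonaws.com. That value names the calling service's endpoint in the key's own Region, so the same statement would not let S3 in us-west-1 use a replica there until the Region inside it is rewritten. The Python below is an added check, not part of the post or of any AWS tooling: SAMPLE_POLICY is a constructed copy of the first statement with a placeholder account number, and the functions flag Region mismatches, flag wildcard principals that lack the kms:CallerAccount scoping the sample relies on, and produce the rewritten copy for a replica Region.

```python
"""Check a KMS key policy before reusing it on a Multi-Region replica."""
import copy
import re

# Constructed copy of the post's S3 statement; the account number is a placeholder.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow access through S3",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "kms:ViaService": "s3.us-east-2.amazonaws.com",
            "kms:CallerAccount": "111122223333",
        }},
    }],
}

# service.region.amazonaws.com; commercial and GovCloud partitions only.
VIA_SERVICE_RE = re.compile(
    r"^([a-z0-9-]+)\.([a-z]{2}(?:-gov)?-[a-z]+-\d)\.amazonaws\.com$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_region_mismatches(policy, key_region):
    """(Sid, value) pairs whose kms:ViaService endpoint is in another Region."""
    issues = []
    for st in policy["Statement"]:
        for pairs in st.get("Condition", {}).values():
            for key, values in pairs.items():
                if key.lower() != "kms:viaservice":
                    continue
                for v in _as_list(values):
                    m = VIA_SERVICE_RE.match(v)
                    if m and m.group(2) != key_region:
                        issues.append((st.get("Sid"), v))
    return issues


def find_unscoped_wildcards(policy):
    """Sids of Allow statements for Principal "*" with no kms:CallerAccount condition."""
    sids = []
    for st in policy["Statement"]:
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if st.get("Effect") != "Allow" or "*" not in _as_list(aws):
            continue
        keys = {k.lower() for pairs in st.get("Condition", {}).values() for k in pairs}
        if "kms:calleraccount" not in keys:
            sids.append(st.get("Sid"))
    return sids


def rewrite_for_region(policy, key_region):
    """Deep copy of policy with every kms:ViaService endpoint moved to key_region."""
    new = copy.deepcopy(policy)
    for st in new["Statement"]:
        for pairs in st.get("Condition", {}).values():
            for key, values in pairs.items():
                if key.lower() == "kms:viaservice":
                    fixed = [VIA_SERVICE_RE.sub(rf"\1.{key_region}.amazonaws.com", v)
                             for v in _as_list(values)]
                    pairs[key] = fixed if isinstance(values, list) else fixed[0]
    return new
```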

Cryptographic configuration

Customer managed keys (Overview): CMK

Custom key stores (Overview): AWS CloudHSM key stores

NB:

  • twtech doesn't have any custom key stores in its account.
  • However, twtech can store its KMS keys in a custom key store instead of the standard KMS key store.

    • Custom key stores are created using an AWS CloudHSM cluster that twtech owns and manages.
    • Custom key stores provide direct control of the hardware security modules (HSMs) that generate the key material for twtech KMS keys and perform cryptographic operations with them.
    • To get started with custom key stores, twtech first needs to create an AWS CloudHSM cluster.

Custom key stores (Overview): External key stores

Create customer managed keys (managed by twtech): twtechKMSKeys

Add labels:
twtechKMSKeys


Define key administrative permissions - optional

Key administrators (13)

    • Select the IAM users and roles authorized to manage this key via the KMS API.
    • These administrators will be added to the key policy under the statement identifier (Sid) 'Allow administration of the key'.
    • Modifying this Sid might impact the console's ability to update the administrator statement in the key policy.

Define key usage permissions - optional

Key users (13)

    • Select the IAM users and roles authorized to use this key in cryptographic operations.
    • These users will be added to the key policy under the statement identifiers (Sid) 'Allow use of the key' and 'Allow attachment of persistent resources'.
    • Modifying these Sids might impact the console's ability to update the user statements in the key policy.

Edit key policy - optional

Key policy:

    •  Review the key policy statements for this key.
    •  To manually update this policy, select Edit.
    •  Modifying the statement identifiers (Sid) assigned in the previous steps might affect how the console displays updates to that statement.

{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountID:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}


Review

Select the key and open it to access the key details:

Cryptographic configuration

Key material and rotation

How twtech enables automatic KMS key rotation: edit the rotation setting.

  • Customize the rotation period: between 90 and 2560 days

Next rotation date for key

Key alias (name): twtechKMSkeys

How twtech enables, disables or schedules key deletion.

How twtech uses the CLI to encrypt and decrypt data within its environment: CLI (CloudShell can also be used)

AWS KMS CLI commands:

    • Here is twtech's comprehensive list of AWS KMS CLI commands, grouped by category.
    • These management commands include those specific to Multi-Region Keys (MRKs) and general key management operations.

 1. Key Creation and Management

# Create a new KMS key

aws kms create-key --description "twtech encryption key"

# Create a Multi-Region Key (MRK)

aws kms create-key --multi-region --description "twtech Multi-Region Key"

# Replicate a Multi-Region Key

aws kms replicate-key \
  --key-id arn:aws:kms:us-east-1:accountID:key/twtechmrk-1234abcd \
  --replica-region us-west-1

# Update the primary Region for a Multi-Region Key (promote a replica to be the new primary; --key-id is the current primary, --primary-region is the replica's Region)

aws kms update-primary-region \
  --key-id arn:aws:kms:us-east-2:accountID:key/twtechmrk-1234abcd \
  --primary-region eu-west-1

 2. Key Description and Listing

# List all KMS keys

aws kms list-keys

# Describe a specific key

aws kms describe-key --key-id arn:aws:kms:us-east-2:accountID:key/twtechmrk-1234abcd

# List key aliases

aws kms list-aliases

# Create or update an alias

aws kms create-alias --alias-name alias/twtechDevkey --target-key-id <twtechkey-id>

3. Encryption and Decryption

# Encrypt a plaintext file (the base64 ciphertext is written to a text file)

aws kms encrypt --key-id alias/twtechkmskey --plaintext fileb://twtechkmskey.txt \
  --output text --query CiphertextBlob --region us-east-2 > twtechkmsKeyEncrypted.base64

# Decode the base64 ciphertext to get the original binary blob

cat twtechkmsKeyEncrypted.base64 | base64 --decode > twtechkmskey.decode

# Decrypt the binary blob to get the original kmskey (password): twtechkmskeyabc@123
# (Plaintext is returned base64-encoded, so decode it once more to read it)

aws kms decrypt --ciphertext-blob fileb://twtechkmskey.decode --output text \
  --query Plaintext --region us-east-2 > twtechkmskeydecrypted.base64

# Generate a Data Encryption Key (DEK): used for envelope encryption

aws kms generate-data-key --key-id alias/twtechkmskey --key-spec AES_256

# Re-encrypt data (between MRKs or regions)

aws kms re-encrypt \
  --ciphertext-blob fileb://data.encrypted \
  --destination-key-id arn:aws:kms:us-west-1:accountID:key/twtechmrk-1234abcd \
  --destination-encryption-context '{"Purpose":"Migration"}'

 4. Key Policy and Permissions

# Get key policy

aws kms get-key-policy --key-id alias/twtechkmskey --policy-name default

# Put (set) key policy

aws kms put-key-policy --key-id alias/twtechkmskey \
--policy-name default --policy file://twtech-key-policy.json

# Enable or disable a key

aws kms enable-key --key-id alias/twtechkmskey
aws kms disable-key --key-id alias/twtechkmskey

 5. Key Rotation and Deletion

# Enable automatic key rotation

aws kms enable-key-rotation --key-id alias/twtechkmskey

# Check rotation status

aws kms get-key-rotation-status --key-id alias/twtechkmskey

# Schedule key deletion

aws kms schedule-key-deletion --key-id alias/twtechkmskey --pending-window-in-days 30

# Cancel key deletion

aws kms cancel-key-deletion --key-id alias/twtechkmskey

6. Multi-Region Key (MRK)-Specific Commands Summary

Purpose                     | Command
Create primary MRK          | aws kms create-key --multi-region
Replicate key               | aws kms replicate-key --key-id <primary-arn> --replica-region <region>
Update primary region       | aws kms update-primary-region --key-id <primary-arn> --primary-region <region-of-replica-to-promote>
Describe replication status | aws kms describe-key --key-id <mrk-id>
Delete replica              | aws kms schedule-key-deletion --key-id <replica-id> --region <replica-region>

 7. Advanced Key Operations

# Sign and verify (for asymmetric keys)

aws kms sign \
  --key-id alias/twtech-asymmetric-key \
  --message fileb://message.txt \
  --message-type RAW \
  --signing-algorithm RSASSA_PSS_SHA_256 \
  --output text \
  --query Signature | base64 --decode > signature.bin
aws kms verify \
  --key-id alias/twtech-asymmetric-key \
  --message fileb://message.txt \
  --message-type RAW \
  --signature fileb://signature.bin \
  --signing-algorithm RSASSA_PSS_SHA_256

# Generate random bytes

aws kms generate-random --number-of-bytes 32

 8. Useful JSON Output Samples

# Describe Multi-Region Key Output Example

{
  "KeyMetadata": {
    "AWSAccountId": "accountID",
    "KeyId": "twtechmrk-1234abcd",
    "Arn": "arn:aws:kms:us-east-2:accountID:key/twtechmrk-1234abcd",
    "MultiRegion": true,
    "MultiRegionConfiguration": {
      "MultiRegionKeyType": "PRIMARY",
      "PrimaryKey": {
        "Arn": "arn:aws:kms:us-east-2:accountID:key/twtechmrk-1234abcd"
      },
      "ReplicaKeys": [
        {
          "Arn": "arn:aws:kms:us-west-1:accountID:key/twtechmrk-1234abcd"
        }
      ]
    }
  }
}

Insights: twtech ready-to-run CLI script that automates the:

    • Creation of KMS Multi-Region Key (MRK),
    • Replicate key,
    • Test cross-region encryption/decryption (for lab purposes)

A ready-to-run AWS CLI demo script that fully automates creating a KMS Multi-Region Key (MRK), replicating it to another region, and testing cross-region encryption and decryption.

NB:

  • It is designed for twtech's testing lab, dev environment or other learning purposes.
  • This script is unsafe to run in a production AWS account.

 Script Overview (What it does):

    1. Creates a Multi-Region KMS key in a source region.
    2. Replicates it to a destination region.
    3. Encrypts plaintext data in the source region.
    4. Decrypts it successfully in the destination region (proving MRK interoperability).
    5. Cleans up by scheduling key deletions.

 Requirements

    • AWS CLI v2 installed and configured
    • Permissions for:
      • kms:CreateKey, kms:ReplicateKey, kms:Encrypt, kms:Decrypt, kms:ScheduleKeyDeletion
    • jq (for JSON parsing)
    • base64 (for encoding/decoding)

 # Save this as kms-mrk-test.sh & run:

#!/bin/bash
set -e

# ========================================
# Configuration
# ========================================
SOURCE_REGION="us-east-2"
DEST_REGION="us-west-1"
PLAINTEXT="Hello from twtech Multi-Region KMS Team"
KEY_DESCRIPTION="twtech Multi-Region Key for Cross-Region Encryption"

echo "----------------------------------------"
echo " Starting KMS Multi-Region Key Demo"
echo "----------------------------------------"
echo "Source Region: $SOURCE_REGION"
echo "Destination Region: $DEST_REGION"
echo

# ========================================
# Step 1: Create Primary Multi-Region Key
# ========================================
echo " Creating twtech Multi-Region primary key in $SOURCE_REGION..."
PRIMARY_KEY_ARN=$(aws kms create-key \
  --region "$SOURCE_REGION" \
  --multi-region \
  --description "$KEY_DESCRIPTION" \
  --query 'KeyMetadata.Arn' \
  --output text)
echo "Primary Key ARN: $PRIMARY_KEY_ARN"
echo

# ========================================
# Step 2: Replicate the Key to another region
# ========================================
echo " Replicating key to $DEST_REGION..."
REPLICA_KEY_ARN=$(aws kms replicate-key \
  --region "$SOURCE_REGION" \
  --key-id "$PRIMARY_KEY_ARN" \
  --replica-region "$DEST_REGION" \
  --query 'ReplicaKeyMetadata.Arn' \
  --output text)
echo " Replica Key ARN: $REPLICA_KEY_ARN"
echo

# Wait for replication to complete: the replica starts in the "Creating" state
# and cannot be used until its KeyState is "Enabled".
echo " Waiting for replication to complete..."
until [ "$(aws kms describe-key --region "$DEST_REGION" --key-id "$REPLICA_KEY_ARN" \
  --query 'KeyMetadata.KeyState' --output text)" = "Enabled" ]; do
  sleep 5
done

# ========================================
# Step 3: Encrypt data in the source region
# ========================================
# --plaintext is a binary parameter, so pass it as a file (fileb://); AWS CLI v2
# would otherwise expect the string to be base64-encoded.
echo " Encrypting data in $SOURCE_REGION..."
printf '%s' "$PLAINTEXT" > plaintext.txt
ENCRYPTED_BLOB=$(aws kms encrypt \
  --region "$SOURCE_REGION" \
  --key-id "$PRIMARY_KEY_ARN" \
  --plaintext fileb://plaintext.txt \
  --query CiphertextBlob \
  --output text)
echo " Encrypted Ciphertext (base64):"
echo "$ENCRYPTED_BLOB"
echo

# Save ciphertext to file for demo (base64 text plus the decoded binary blob)
echo "$ENCRYPTED_BLOB" > ciphertext.b64
base64 --decode ciphertext.b64 > ciphertext.bin

# ========================================
# Step 4: Decrypt data in destination region
# ========================================
# Only the Region changes: the replica shares the primary's key ID and key material.
echo " Decrypting ciphertext in $DEST_REGION..."
DECRYPTED_TEXT=$(aws kms decrypt \
  --region "$DEST_REGION" \
  --ciphertext-blob fileb://ciphertext.bin \
  --query Plaintext \
  --output text | base64 --decode)
echo
echo "Decrypted Text: $DECRYPTED_TEXT"
echo

# ========================================
# Step 5: Verification
# ========================================
if [ "$DECRYPTED_TEXT" = "$PLAINTEXT" ]; then
  echo " SUCCESS: Decrypted text matches original "
else
  echo " ERROR: Decrypted text does NOT match original "
fi
echo

# ========================================
# Step 6: Cleanup (optional)
# ========================================
echo " Scheduling key deletions (30 days)..."
aws kms schedule-key-deletion --region "$SOURCE_REGION" --key-id "$PRIMARY_KEY_ARN" --pending-window-in-days 30 >/dev/null
aws kms schedule-key-deletion --region "$DEST_REGION" --key-id "$REPLICA_KEY_ARN" --pending-window-in-days 30 >/dev/null
echo " Keys scheduled for deletion in 30 days."
echo

echo "----------------------------------------"
echo " twtech KMS Multi-Region Key Demo Completed"
echo "----------------------------------------"

 NB:

# What twtech would see: sample output.

Starting KMS Multi-Region Key Demo
Source Region: us-east-2
Destination Region: us-west-1
Creating twtech Multi-Region primary key in us-east-2...
Primary Key ARN: arn:aws:kms:us-east-2:accountID:key/twtechmrk-1a2b3c4d
Replicating key to us-west-1...
Replica Key ARN: arn:aws:kms:us-west-1:accountID:key/twtechmrk-1a2b3c4d
Waiting for replication to complete...
Encrypting data in us-east-2...
Encrypted Ciphertext (base64):
AQICAHj6Hf7...
Decrypting ciphertext in us-west-1...
Decrypted Text: Hello from twtech Multi-Region KMS Team
SUCCESS: Decrypted text matches original
Keys scheduled for deletion in 30 days.
twtech KMS Multi-Region Key Demo Completed

 Key Concepts & Description

Step | Concept                   | Description
1    | Multi-Region Key Creation | Creates a KMS MRK primary key.
2    | Key Replication           | Securely copies key material across AWS Regions.
3    | Regional Encryption       | Data is encrypted locally in the source Region.
4    | Cross-Region Decryption   | The replica key in the destination Region decrypts the same ciphertext.
5    | Validation                | Ensures MRKs are cryptographically identical.
6    | Cleanup                   | Schedules deletion to avoid orphaned keys.

NB:

    • Do NOT use this script in production. MRKs can incur KMS costs.
    • twtech can reduce deletion wait time (minimum 7 days) by changing:
      •  --pending-window-in-days 7
    • This script works for any pair of supported Regions (except GovCloud and China).
    • MRKs cannot use imported key material or custom key stores (HSM, Hardware Security Module).

Step-by-step Hands-On: CLI

    • Create keys (passwords), 
    • Encrypt, 
    • Decode, 
    • Decrypt them with VS code for resources in its environment.

Step 1:

Create a file named: twtechkmskey.txt

Step 2:

Add a key (password) to the file and save it: twtechkmskey

Step 3:

The AWS CLI must be configured on the terminal to make API calls to AWS resources.

Step 4:

# Copy/paste the encryption command into the configured terminal and run:

  aws kms encrypt --key-id alias/twtechkmskey --plaintext fileb://twtechkmskey.txt --output text --query CiphertextBlob --region us-east-2 > twtechkmsKeyEncrypted.base64

NB:

  • This should successfully encrypt the kmskey and write the ciphertext to a text file in base64.

Step 5:

  • twtech needs to decode the encrypted file to get the binary.

cat twtechkmsKeyEncrypted.base64 | base64 --decode > twtechkmskey.decode

NB:

  • When twtech tries to open the binary file, the text editor does not display it, because it is either binary or uses an unsupported text encoding.


Step 6:

  • twtech needs to decrypt the binary file to get the original kmskey (password): twtechkmskey

aws kms decrypt --ciphertext-blob fileb://twtechkmskey.decode --output text --query Plaintext --region us-east-2 > twtechkmskeydecrypted.base64


Step 7:

  • Finally, twtech needs to base64-decode the decrypted file to get it in readable text format.
  • The output should look exactly like the key created originally in the .txt file.

cat twtechkmskeydecrypted.base64 |  base64 --decode > twtechkmskeydecrypted.txt

 


