A deep dive into AWS KMS Multi-Region Keys (MRKs).
Focus:
- The Concept: Multi-Region Keys (MRKs),
- Multi-Region Key Architecture,
- How Replication Works,
- Cryptographic Behavior,
- Integration Scenarios,
- IAM, Policies, and Access Control,
- CloudTrail and Auditing,
- Security Model,
- Commands and API Summary,
- Limitations,
- Diagram Summary,
- Best Practices.
1. The Concept: Multi-Region Keys (MRKs)
- Multi-Region Keys are a special class of AWS KMS customer managed keys that can exist in multiple AWS Regions.
- Multi-Region Keys are designed to support cross-region encryption and decryption without moving the plaintext key material.
Each copy of a multi-region key in each Region is cryptographically equivalent, meaning:
- The key ID and key material are the same.
- twtech can encrypt data in one Region and decrypt it in another.
- AWS KMS ensures strong cryptographic consistency.
2. Multi-Region Key Architecture
| Concept | Description |
|---|---|
| Primary Key | The "source" key created first. Controls replication and metadata propagation. |
| Replica Key | A read-only copy in another AWS Region. Used for cryptographic operations (Encrypt/Decrypt/Sign/Verify), but cannot create more replicas. |
| Key Material | Synchronized across Regions automatically by KMS (no user access). |
| Key ARN Format | Each Region has a unique ARN, but all share the same key ID (e.g., 1234abcd-12ab-34cd-56ef-1234567890ab). |
Example:
# twtech creates a primary key in us-east-2:
arn:aws:kms:us-east-2:accountID:key/1234abcd-12ab-34cd-56ef-1234567890ab
# Then twtech replicates the primary key to us-west-1:
arn:aws:kms:us-west-1:accountID:key/1234abcd-12ab-34cd-56ef-1234567890ab
NB:
- Both keys share the same key ID and key material, but have different ARNs and Regional metadata.
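As an added example (not part of the original post), here is a small Python helper that parses KMS key ARNs in the format shown above and checks whether two ARNs are Regional copies of one multi-Region key. The partition check and the mrk- prefix test are my additions, based on how KMS names partitions and multi-Region key IDs; the sample ARNs in the comments are the page's own placeholders.

```python
import re
from dataclasses import dataclass

# KMS key ARN layout: arn:<partition>:kms:<region>:<account>:key/<key-id>
# (constructed regex matching the ARN format shown on this page)
KMS_KEY_ARN = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z-]+)?):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>[^:]+):key/(?P<key_id>[A-Za-z0-9-]+)$"
)


@dataclass(frozen=True)
class KmsKeyArn:
    partition: str
    region: str
    account: str
    key_id: str

    @property
    def is_multi_region_id(self) -> bool:
        # Real multi-Region key IDs begin with "mrk-"; single-Region key IDs are plain UUIDs.
        return self.key_id.startswith("mrk-")


def parse_kms_key_arn(arn: str) -> KmsKeyArn:
    """Split a KMS key ARN into its parts, rejecting anything that is not a key ARN."""
    m = KMS_KEY_ARN.match(arn.strip())
    if not m:
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return KmsKeyArn(**m.groupdict())


def same_multi_region_key(arn_a: str, arn_b: str) -> bool:
    """True when the two ARNs can be copies (primary/replica) of one MRK:
    same partition, same account, same key ID, different Regions.
    e.g. arn:aws:kms:us-east-2:accountID:key/1234abcd-... and
         arn:aws:kms:us-west-1:accountID:key/1234abcd-..."""
    a, b = parse_kms_key_arn(arn_a), parse_kms_key_arn(arn_b)
    if a.partition != b.partition:
        return False  # replicas never cross a partition boundary (aws vs aws-us-gov, aws-cn)
    if a.account != b.account or a.key_id != b.key_id:
        return False
    return a.region != b.region


def replica_arn(primary_arn: str, replica_region: str) -> str:
    """Predict the ARN a replica in replica_region will have: only the Region changes."""
    p = parse_kms_key_arn(primary_arn)
    return f"arn:{p.partition}:kms:{replica_region}:{p.account}:key/{p.key_id}"
```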
3. How Replication Works
Lifecycle Operations
| Operation | Primary | Replica |
|---|---|---|
| Create Key | ✅ | Created via replicate-key |
| Replicate Key | ✅ | ❌ |
| Schedule Deletion | ✅ | Must be initiated separately per Region |
| Enable/Disable | ✅ | Propagates automatically |
| Policy Updates | ✅ | Propagates automatically |
| Grants | ❌ | Must be created separately in each Region |
4. Cryptographic Behavior
- Same key material → identical cryptographic output.
- Independent CMKs at the AWS service level (each Region enforces isolation).
- Supported algorithms:
  - Symmetric keys (AES-256)
  - Asymmetric keys (RSA, ECC)
  - HMAC (Hash-based Message Authentication Code) keys
- FIPS 140-2 validated in all supported Regions. (FIPS 140-2 is the government standard that sets the security requirements for cryptographic modules used to protect sensitive but unclassified (SBU) data.)
Example:
# twtech encrypts with the replica key in us-west-1:
aws kms encrypt --region us-west-1 --key-id arn:aws:kms:us-west-1:accountID:key/1234abcd... --plaintext fileb://data.txt
# twtech can decrypt in us-east-2, where the primary copy lives:
aws kms decrypt --region us-east-2 --key-id arn:aws:kms:us-east-2:accountID:key/1234abcd... --ciphertext-blob fileb://cipher.bin
NB:
- This works seamlessly; there is no need to transfer key material.
5. Integration Scenarios
a. Multi-Region Applications
- Encrypt data in the nearest Region for latency.
- Decrypt in another Region for global availability.
- Typical use cases:
  - Cross-region data replication (e.g., S3 CRR, Cross-Region Replication)
  - Multi-region DynamoDB tables
  - Multi-Region RDS disaster recovery
b. S3 Cross-Region Replication (CRR)
- Use the same MRK (through its Regional copy's ARN) in both buckets' Regions.
- Avoids the need for two different CMKs.
c. Disaster Recovery
- If a Region goes down, the replica key can still decrypt data.
- Enables Regional failover without key export.
6. IAM, Policies, and Access Control
- Key policies replicate automatically from primary → replicas.
- Grants and aliases are regional (must be recreated in each Region).
- CloudTrail logs key operations per Region (independent).
7. CloudTrail and Auditing
- Each KMS API call (Encrypt, Decrypt, ReplicateKey, etc.) generates a region-specific CloudTrail event.
- twtech can correlate key usage across Regions via the shared keyId.
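An added example (not part of the original post) of the cross-Region correlation described above: Python that joins per-Region CloudTrail records on the key ID every copy of an MRK shares, and lists records that use the key from a Region that should not hold a copy. The key ID, account ID and records are constructed sample data, trimmed to the fields the code reads.

```python
from collections import defaultdict

# Constructed sample CloudTrail records (not real logs): the page's Encrypt-in-one-Region,
# Decrypt-in-another pattern against one multi-Region key, plus an unrelated single-Region key.
MRK_ID = "mrk-1234abcd12ab34cd56ef1234567890ab"   # constructed multi-Region key ID
ACCOUNT = "111122223333"                          # constructed account ID


def _event(name, region, key_id, when):
    """Build one minimal KMS CloudTrail record (constructed; real records carry many more fields)."""
    return {"eventTime": when, "eventSource": "kms.amazonaws.com", "eventName": name,
            "awsRegion": region,
            "resources": [{"ARN": f"arn:aws:kms:{region}:{ACCOUNT}:key/{key_id}"}]}


SAMPLE_EVENTS = [
    _event("ReplicateKey", "us-east-2", MRK_ID, "2025-10-01T09:58:00Z"),
    _event("Encrypt", "us-east-2", MRK_ID, "2025-10-01T10:00:00Z"),
    _event("Decrypt", "us-west-1", MRK_ID, "2025-10-01T10:00:05Z"),
    _event("Decrypt", "eu-west-1", MRK_ID, "2025-10-01T10:02:00Z"),
    _event("Encrypt", "us-east-2", "1234abcd-12ab-34cd-56ef-1234567890ab", "2025-10-01T10:03:00Z"),
]


def key_ids_in(event):
    """Key IDs referenced by a KMS CloudTrail record (resources[].ARN ends in key/<id>)."""
    if event.get("eventSource") != "kms.amazonaws.com":
        return []
    return [r["ARN"].rsplit("key/", 1)[1]
            for r in event.get("resources", []) if ":key/" in r.get("ARN", "")]


def correlate_key_usage(events):
    """{key_id: {region: {eventName: count}}}: per-Region records joined on the
    key ID that every copy of a multi-Region key shares."""
    usage = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for ev in events:
        for key_id in key_ids_in(ev):
            usage[key_id][ev["awsRegion"]][ev["eventName"]] += 1
    return {k: {r: dict(c) for r, c in regions.items()} for k, regions in usage.items()}


def regions_using_key(events, key_id):
    """Sorted list of Regions in which key_id was used or administered."""
    return sorted(correlate_key_usage(events).get(key_id, {}))


def unexpected_region_events(events, key_id, expected_regions):
    """Records that use key_id from a Region outside the set twtech intended to hold a copy.
    A replica can only exist where someone called ReplicateKey, so each hit deserves review."""
    return [ev for ev in events
            if key_id in key_ids_in(ev) and ev["awsRegion"] not in expected_regions]
```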
8. Security Model
- AWS KMS never exports key material, even for replication.
- Uses AWS’s internal secure multi-region channel for replication.
- All key material is held within FIPS-validated HSMs (Hardware Security Modules) in each Region.
Security benefits:
- Regional isolation of KMS APIs
- Global consistency of key material
- No cross-region plaintext movement
9. Commands and API Summary
# Create primary key
aws kms create-key --multi-region
# Replicate to another Region
aws kms replicate-key \
  --key-id <primary-key-id> \
  --replica-region us-west-2
# Describe key
aws kms describe-key --key-id <key-id>
# List replicas (reported in the MultiRegionConfiguration of describe-key)
aws kms describe-key --key-id <primary-key-id> --query 'KeyMetadata.MultiRegionConfiguration.ReplicaKeys'
# Update primary policy (replicates automatically)
aws kms put-key-policy --key-id <primary-key-id> --policy-name default --policy file://policy.json
10. Limitations
| Limitation | Description |
|---|---|
| Max replicas | One per Region |
| Regional restrictions | Not supported in AWS GovCloud (as of Oct 2025) |
| Automatic grants | Not propagated |
| Deletion | Must delete each key copy manually |
| Rotation | Supported, but rotation occurs only in the primary (replicated automatically) |
11. Diagram Summary
[Figure: Data Flow Visualization (simplified)]
NB:
Encrypt in one Region → Decrypt in another ✅
12. Best Practices
- Use MRKs for multi-region apps or DR (Disaster Recovery) setups.
- Always manage policies via the primary key.
- Keep aliases consistent across Regions.
- Track CloudTrail logs regionally.
- Avoid using MRKs if twtech data never leaves a Region (extra complexity).
Project: Hands-On
How twtech creates, encrypts, replicates, and decrypts (manages) KMS keys across its multi-environments (Regions)
Search for the AWS service: Key Management Service.
AWS managed keys: Overview
Sample AWS key policy for aws/s3 (Aws-sample-Key-policy.json):
{
  "Version": "2012-10-17",
  "Id": "auto-s3-2",
  "Statement": [
    {
      "Sid": "Allow access through S3 for all principals in the account that are authorized to use S3",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-2.amazonaws.com",
          "kms:CallerAccount": "98xxxxxxxxxxxx"
        }
      }
    },
    {
      "Sid": "Allow direct access to key metadata to the account",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::98xxxxxxxxxxxx:root"
      },
      "Action": [
        "kms:Describe*",
        "kms:Get*",
        "kms:List*"
      ],
      "Resource": "*"
    }
  ]
}
Customer managed keys (Overview): CMK
Custom key stores (Overview): AWS CloudHSM key stores
NB:
twtech doesn't have any custom key stores in its account. twtech can store its KMS keys in a custom key store instead of the standard KMS key store.
- Custom key stores are created using an AWS CloudHSM cluster that twtech owns and manages.
- Custom key stores provide direct control of the hardware security modules (HSMs) that generate the key material for twtech KMS keys and perform cryptographic operations with them.
- https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
- To get started with custom key stores, twtech first needs to create an AWS CloudHSM cluster.
Custom key stores (Overview): External key stores
Create customer managed keys: twtechKMSKeys
Create customer managed keys (managed by twtech): twtechKMSKeys
Add labels: twtechKMSKeys
Define key administrative permissions - optional
Key administrators (13)
- Select the IAM users and roles authorized to manage this key via the KMS API.
- These administrators will be added to the key policy under the statement identifier (Sid) 'Allow administration of the key'.
- Modifying this Sid might impact the console's ability to update the administrator statement in the key policy.
Define key usage permissions - optional
Key users (13)
- Select the IAM users and roles authorized to use this key in cryptographic operations.
- These users will be added to the key policy under the statement identifiers (Sid, twtechKMSKey) 'Allow use of the key' and 'Allow attachment of persistent resources'.
- Modifying these Sids might impact the console's ability to update the user statements in the key policy.
Edit key policy - optional
Key policy:
- Review the key policy statements for this key.
- To manually update this policy, select Edit.
- Modifying the statement identifiers (Sid) assigned in the previous steps might affect how the console displays updates to that statement.
{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::98xxxxxxxx:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
Review
Select the key and click Open to access Key Details:
Cryptographic configuration:
Key material and rotation:
How twtech enables automatic KMS key rotation:
Edit
From:
To: customize the duration of the rotation period. Period between 90 and 2560 days.
Next rotation date for key:
Key alias (name): twtechKMSkeys
How twtech enables, disables, or schedules key deletion:
How twtech uses the CLI to encrypt and decrypt data within its environment: CLI (can also use CloudShell)
AWS KMS CLI commands:
Here's twtech's comprehensive list of AWS KMS CLI commands, grouped by category, including those specific to Multi-Region Keys (MRKs) and general key management operations.
1. Key Creation and Management
# Create a new KMS key
aws kms create-key --description "twtech encryption key"
# Create a Multi-Region Key (MRK)
aws kms create-key --multi-region --description "twtech Multi-Region Key"
# Replicate a Multi-Region Key
aws kms replicate-key \
  --key-id arn:aws:kms:us-east-1:accountID:key/twtechmrk-1234abcd \
  --replica-region us-west-1
# Update the primary Region for a Multi-Region Key (promote a replica to be the new primary)
aws kms update-primary-region \
  --key-id arn:aws:kms:us-east-2:accountID:key/twtechmrk-1234abcd \
  --primary-region eu-west-1
2. Key Description and Listing
# List all KMS keys
aws kms list-keys
# Describe a specific key
aws kms describe-key --key-id arn:aws:kms:us-east-2:accountID:key/twtechmrk-1234abcd
# List key aliases
aws kms list-aliases
# Create an alias (use update-alias to repoint an existing one)
aws kms create-alias --alias-name alias/twtechDevkey --target-key-id <twtechkey-id>
3. Encryption and Decryption
# Encrypt a plaintext file; the CiphertextBlob is written to a file as base64 text
aws kms encrypt --key-id alias/twtechkmskey --plaintext fileb://twtechkmskey.txt \
  --output text --query CiphertextBlob --region us-east-2 > twtechkmskeyEncrypted.base64
# Decode the base64 text file to get the original binary ciphertext
cat twtechkmskeyEncrypted.base64 | base64 --decode > twtechkmskey.decode
# Decrypt the binary file to get the original kmskey (password): twtechkmskeyabc@123
# (the Plaintext field is itself base64, so decode it once more to read it)
aws kms decrypt --ciphertext-blob fileb://twtechkmskey.decode \
  --output text --query Plaintext --region us-east-2 > twtechkmskeydecrypted.base64
cat twtechkmskeydecrypted.base64 | base64 --decode > twtechkmskeydecrypted.txt
# Generate a Data Encryption Key (DEK), used for envelope encryption
aws kms generate-data-key --key-id alias/twtechkmskey --key-spec AES_256
# Re-encrypt data (between MRKs or Regions)
aws kms re-encrypt \
  --ciphertext-blob fileb://data.encrypted \
  --destination-key-id arn:aws:kms:us-west-1:accountID:key/twtechmrk-1234abcd \
  --destination-encryption-context '{"Purpose":"Migration"}'
4. Key Policy and Permissions
# Administrative calls take a key ID or key ARN, not an alias
# Get key policy
aws kms get-key-policy --key-id <twtechkey-id> --policy-name default
# Put (set) key policy
aws kms put-key-policy --key-id <twtechkey-id> --policy-name default --policy file://twtech-key-policy.json
# Enable or disable a key
aws kms enable-key --key-id <twtechkey-id>
aws kms disable-key --key-id <twtechkey-id>
5. Key Rotation and Deletion
# Enable automatic key rotation
aws kms enable-key-rotation --key-id <twtechkey-id>
# Check rotation status
aws kms get-key-rotation-status --key-id <twtechkey-id>
# Schedule key deletion
aws kms schedule-key-deletion --key-id <twtechkey-id> --pending-window-in-days 30
# Cancel key deletion
aws kms cancel-key-deletion --key-id <twtechkey-id>
6. Multi-Region Key (MRK)-Specific Commands Summary
| Purpose | Command |
|---|---|
| Create primary MRK | aws kms create-key --multi-region |
| Replicate key | aws kms replicate-key --key-id <primary-key-id> --replica-region <region> |
| Update primary region | aws kms update-primary-region --key-id <key-id> --primary-region <region> |
| Describe replication status | aws kms describe-key --key-id <key-id> (see MultiRegionConfiguration in the output) |
| Delete replica | aws kms schedule-key-deletion --region <replica-region> --key-id <replica-key-id> --pending-window-in-days 30 |
7. Advanced Key Operations
# Sign and verify (for asymmetric keys)
aws kms sign \
  --key-id alias/twtech-asymmetric-key \
  --message fileb://message.txt \
  --message-type RAW \
  --signing-algorithm RSASSA_PSS_SHA_256 \
  --output text \
  --query Signature | base64 --decode > signature.bin
aws kms verify \
  --key-id alias/twtech-asymmetric-key \
  --message fileb://message.txt \
  --message-type RAW \
  --signature fileb://signature.bin \
  --signing-algorithm RSASSA_PSS_SHA_256
# Generate random bytes
aws kms generate-random --number-of-bytes 32
8. Useful JSON Output Examples
# Describe Multi-Region Key output example (primary and replica share the key ID)
{
  "KeyMetadata": {
    "AWSAccountId": "accountID",
    "KeyId": "twtechmrk-1234abcd",
    "Arn": "arn:aws:kms:us-east-2:accountID:key/twtechmrk-1234abcd",
    "MultiRegion": true,
    "MultiRegionConfiguration": {
      "MultiRegionKeyType": "PRIMARY",
      "PrimaryKey": {
        "Arn": "arn:aws:kms:us-east-2:accountID:key/twtechmrk-1234abcd"
      },
      "ReplicaKeys": [
        {
          "Arn": "arn:aws:kms:us-west-1:accountID:key/twtechmrk-1234abcd"
        }
      ]
    }
  }
}
Insights:
twtech ready-to-run CLI script that automates the:
- Creation of a KMS Multi-Region Key (MRK),
- Replication of the key,
- Test of cross-region encryption/decryption (for lab purposes)
A ready-to-run AWS CLI demo script that fully automates creating a KMS Multi-Region Key (MRK), replicating it to another Region, and testing cross-region encryption and decryption.
NB:
It's designed for the twtech lab or any learning purpose; it's unsafe to run in a production AWS account.
Script Overview
What it does:
- Creates a Multi-Region KMS key in a source Region.
- Replicates it to a destination Region.
- Encrypts plaintext data in the source Region.
- Decrypts it successfully in the destination Region (proving MRK interoperability).
- Cleans up by scheduling key deletions.
Requirements
- AWS CLI v2 installed and configured
- Permissions for:
  - kms:CreateKey, kms:ReplicateKey, kms:DescribeKey, kms:Encrypt, kms:Decrypt, kms:ScheduleKeyDeletion
- jq (for JSON parsing)
- base64 (for encoding/decoding)
# The Script:
Save this as kms-mrk-demo.sh and run:
#!/bin/bash
set -e
# ========================================
# Configuration
# ========================================
SOURCE_REGION="us-east-2"
DEST_REGION="us-west-1"
PLAINTEXT="Hello from twtech Multi-Region KMS Team"
KEY_DESCRIPTION="twtech Multi-Region Key for Cross-Region Encryption"
echo "----------------------------------------"
echo " Starting KMS Multi-Region Key Demo"
echo "----------------------------------------"
echo "Source Region: $SOURCE_REGION"
echo "Destination Region: $DEST_REGION"
echo
# ========================================
# Step 1: Create Primary Multi-Region Key
# ========================================
echo " Creating twtech Multi-Region primary key in $SOURCE_REGION..."
PRIMARY_KEY_ARN=$(aws kms create-key \
  --region "$SOURCE_REGION" \
  --multi-region \
  --description "$KEY_DESCRIPTION" \
  --query 'KeyMetadata.Arn' \
  --output text)
echo "Primary Key ARN: $PRIMARY_KEY_ARN"
echo
# ========================================
# Step 2: Replicate the Key to another Region
# ========================================
echo " Replicating key to $DEST_REGION..."
REPLICA_KEY_ARN=$(aws kms replicate-key \
  --region "$SOURCE_REGION" \
  --key-id "$PRIMARY_KEY_ARN" \
  --replica-region "$DEST_REGION" \
  --query 'ReplicaKeyMetadata.Arn' \
  --output text)
echo " Replica Key ARN: $REPLICA_KEY_ARN"
echo
# Wait for replication to complete: the replica starts in the "Creating" key state
# and can only be used for cryptographic operations once it reaches "Enabled"
echo " Waiting for replication to complete..."
until [ "$(aws kms describe-key --region "$DEST_REGION" --key-id "$REPLICA_KEY_ARN" \
  --query 'KeyMetadata.KeyState' --output text)" = "Enabled" ]; do
  sleep 5
done
# ========================================
# Step 3: Encrypt data in the source Region
# ========================================
echo " Encrypting data in $SOURCE_REGION..."
# AWS CLI v2 expects blob parameters as base64; --cli-binary-format raw-in-base64-out
# lets it take the raw string as the plaintext
ENCRYPTED_BLOB=$(aws kms encrypt \
  --region "$SOURCE_REGION" \
  --key-id "$PRIMARY_KEY_ARN" \
  --cli-binary-format raw-in-base64-out \
  --plaintext "$PLAINTEXT" \
  --query CiphertextBlob \
  --output text)
echo " Encrypted Ciphertext (base64):"
echo "$ENCRYPTED_BLOB"
echo
# Save ciphertext to file for the demo, and decode it to the binary form decrypt expects
echo "$ENCRYPTED_BLOB" > ciphertext.b64
base64 --decode ciphertext.b64 > ciphertext.bin
# ========================================
# Step 4: Decrypt data in the destination Region
# ========================================
echo " Decrypting ciphertext in $DEST_REGION..."
# No --key-id is needed: the ciphertext carries the key ID, which the replica shares
DECRYPTED_TEXT=$(aws kms decrypt \
  --region "$DEST_REGION" \
  --ciphertext-blob fileb://ciphertext.bin \
  --query Plaintext \
  --output text | base64 --decode)
echo
echo "Decrypted Text: $DECRYPTED_TEXT"
echo
# ========================================
# Step 5: Verification
# ========================================
if [ "$DECRYPTED_TEXT" == "$PLAINTEXT" ]; then
  echo " SUCCESS: Decrypted text matches original"
else
  echo " ERROR: Decrypted text does NOT match original"
fi
echo
# ========================================
# Step 6: Cleanup (optional)
# ========================================
echo " Scheduling key deletions (30 days)..."
aws kms schedule-key-deletion --region "$SOURCE_REGION" --key-id "$PRIMARY_KEY_ARN" --pending-window-in-days 30 >/dev/null
aws kms schedule-key-deletion --region "$DEST_REGION" --key-id "$REPLICA_KEY_ARN" --pending-window-in-days 30 >/dev/null
echo " Keys scheduled for deletion in 30 days."
echo
echo "----------------------------------------"
echo " twtech KMS Multi-Region Key Demo Completed"
echo "----------------------------------------"
NB:
# What twtech would see: sample output.
----------------------------------------
 Starting KMS Multi-Region Key Demo
----------------------------------------
Source Region: us-east-2
Destination Region: us-west-1
 Creating twtech Multi-Region primary key in us-east-2...
Primary Key ARN: arn:aws:kms:us-east-2:accountID:key/twtechmrk-1a2b3c4d
 Replicating key to us-west-1...
 Replica Key ARN: arn:aws:kms:us-west-1:accountID:key/twtechmrk-1a2b3c4d
 Waiting for replication to complete...
 Encrypting data in us-east-2...
 Encrypted Ciphertext (base64):
AQICAHj6Hf7...
 Decrypting ciphertext in us-west-1...
Decrypted Text: Hello from twtech Multi-Region KMS Team
 SUCCESS: Decrypted text matches original
 Scheduling key deletions (30 days)...
 Keys scheduled for deletion in 30 days.
----------------------------------------
 twtech KMS Multi-Region Key Demo Completed
----------------------------------------
Key Concepts
| Step | Concept | Description |
|---|---|---|
| 1 | Multi-Region Key Creation | Creates a KMS MRK primary key. |
| 2 | Key Replication | Securely copies key material across AWS Regions. |
| 3 | Regional Encryption | Data encrypted locally in the source Region. |
| 4 | Cross-Region Decryption | Replica key in the destination Region decrypts the same ciphertext. |
| 5 | Validation | Ensures MRKs are cryptographically identical. |
| 6 | Cleanup | Schedules deletion to avoid orphaned keys. |
NB:
- Do NOT use this script in production. MRKs can incur KMS costs.
- twtech can reduce the deletion wait time (minimum 7 days) by changing the flag to:
  - --pending-window-in-days 7
- This script works for any pair of supported Regions (except GovCloud and China).
- MRKs cannot use imported key material or custom key stores (HSM, Hardware Security Module).
Step-by-step process twtech takes to:
- Create keys (passwords),
- Encrypt,
- Decode, and
- Decrypt them with VS Code for resources in its environment.
Step 1:
Create a file named: twtechkmskey.txt
Step 2:
Add a key (password) to the file and save: twtechkmskey
Step 3:
The AWS CLI must be configured on the terminal to make API calls to AWS resources.
Step 4:
# Copy/paste the encryption command into the configured terminal and run:
aws kms encrypt --key-id alias/twtechkmskey --plaintext fileb://twtechkmskey.txt --output text --query CiphertextBlob --region us-east-2 > twtechkmskeyEncrypted.base64
NB:
This should successfully encrypt the kmskey and write the ciphertext to a text file as base64.
Step 5:
twtech needs to decode the encrypted file to get the binary.
cat twtechkmskeyEncrypted.base64 | base64 --decode > twtechkmskey.decode
NB:
When twtech tries to access (open) the binary file: the file is not displayed in the text editor because it is either binary or uses an unsupported text encoding.
Step 6:
twtech needs to decrypt the binary file to get the original kmskey (password): twtechkmskey
aws kms decrypt --ciphertext-blob fileb://twtechkmskey.decode --output text --query Plaintext --region us-east-2 > twtechkmskeydecrypted.base64
Step 7:
Finally, twtech needs to decode the decrypted file from base64 to get the text in readable format.
NB:
The output should look exactly like the key created originally in the .txt file.
cat twtechkmskeydecrypted.base64 | base64 --decode > twtechkmskeydecrypted.txt