Before we get to the lab exercise, let's take some time to discuss the options for generating the AWS KMS CMK that will protect your Kubernetes secrets. AWS KMS gives you two alternatives for where the key material of your CMK is stored. Your security and compliance requirements may dictate which alternative is suitable for your workloads on Amazon EKS.
There is an AWS Online Tech Talk on Encrypting Secrets in Amazon EKS that dives deep into this topic.
For most users, the default AWS KMS key store, which is backed by FIPS 140-2 validated hardware security modules (HSMs) that AWS owns and operates, fulfills their security requirements.
However, you might consider creating a custom key store if your organization has any of the following requirements:
If any of these requirements apply to you, consider using AWS CloudHSM with AWS KMS to create a custom key store.
What level of FIPS 140-2 cryptographic validation does the AWS KMS HSM hold?
The AWS KMS HSMs are validated at FIPS 140-2 Level 2 overall, with Level 3 in several areas, including physical security. Validation certificates are periodically renewed, so check the current NIST CMVP listing if your compliance program depends on the exact level. You can read more about the topic in this blog post.
Keep in mind that a KMS custom key store is backed by an AWS CloudHSM cluster in your own account, and that KMS requires at least two active HSMs, in two different Availability Zones, before it will create keys in that key store. Each HSM is billed per hour, so two HSMs is the minimum footprint you pay for.
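As an added example (not code from the workshop), the script below checks the readiness of a CloudHSM cluster for use as a KMS custom key store. It parses the JSON that `aws cloudhsmv2 describe-clusters` returns and enforces the prerequisite just described: the cluster must be ACTIVE with at least two ACTIVE HSMs in two different Availability Zones. The sample cluster output, the cluster and HSM IDs, and the key store name `eks-secrets-cks` are constructed placeholders; the CLI commands it prints are the real `aws kms` and `aws eks` subcommands for the next steps, with their arguments left as placeholders.

```python
"""Readiness check for an AWS KMS custom key store backed by AWS CloudHSM.

Added example, not part of the original page. Works offline on a constructed
copy of `aws cloudhsmv2 describe-clusters` output. Cluster IDs, HSM IDs and the
key store name are placeholders.
"""
import json

# KMS will not create a key in a custom key store unless the cluster has at
# least two active HSMs in different Availability Zones.
MIN_ACTIVE_HSMS = 2
MIN_ZONES = 2

# Constructed sample: cluster "a" meets the requirement, cluster "b" does not.
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "Clusters": [
        {"ClusterId": "cluster-aaaaaaaaaaa", "State": "ACTIVE",
         "Hsms": [
             {"HsmId": "hsm-1111111111", "State": "ACTIVE", "AvailabilityZone": "us-east-1a"},
             {"HsmId": "hsm-2222222222", "State": "ACTIVE", "AvailabilityZone": "us-east-1b"},
         ]},
        {"ClusterId": "cluster-bbbbbbbbbbb", "State": "ACTIVE",
         "Hsms": [
             {"HsmId": "hsm-3333333333", "State": "ACTIVE", "AvailabilityZone": "us-east-1a"},
         ]},
    ]
})


def check_cluster(cluster):
    """Return a list of problems; an empty list means the cluster is ready."""
    problems = []
    if cluster.get("State") != "ACTIVE":
        problems.append(f"cluster state is {cluster.get('State')}, expected ACTIVE")
    active = [h for h in cluster.get("Hsms", []) if h.get("State") == "ACTIVE"]
    if len(active) < MIN_ACTIVE_HSMS:
        problems.append(f"{len(active)} active HSM(s), need at least {MIN_ACTIVE_HSMS}")
    zones = {h.get("AvailabilityZone") for h in active}
    if len(zones) < MIN_ZONES:
        problems.append(f"active HSMs span {len(zones)} Availability Zone(s), need {MIN_ZONES}")
    # Not checkable from describe-clusters: the cluster must also contain the
    # kmsuser crypto user, which must not be logged in when KMS connects.
    return problems


def ready_clusters(describe_clusters_json):
    """Map every ClusterId in the describe-clusters output to its problem list."""
    doc = json.loads(describe_clusters_json)
    return {c["ClusterId"]: check_cluster(c) for c in doc.get("Clusters", [])}


def next_steps(cluster_id, key_store_name="eks-secrets-cks"):
    """CLI commands to run once the cluster passes the check (placeholder args)."""
    return [
        "aws kms create-custom-key-store "
        f"--custom-key-store-name {key_store_name} "
        f"--cloud-hsm-cluster-id {cluster_id} "
        "--trust-anchor-certificate file://customerCA.crt "
        "--key-store-password <kmsuser-password>",
        "aws kms connect-custom-key-store --custom-key-store-id <CustomKeyStoreId>",
        "aws kms create-key --origin AWS_CLOUDHSM "
        "--custom-key-store-id <CustomKeyStoreId> --description 'EKS secrets'",
        "aws eks associate-encryption-config --cluster-name <eks-cluster> "
        "--encryption-config '[{\"resources\":[\"secrets\"],"
        "\"provider\":{\"keyArn\":\"<KeyArn>\"}}]'",
    ]


if __name__ == "__main__":
    for cluster_id, problems in ready_clusters(SAMPLE_DESCRIBE_CLUSTERS).items():
        if problems:
            print(f"{cluster_id}: NOT READY")
            for p in problems:
                print(f"  - {p}")
        else:
            print(f"{cluster_id}: ready, next steps:")
            for cmd in next_steps(cluster_id):
                print(f"  {cmd}")
```

Run it against real output with `aws cloudhsmv2 describe-clusters > clusters.json` and feed the file contents to `ready_clusters`. The check is deliberately the stricter key-creation requirement rather than the one for merely creating the key store, because a custom key store that cannot create keys is of no use for EKS secret encryption.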
Aside from compliance and security requirements, you may want to consider the cost of using custom key stores. Below you can find a cost comparison between default AWS KMS key store and AWS KMS custom key store for the N. Virginia AWS region (us-east-1). You can find the latest KMS pricing information here.
Now that we have discussed AWS KMS support for custom key stores, let’s move on to the exercise.