Welcome to my article on why you shouldn’t use AWS managed KMS keys. As a seasoned cloud DevOps Engineer and a regular user of AWS services, I have noticed that many companies and individuals are not aware of the potential complications associated with using AWS managed KMS keys. In this article, I will be discussing the drawbacks of using AWS managed KMS keys, and why it’s important to consider alternative solutions for encrypting your data.
By the end of this article, you’ll have a better understanding of the security risks associated with AWS managed KMS keys, and be able to make an informed decision about whether or not to use them. So, let’s dive in!
Let’s start with the most obvious fact, as the name already suggests, AWS managed keys are maintained by AWS and you, as the user, have no way to modify them. And that is the main issue for me.
Here’s an example that illustrates this issue: imagine you’ve received a business requirement to deploy a Parameter Store key as a Secure String, and only a specific Lambda function should be able to access and decrypt the key. In this scenario, AWS managed keys won’t work. Instead, you would need customer managed keys and deploy a key resource policy that only allows the Lambda’s IAM role to decrypt the Secure String from the Parameter store.
