AWS KMS Multi region


Using AWS KMS Encryption SDK – MultipleProviderFactory, multiple CMKs from different region can be combined to single master key provider, the first CMK is used to generate data key, other CMKs just to encrypt the data key. This helps to decrypt using local KMS endpoint.

Won’t it fail if Region of first CMK is down and data key is not generated as the first CMK is the one to generate data key?? Any solution or workaround ??


Based on answer from a different AWS forum by Greg
This reply comes from the author of this blog post, Greg:

“That is correct. If the first region cannot generate the data key, or if any of the other regions cannot encrypt the data key, the encryption will fail. This was an intentional design decision because otherwise you could end up with ciphertext that is not decryptable by all of the expected keys. When decrypting, all that is required is that any one of the master keys is available and capable of decryption.


Leave a Reply