Compliance & Governance

Key Management Infrastructure

Encryption is only as strong as your key management. Hardcoded keys, shared secrets, and missing rotation policies undermine encryption entirely. We implement centralized key management with proper lifecycle controls, access policies, and audit logging.

Need this done for your project?

We implement, you ship. Async, documented, done in days.

Start a Brief

KMS Architecture

We design a KMS key hierarchy: a root key per environment (production, staging), service-specific keys for each application or data classification, and per-tenant keys where data isolation requires independent encryption. Key aliases provide stable references that survive key rotation. Multi-region keys replicate across regions for DR without cross-region key sharing. The key hierarchy balances security isolation with operational simplicity.

Key Policies and Access Control

Every KMS key has a resource policy defining exactly who can use it and how. Application roles get kms:Encrypt and kms:Decrypt. Key administrators get kms:CreateGrant and kms:DescribeKey. Nobody gets kms:ScheduleKeyDeletion except break-glass roles with multi-party approval. Key policies are defined in Terraform and reviewed in pull requests. We implement condition keys to restrict usage by VPC, service, or encryption context.

Key Rotation and Lifecycle

Automatic key rotation creates new key material annually while retaining old material for decryption. For higher-frequency rotation, we implement manual rotation with alias swapping. The key lifecycle covers: generation (in KMS, never exported), distribution (via grants and key policies), usage (logged in CloudTrail), rotation (automatic or manual), and retirement (disabled, then scheduled for deletion with a 30-day waiting period). Each lifecycle stage is documented and auditable.

Envelope Encryption

For performance and flexibility, we implement envelope encryption: KMS generates a data encryption key (DEK), the DEK encrypts the data locally, and the encrypted DEK is stored alongside the data. Decryption calls KMS to unwrap the DEK, then decrypts locally. This pattern supports: encrypting data larger than the KMS 4 KB limit, reducing KMS API calls (and costs), and enabling caching of decrypted DEKs for high-throughput workloads. The AWS Encryption SDK handles envelope encryption transparently.

Why Anubiz Engineering

100% async — no calls, no meetings
Delivered in days, not weeks
Full documentation included
Production-grade from day one
Security-first approach
Post-delivery support included

Ready to get started?

Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.