< ciso
brief />

All news with #aws kms tag

26 articles

SageMaker HyperPod Adds Data Capture for Inference

🧾 Amazon SageMaker HyperPod now supports data capture for inference workloads, allowing organizations to record request and response payloads for monitoring, compliance, debugging, and offline analysis. You can capture traffic at the SageMaker endpoint, load balancer, or model pod and combine layers for richer observability. Captured data is delivered asynchronously to Amazon S3 with configurable sampling and encryption using customer-managed AWS KMS keys and is designed to never block inference. Enable data capture via the HyperPod Inference Operator or SageMaker JumpStart.

AWS Transform Adds Customer-Owned S3 Artifact Storage

🗂️ AWS Transform now supports customer-owned Amazon S3 buckets, letting customers control where transformation artifacts are stored and how they are secured. You can configure your own S3 bucket, optionally encrypt artifacts with your AWS KMS key, and manage access policies in your account. Migration teams can upload files directly and centralize artifacts across accounts to support regulated industries and data sovereignty requirements. This capability is available in all Regions where AWS Transform is offered.

AWS Payment Cryptography Achieves PCI PIN and P2PE

🔒 AWS announced the completion of PCI PIN and PCI P2PE assessments for AWS Payment Cryptography, expanding validations to include Key Management (KMCP) and Key Loading (KLCP) alongside the existing Decryption Management (DMCP). The coverage is extended to South America (São Paulo) and Asia Pacific (Sydney) Regions. These attestations allow customers to use PCI PTS HSM-certified, AWS-managed HSMs with compliant key management to simplify regulated deployments.

AWS Payment Cryptography: Cross-Account Key Sharing

🔐 AWS announced support for cross-account key sharing in AWS Payment Cryptography using resource-based policies (RBP). Organizations can now maintain a single authoritative copy of cryptographic keys and grant per-resource access to other AWS accounts—internal or external—without import/export workflows. This reduces duplication, simplifies key lineage and access control, and helps teams scale cryptography operations in cloud-hosted payment applications. The feature is available in all Regions where the service runs; consult the user guide to get started.

AWS KMS Adds Last-Usage Visibility for Keys Across Regions

🔒 AWS Key Management Service (KMS) now surfaces the timestamp, operation type, and AWS CloudTrail event ID of the last cryptographic operation performed with each KMS key, viewable in the console or via API. This removes the need to query CloudTrail logs by hand and helps administrators and compliance teams quickly identify unused keys, confirm active usage, and trace key activity. A new condition key, kms:TrailingDaysWithoutKeyUsage, allows key policies to block accidental deletion of recently used keys. The capability is available in all AWS Regions, including GovCloud and China.
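A key policy statement that uses the condition key named above to guard against deleting a key that was used recently. This is an added example written for this page, not a policy from the announcement or the KMS documentation: the operator (a numeric comparison on trailing days), the 90-day threshold, and the behaviour for a key that has never been used are assumptions, so verify them against the KMS condition key reference before relying on this in production.

```json
{
  "Sid": "DenyDeletionOfRecentlyUsedKey",
  "Effect": "Deny",
  "Principal": "*",
  "Action": [
    "kms:ScheduleKeyDeletion"
  ],
  "Resource": "*",
  "Condition": {
    "NumericLessThan": {
      "kms:TrailingDaysWithoutKeyUsage": "90"
    }
  }
}
```

Merge this statement into the key's existing policy alongside the usual key administrator allow statements. One caveat to test explicitly: if the condition key has no value for a key that has never performed a cryptographic operation, a NumericLessThan test does not match and this Deny does not apply, so brand-new keys remain deletable through the normal administrator permissions.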

Amazon Quick Automate Adds Export/Import Migration

🔁 Quick Automate now supports secure export and import of automation versions across automation groups, AWS accounts, and Regions. The feature packages workflows, runtime configuration, and step metadata into an encrypted link protected by AWS KMS; export links remain valid for 12 hours and are reusable, eliminating repeated exports. It speeds promotion between environments and enables point-in-time snapshots for recovery. Note that connectors, credentials, and human-in-the-loop queues are excluded and must be reconfigured.

Cloning AWS CloudHSM Clusters Across Regions Securely

🛡️ This AWS Security Blog post demonstrates how to clone an AWS CloudHSM cluster across Regions using the copy-backup-to-region workflow and Client SDK 5 (recommended version 5.17 or later). It walks through creating and initializing a source cluster, generating a backup, copying that backup to a destination Region, and launching a new cluster from the copied backup, including certificate transfer and security group adjustments. The guide emphasizes that non-exportable keys can only be synchronized to cloned clusters, that users and passwords must be maintained manually after the initial backup, and that Client SDK 3 reached end-of-support on January 1, 2025, so migration to SDK 5 is required.

How AWS KMS and Encryption SDK Avoid AES-GCM Limits

🔒 This post explains how AWS KMS and the AWS Encryption SDK stay within AES-GCM's per-key limits on invocations and total encrypted data by deriving a fresh symmetric key for every encryption from a per-message nonce using a key derivation function. Each derived key K_d is unique (HMAC-SHA256 in KMS, HKDF-SHA512 in the SDK), and per-invocation IVs and frame controls ensure that no (K, IV) pair is ever reused and that no single key comes near its exhaustion bound. The defaults (128- or 256-bit nonces, 96-bit IVs, and 4 KB frames) keep total data and invocation counts well within conservative security margins, so users do not have to rotate keys by hand or track invocation counts themselves.
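The derivation scheme described above, written out as an added example for this page; it is not AWS KMS or AWS Encryption SDK code. It implements RFC 5869 HKDF with the standard library, derives a fresh K_d per message from a 256-bit nonce, builds a 96-bit per-frame IV, and compares how many GCM invocations a single key absorbs with and without per-message derivation. The HKDF info label, the IV counter layout, the nonce-tracking set, and the helper names are assumptions made for the example.

```python
"""Per-message key derivation with a nonce-based KDF (added example, not AWS code)."""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

FRAME_SIZE = 4096  # 4 KB frames, matching the defaults described above
NONCE_LEN = 32     # 256-bit per-message nonce
KEY_LEN = 32       # AES-256 key


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int, hash_name: str = "sha512") -> bytes:
    """RFC 5869 HKDF: Extract with the salt, then Expand with the info string."""
    digest_size = hashlib.new(hash_name).digest_size
    if length > 255 * digest_size:
        raise ValueError("requested length exceeds HKDF limit")
    salt = salt or b"\x00" * digest_size
    prk = hmac.new(salt, ikm, hash_name).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


class MessageKeyDeriver:
    """Turns one long-lived data key into a fresh K_d for every message.

    The nonce is the HKDF salt and the algorithm label is the info, so a
    different nonce always yields a different K_d. Nonces already issued are
    remembered so an accidental repeat is refused instead of silently
    reproducing K_d (and with it every (K, IV) pair of an earlier message)."""

    ALGORITHM_ID = b"EXAMPLE-AES-256-GCM-HKDF-SHA512"  # constructed label, not the SDK's real id

    def __init__(self, data_key: bytes) -> None:
        if len(data_key) != KEY_LEN:
            raise ValueError("data key must be 32 bytes")
        self._data_key = data_key
        self._issued = set()

    def derive(self, nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
        """Return (nonce, K_d); a random nonce is drawn when none is supplied."""
        nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
        if len(nonce) != NONCE_LEN:
            raise ValueError("nonce must be 32 bytes")
        if nonce in self._issued:
            raise RuntimeError("nonce reuse would repeat K_d; refusing")
        self._issued.add(nonce)
        return nonce, hkdf(self._data_key, nonce, self.ALGORITHM_ID, KEY_LEN)


def frame_iv(frame_number: int) -> bytes:
    """96-bit GCM IV for one frame: 8 zero bytes, then a 4-byte big-endian counter from 1.

    All frames of a message use the same K_d with distinct counters, and every
    message gets its own K_d, so no (key, IV) pair repeats. The counter layout
    is an assumption for this example."""
    if not 1 <= frame_number <= 0xFFFFFFFF:
        raise ValueError("frame counter out of range")
    return b"\x00" * 8 + struct.pack(">I", frame_number)


def frames_for(plaintext_len: int) -> int:
    """Number of 4 KB frames (one GCM invocation each) a plaintext needs; at least one."""
    return max(1, -(-plaintext_len // FRAME_SIZE))


def max_invocations_per_key(messages: int, plaintext_len: int, derive_per_message: bool) -> int:
    """GCM invocations charged against a single AES key.

    Without derivation every message shares one key and the count keeps growing;
    with derivation each K_d only ever sees the frames of its own message."""
    per_message = frames_for(plaintext_len)
    return per_message if derive_per_message else messages * per_message


if __name__ == "__main__":
    deriver = MessageKeyDeriver(os.urandom(KEY_LEN))
    _, k1 = deriver.derive()
    _, k2 = deriver.derive()
    assert k1 != k2
    print("2^20 messages of 1 GiB under one key:",
          max_invocations_per_key(2 ** 20, 2 ** 30, False), "GCM calls on that key")
    print("same workload with per-message K_d:",
          max_invocations_per_key(2 ** 20, 2 ** 30, True), "GCM calls per derived key")
```

The HKDF function is parameterised on the hash so it can be checked against the SHA-256 test vectors in RFC 5869 while the deriver itself uses SHA-512. The invocation comparison is the whole point of the post: the per-key count stops depending on how many messages the data key ever protects.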

Amazon RDS for Oracle Now Available on AWS Outposts

🏢 Amazon RDS for Oracle is now available on AWS Outposts, enabling customers to run a managed Oracle database service on-premises with the same operational model used in AWS Regions. The offering supports Oracle Database 19c and 21c under a BYOL model and includes automated backups, automated patching, point-in-time recovery, CloudWatch monitoring, and encryption at rest with AWS KMS. It also supports multi-AZ deployments across Outposts racks for high availability and provides options for disaster recovery to the parent AWS Region or across Outposts.

AWS DataSync Adds Secrets Manager Support for All Locations

🔐 AWS DataSync now integrates with AWS Secrets Manager for credential management across all DataSync location types, including HDFS and Amazon FSx variants. Customers can centralize secrets in their account and optionally encrypt them with a customer-managed AWS KMS key to meet governance requirements. DataSync supports providing a secret ARN you manage or having DataSync automatically create and manage secrets. This capability is available in the majority of AWS regions where DataSync is offered.

Amazon Managed Grafana Adds Customer-Managed KMS Keys

🔐 Amazon Managed Grafana now supports customer-managed keys (CMKs) through AWS Key Management Service (KMS), enabling you to encrypt workspace data with keys you control. Previously, Amazon Managed Grafana used AWS-owned keys by default; this option lets organizations add a self-managed encryption layer to meet compliance and regulatory requirements. The feature is available in all generally available regions except AWS GovCloud (US) Regions.

Update Server-Side Encryption Type for Amazon S3 Objects

🔒 You can now change the server-side encryption type of encrypted objects in Amazon S3 without copying or moving data. The UpdateObjectEncryption API re-encrypts an object in place as a single atomic operation, regardless of object size or storage class, and S3 Batch Operations can run it at scale to standardize entire buckets while preserving object properties and Lifecycle eligibility. The capability supports migrating from SSE-S3 to SSE-KMS, swapping one customer-managed KMS key for another, and enabling S3 Bucket Keys to reduce KMS request volume. The API is available in all AWS Regions via the AWS Management Console and SDKs.

EMR Serverless Supports AWS KMS Customer-Managed Keys

🔒 Amazon EMR Serverless now supports encrypting local disks with AWS KMS customer managed keys (CMKs), enabling customers to adopt CMKs instead of default AWS-owned keys for greater encryption control. You can use CMKs from the same account or from another account and apply them at the application level or per job run and interactive session. This capability is supported on new and existing EMR Serverless applications across all supported EMR release versions and is available in all Regions, including AWS GovCloud (US) and China.

Amazon OpenSearch UI adds CMK support and larger metadata

🔐 Amazon OpenSearch UI now supports AWS KMS customer managed keys (CMKs) and increases metadata size limits. You can create new OpenSearch UI applications with metadata encrypted using your own CMKs, helping meet regulatory and compliance requirements. The larger metadata limit enables richer, more complex queries, extensive visualizations, and large-scale dashboards. Both features are available in all regions that OpenSearch UI supports.

Oracle Database@AWS Integrates with AWS KMS for TDE

🔐 AWS announced integration between Oracle Database@AWS and AWS Key Management Service (KMS), enabling KMS to encrypt Oracle Transparent Data Encryption (TDE) master keys. The feature is available in all regions where Oracle Database@AWS runs and incurs only standard KMS charges—there is no additional Oracle Database@AWS fee. Customers gain centralized key control, CloudTrail auditing, and automatic key rotation for TDE keys.

AWS Adds ML-DSA Post-Quantum Code Signing to Private CA

🔐 AWS announced support for post-quantum ML-DSA code signing in AWS Private CA, integrated with AWS KMS. The integration lets customers create ML-DSA X.509 certificate chains and generate KMS-held ML-DSA key pairs to sign binaries, enabling quantum-resistant code-signing, device authentication, and private-PKI workflows such as mTLS or IKEv2/IPsec. A provided Java Runner demonstrates CA creation, CSR issuance, CMS detached signing with SHAKE256, and signature verification against customer-managed roots.

AWS KMS Adds Ed25519 (EdDSA) Support for Signatures

🔐 AWS Key Management Service (KMS) now supports the Edwards-curve Digital Signature Algorithm (EdDSA) using the Ed25519 curve. You can create asymmetric KMS keys or data key pairs to sign and verify EdDSA signatures, benefiting from 128-bit security equivalent to NIST P-256, faster signing, and compact 64-byte signatures and 32-byte public keys. This capability is available in all AWS Regions, including GovCloud and China.

AWS Backup: Support for KMS Customer Managed Keys for Vaults

🔐 AWS Backup now lets you encrypt logically air-gapped vaults with your own AWS KMS customer managed keys (CMKs). This gives organizations more control over key lifecycle, access policies, and compliance posture while preserving the security benefits of logically air-gapped backups. Support covers same-account and cross-account CMKs and is available in all Regions where air-gapped vaults are supported. You can enable CMK encryption when creating vaults via the console, API, or CLI.

Amazon RDS for SQL Server: KMS Encryption for Native Backups

🔐 Amazon RDS for SQL Server now supports encrypting native backup files (.bak) stored in Amazon S3 using server-side encryption with AWS KMS keys (SSE-KMS). By default, native backups remain encrypted with Amazon S3-managed keys (SSE-S3), and customers can opt to apply their own KMS key for additional protection and key control. To enable the feature, update the KMS key policy to grant the RDS backup service access and specify the parameter @enable_bucket_default_encryption in the native backup stored procedure. This capability is available in all AWS Regions where Amazon RDS for SQL Server is offered.

AWS IAM Identity Center Adds Customer-Managed KMS Keys

🔐 IAM Identity Center now supports customer-managed AWS KMS keys to encrypt workforce identity data, including user and group attributes. While AWS-owned keys remain the default, a customer-managed key (CMK) lets organizations control key lifecycle, policies, and usage permissions for stronger security and compliance. CMKs can be set when enabling a new organization instance or added to existing ones, and their usage is auditable via AWS CloudTrail. Support is available for access to accounts and select AWS applications across all IAM Identity Center regions; standard KMS charges apply.