< ciso
brief />
Tag Banner

All news with #aws kms tag

31 articles

Amazon S3 delivers server access logs to CloudWatch

๐Ÿ“ฃ Amazon S3 now supports delivering server access logs to Amazon CloudWatch Logs, enabling instant querying, alarms, cross-account and cross-Region aggregation, and AWS KMS encryption for access log data. You can also mirror logs to Amazon S3 Tables in Apache Iceberg format at no additional storage cost. These delivery options complement existing free delivery to S3 buckets and provide more flexibility for monitoring and analysis.
read more โ†’

Amazon Cognito adds customer managed KMS keys

๐Ÿ” Amazon Cognito now supports customer managed keys in AWS Key Management Service (KMS) to encrypt user pool data at rest. While AWS-owned keys remain the default, customer managed keys let organizations control key lifecycle and access policies to meet governance requirements. You can set a key when creating a new user pool or update an existing one, and audit key usage via AWS CloudTrail. Available in Essentials and Plus tiers with standard AWS KMS charges.
read more โ†’

AWS KMS GetKeyLastUsage improves key audits

๐Ÿ” AWS KMS introduced the GetKeyLastUsage API to report the date, time, operation type, CloudTrail event ID, and KMS request ID for the most recent cryptographic operation on a key. The feature works for customer-managed and AWS-managed keys across specs and origins and is visible in the AWS Management Console and AWS CLI. Tracking of last usage began on April 23, 2026 for most Regions, so historical gaps before tracking began should be considered. Use DisableKey, monitoring, and the kms:TrailingDaysWithoutKeyUsage condition to prevent accidental deletions.
read more โ†’

Amazon Quick Research adds customer-managed KMS keys

๐Ÿ”’ Amazon Quick Research now supports encryption using customer-managed keys (CMKs) via AWS Key Management Service, enabling organizations to control encryption, auditing, and key lifecycle. Customers can use multiple CMKs with one default key per AWS account per region and must create CMKs in the same account and region as Quick resources. Only symmetric KMS keys are supported, and CloudTrail integration provides comprehensive audit trails and the ability to revoke compromised keys within 15 minutes. The feature is generally available in all AWS Regions where Amazon Quick is offered.
read more โ†’

Amazon Quick Research adds customer-managed KMS keys

๐Ÿ” Amazon Quick Research now supports customer-managed keys (CMKs) via AWS Key Management Service (KMS), enabling organizations to manage encryption keys for their Quick data. Customer-managed keys provide enhanced control, CloudTrail-based auditing, and the ability to revoke compromised keys within 15 minutes. Only symmetric KMS keys created in the same account and region are supported, with one default CMK per account per region and support for multiple CMKs across datasets.
read more โ†’

SageMaker HyperPod Adds Data Capture for Inference

๐Ÿงพ Amazon SageMaker HyperPod now supports data capture for inference workloads, allowing organizations to record request and response payloads for monitoring, compliance, debugging, and offline analysis. You can capture traffic at the SageMaker endpoint, load balancer, or model pod and combine layers for richer observability. Captured data is delivered asynchronously to Amazon S3 with configurable sampling and encryption using customer-managed AWS KMS keys and is designed to never block inference. Enable data capture via the HyperPod Inference Operator or SageMaker JumpStart.
read more โ†’

AWS Transform Adds Customer-Owned S3 Artifact Storage

๐Ÿ—‚๏ธ AWS Transform now supports customer-owned Amazon S3 buckets, letting customers control where transformation artifacts are stored and how they are secured. You can configure your own S3 bucket, optionally encrypt artifacts with your AWS KMS key, and manage access policies in your account. Migration teams can upload files directly and centralize artifacts across accounts to support regulated industries and data sovereignty requirements. This capability is available in all Regions where AWS Transform is offered.
read more โ†’

AWS Payment Cryptography Achieves PCI PIN and P2PE

๐Ÿ”’ AWS announced the completion of PCI PIN and PCI P2PE assessments for AWS Payment Cryptography, expanding validations to include Key Management (KMCP) and Key Loading (KLCP) alongside the existing Decryption Management (DMCP). The coverage is extended to South America (Sรฃo Paulo) and Asia Pacific (Sydney) Regions. These attestations allow customers to use PCI PTS HSM-certified, AWS-managed HSMs with compliant key management to simplify regulated deployments.
read more โ†’

AWS Payment Cryptography: Cross-Account Key Sharing

๐Ÿ” AWS announced support for cross-account key sharing in AWS Payment Cryptography using resource-based policies (RBP). Organizations can now maintain a single authoritative copy of cryptographic keys and grant per-resource access to other AWS accountsโ€”internal or externalโ€”without import/export workflows. This reduces duplication, simplifies key lineage and access control, and helps teams scale cryptography operations in cloud-hosted payment applications. The feature is available in all Regions where the service runs; consult the user guide to get started.
read more โ†’

AWS KMS Adds Last-Usage Visibility for Keys Across Regions

๐Ÿ”’ AWS Key Management Service (KMS) now surfaces the timestamp, operation type, and AWS CloudTrail event ID for the last cryptographic operation performed with each KMS key, viewable in the console or via API. This eliminates manual log queries and helps administrators and compliance teams quickly identify unused keys, verify active usage, and trace key activity. A new condition key, kms:TrailingDaysWithoutKeyUsage, enables policy-based protection against accidental deletion of recently used keys, and the capability is available in all AWS Regions including GovCloud and China.
read more โ†’

Amazon Quick Automate Adds Export/Import Migration

๐Ÿ” Quick Automate now supports secure export and import of automation versions across automation groups, AWS accounts, and Regions. The feature packages workflows, runtime configuration, and step metadata into an encrypted link protected by AWS KMS; export links remain valid for 12 hours and are reusable, eliminating repeated exports. It speeds promotion between environments and enables point-in-time snapshots for recovery. Note that connectors, credentials, and human-in-the-loop queues are excluded and must be reconfigured.
read more โ†’

Cloning AWS CloudHSM Clusters Across Regions Securely

๐Ÿ›ก๏ธ This AWS Security Blog post demonstrates how to clone an AWS CloudHSM cluster across Regions using the copy-backup-to-region workflow and Client SDK 5 (recommended version 5.17 or later). It walks through creating and initializing a source cluster, generating a backup, copying that backup to a destination Region, and launching a new cluster from the copied backup, including certificate transfer and security group adjustments. The guide emphasizes that non-exportable keys can only be synchronized to cloned clusters, that users and passwords must be maintained manually after the initial backup, and that Client SDK 3 reached end-of-support on January 1, 2025, so migration to SDK 5 is required.
read more โ†’

How AWS KMS and Encryption SDK Avoid AES-GCM Limits

๐Ÿ”’ This post explains how AWS KMS and the AWS Encryption SDK mitigate AES-GCM invocation and data bounds by deriving a fresh symmetric key per encryption using nonce-based KDFs. By producing unique K_d values (via HMAC-SHA256 in KMS and HKDF-SHA512 in the SDK) and using per-invocation IV and frame controls, they prevent (K, IV) reuse and limit exhaustion. Default settingsโ€”128- or 256-bit nonces, 96-bit IVs, and 4 KB framesโ€”keep total data and invocation counts well within conservative security margins, reducing the need for manual key rotation and operational tracking.
read more โ†’

Amazon RDS for Oracle Now Available on AWS Outposts

๐Ÿข Amazon RDS for Oracle is now available on AWS Outposts, enabling customers to run a managed Oracle database service on-premises with the same operational model used in AWS Regions. The offering supports Oracle Database 19c and 21c under a BYOL model and includes automated backups, automated patching, point-in-time recovery, CloudWatch monitoring, and encryption at rest with AWS KMS. It also supports multi-AZ deployments across Outposts racks for high availability and provides options for disaster recovery to the parent AWS Region or across Outposts.
read more โ†’

AWS DataSync Adds Secrets Manager Support for All Locations

๐Ÿ” AWS DataSync now integrates with AWS Secrets Manager for credential management across all DataSync location types, including HDFS and Amazon FSx variants. Customers can centralize secrets in their account and optionally encrypt them with a customer-managed AWS KMS key to meet governance requirements. DataSync supports providing a secret ARN you manage or having DataSync automatically create and manage secrets. This capability is available in the majority of AWS regions where DataSync is offered.
read more โ†’

Amazon Managed Grafana Adds Customer-Managed KMS Keys

๐Ÿ” Amazon Managed Grafana now supports customer-managed keys (CMKs) through AWS Key Management Service (KMS), enabling you to encrypt workspace data with keys you control. Previously, Amazon Managed Grafana used AWS-owned keys by default; this option lets organizations add a self-managed encryption layer to meet compliance and regulatory requirements. The feature is available in all generally available regions except AWS GovCloud (US) Regions.
read more โ†’

Update Server-Side Encryption Type for Amazon S3 Objects

๐Ÿ”’ You can now change the server-side encryption type of encrypted objects in Amazon S3 without moving data. Use the UpdateObjectEncryption API to atomically change encryption keys across any object size or storage class, and run it at scale with S3 Batch Operations to standardize entire buckets while preserving object properties and Lifecycle eligibility. The capability supports migrating from SSE-S3 to SSE-KMS, swapping customer-managed KMS keys, and enabling S3 Bucket Keys to reduce KMS requests. The API is available in all AWS Regions via the AWS Management Console and SDKs.
read more โ†’

EMR Serverless Supports AWS KMS Customer-Managed Keys

๐Ÿ”’ Amazon EMR Serverless now supports encrypting local disks with AWS KMS customer managed keys (CMKs), enabling customers to adopt CMKs instead of default AWS-owned keys for greater encryption control. You can use CMKs from the same account or from another account and apply them at the application level or per job run and interactive session. This capability is supported on new and existing EMR Serverless applications across all supported EMR release versions and is available in all Regions, including AWS GovCloud (US) and China.
read more โ†’

Amazon OpenSearch UI adds CMK support and larger metadata

๐Ÿ” Amazon OpenSearch UI now supports AWS KMS customer managed keys (CMKs) and increases metadata size limits. You can create new OpenSearch UI applications with metadata encrypted using your own CMKs, helping meet regulatory and compliance requirements. The larger metadata limit enables richer, more complex queries, extensive visualizations, and large-scale dashboards. Both features are available in all regions that OpenSearch UI supports.
read more โ†’

Oracle Database@AWS Integrates with AWS KMS for TDE

๐Ÿ” AWS announced integration between Oracle Database@AWS and AWS Key Management Service (KMS), enabling KMS to encrypt Oracle Transparent Data Encryption (TDE) master keys. The feature is available in all regions where Oracle Database@AWS runs and incurs only standard KMS chargesโ€”there is no additional Oracle Database@AWS fee. Customers gain centralized key control, CloudTrail auditing, and automatic key rotation for TDE keys.
read more โ†’