• Post Reply Bookmark Topic Watch Topic
  • New Topic

AWS KMS Volume Limitations  RSS feed

 
Thillai Sakthi
Ranch Hand
Posts: 109
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I have a question on Key management service (KMS). I was thinking of using KMS for encrypting data for real time transactions. My idea was to create a Customer Master Key once and then for every transaction request a data key from KMS to encrypt the pay load. But surprisingly there are limits to such request (http://docs.aws.amazon.com/kms/latest/developerguide/limits.html). As my real time service will easily exceed 100 TPS, I cannot use KMS. Any idea how I can work around this limitation ?

Thanks,
 
Winston Gutkowski
Bartender
Posts: 10573
65
Eclipse IDE Hibernate Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thillai Sakthi wrote:I have a question on Key management service (KMS). I was thinking of using KMS for encrypting data for real time transactions. My idea was to create a Customer Master Key once and then for every transaction request a data key from KMS to encrypt the pay load. But surprisingly there are limits to such request (http://docs.aws.amazon.com/kms/latest/developerguide/limits.html). As my real time service will easily exceed 100 TPS, I cannot use KMS. Any idea how I can work around this limitation ?

Is there any reason you feel you need this? AFAIR, ssh changes symmetric keys automatically after a certain period (or volume; possibly both) and, from what I understand, the protocol is proportional to unencrypted speeds (ie, it doesn't add significant payload weight) - but I could be wrong.

I'm also not exactly sure what your primary concern is here - security or throughput?

Winston
 
Andreas Wittig
Author
Ranch Hand
Posts: 42
5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
As far as I understand your use case, KMS is not the solution to your problem. KMS is focusing on data at rest. So I guess you need to search for an alternative here.
 
Thillai Sakthi
Ranch Hand
Posts: 109
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Winston Gutkowski wrote:

I'm also not exactly sure what your primary concern is here - security or throughput?

Winston


My primary concern is throughput.
 
Thillai Sakthi
Ranch Hand
Posts: 109
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Andreas Wittig wrote:As far as I understand your use case, KMS is not the solution to your problem. KMS is focusing on data at rest. So I guess you need to search for an alternative here.


Respectfully disagree. As per KMS documentation, they have 2 use cases - one for envelope encryption and this is for real time transaction use case. The other one is the encryption of data at rest.
 
Andreas Wittig
Author
Ranch Hand
Posts: 42
5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thillai Sakthi wrote:Respectfully disagree. As per KMS documentation, they have 2 use cases - one for envelope encryption and this is for real time transaction use case. The other one is the encryption of data at rest.


Good point, thanks for correcting me. Haven't looked into envelope encryption so far.
 
Winston Gutkowski
Bartender
Posts: 10573
65
Eclipse IDE Hibernate Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thillai Sakthi wrote:My primary concern is throughput.

I presume then that this stream/pipe is "zipped" in some way. Depending on what you're sending - which you didn't mention - this could increase throughput significantly. It may even be part of some encryption protocols (it's been a long time since I was involved with that stuff).

But that about the limit of my knowledge I'm afraid.

Winston
 
Diana McHenry
Greenhorn
Posts: 11
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Shakthi,

Here are a couple things to consider:

1. Any reason you can't have more than one CMK? Perhaps you could meter requests based on the ID ranges of the clients?
2. If a single CMK is mandatory, you can ask AWS to increase your request-per-second limit (not sure what costs may come into play)

Best of luck!

 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!