FIPS 140-3 Non-Proprietary Security Policy: AWS Key Management Service HSM
Document Version 0.35
Page 1 of 71
Copyright 2024 Amazon Web Services, Inc. All Rights Reserved
This non-proprietary security policy document may be freely reproduced and distributed in its entirety without modification.

FIPS 140-3 Non-Proprietary Security Policy
AWS Key Management Service HSM
Hardware version 3.0, firmware version 1.8.104
Document Version 0.35
October 25, 2024

Table of Contents
1. General
2. Cryptographic Module Specification
3. Cryptographic Module Interfaces
4. Roles, Services, and Authentication
5. Software/Firmware Security
6. Operational Environment
7. Physical Security
8. Non-invasive Security
9. Sensitive Security Parameters Management
10. Self-Tests
11. Life-cycle Assurance
12. Mitigation of Other Attacks

List of Tables
Table 1 – Security Levels
Table 2 - Cryptographic Module Tested Configuration
Table 3 – Approved Algorithms
Table 4 – Non-Approved Algorithms Allowed in the Approved Mode of Operation
Table 5 - Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed
Table 6 – Ports and Interfaces
Table 7 – Roles and Authentication
Table 8 – Roles, Service Commands, Input and Output
Table 9 – Approved Services
Table 10 – Physical Security Inspection Guidelines
Table 11 – EFP/EFT
Table 12 – Hardness Testing Temperature Ranges
Table 13 – SSPs
Table 14 – Non-Deterministic Random Number Generator Specification

List of Figures
Figure 1 – Cryptographic Module Boundary (Front)
Figure 2 - Cryptographic Module Boundary (Back)

1. General
This document defines the Non-Proprietary Security Policy for the AWS Key Management Service HSM module by Amazon Web Services, Inc. The module meets the FIPS 140-3 overall Level 3 requirements.
Table 1 lists the security level for each area in the FIPS 140-3 validation:

| ISO/IEC 24759 Section 6 | FIPS 140-3 Section Title | Security Level |
|---|---|---|
| 1 | General | 3 |
| 2 | Cryptographic module specification | 3 |
| 3 | Cryptographic module interfaces | 3 |
| 4 | Roles, services, and authentication | 3 |
| 5 | Software/Firmware security | 3 |
| 6 | Operational environment | N/A |
| 7 | Physical security | 3 |
| 8 | Non-invasive security | N/A |
| 9 | Sensitive security parameter management | 3 |
| 10 | Self-tests | 3 |
| 11 | Life-cycle assurance | 3 |
| 12 | Mitigation of other attacks | N/A |

Table 1 – Security Levels

2. Cryptographic Module Specification
The AWS Key Management Service HSM is used exclusively by AWS as a component of the AWS Key Management Service (KMS). The module is not directly accessible to customers of KMS. The cryptographic functions of the module are used to fulfill requests under specific public AWS KMS APIs.

The module runs firmware version 1.8.104 on hardware version 3.0 and is classified as a Hardware module with a multi-chip standalone embodiment. The cryptographic boundary is defined as the module case, and the module runs on a non-modifiable operating environment. The module follows the initialization/installation requirements found in Section 11.

| Model | Hardware [Part Number and Version] | Firmware Version | Distinguishing Features |
|---|---|---|---|
| AWS Key Management Service HSM | 3.0 | 1.8.104 | DC power input. No maintenance cover |

Table 2 - Cryptographic Module Tested Configuration

The AWS Key Management Service HSM operates only in an Approved mode of operation. The module does not support any non-approved algorithms not allowed in the Approved mode of operation.
The module’s cryptographic algorithm implementations have received the following certificate numbers from the Cryptographic Algorithm Validation Program (CAVP). Although additional modes and key lengths were included in the CAVP algorithm testing, the table below represents the actual modes and key lengths used by the services of the module.

| CAVP Cert [1] | Algorithm and Standard | Mode/Method | Description / Key Size(s) / Key Strength(s) | Use / Function |
|---|---|---|---|---|
| AWS Key Management Service Cryptographic Library | | | | |
| A1908 | AES; FIPS 197, SP 800-38A | ECB, CBC, CTR | Direction: Decrypt, Encrypt; Key Length: 128, 256 | Encryption, Decryption |
| A1908 | GCM [2]; SP 800-38D | AES GCM | Direction: Decrypt, Encrypt; IV Generation: External [3]; IV Generation Mode: 8.2.2; Key Length: 128, 256; Tag Length: 96, 128; IV Length: 96; Payload Length: 64, 128, 192; AAD Length: 128, 256 | Generation, Authentication, Encryption, Decryption |
| A1908 | KTS; SP 800-38F per IG D.G | AES KWP | Direction: Decrypt, Encrypt; Cipher: Cipher; Key Length: 256; Payload Length: 128, 192, 512 | Key Transport using AES KWP |
| A1908 | KTS; SP 800-38D and SP 800-38F per IG D.G | AES GCM | Direction: Decrypt, Encrypt; Cipher: Cipher; Key Length: 256; Payload Length: 160, 256, 384, 512, 2048, 3072, 4096 | Key Transport using AES GCM |
| A1908 | DRBG; SP 800-90A | CTR DRBG | Capabilities: Mode: AES-256; Derivation Function Enabled: Yes; Additional Input: 384; Entropy Input: 384; Nonce: 384; Personalization String Length: 384; Returned Bits: 512 | Random Bit Generation |
| A1908 | ECDSA; FIPS 186-4 | KeyGen | Curve: P-256, P-384, P-521; Secret Generation Mode: Extra Bits, Testing Candidates | Key Pair Generation |
| | | KeyVer | Curve: P-256, P-384, P-521 | Public Key Validation |
| | | SigGen Component | Curve: P-256, P-384, P-521; Hash Algorithm: SHA2-256, SHA2-384, SHA2-512 | Signature Generation Component |
| | | SigGen | Curve: P-256, P-384, P-521; Hash Algorithm: SHA2-256, SHA2-384, SHA2-512 | Signature Generation |
| | | SigVer | Curve: P-256, P-384, P-521; Hash Algorithm: SHA2-256, SHA2-384, SHA2-512 | Signature Verification |
| A1908 | HMAC; FIPS 198-1 | SHA-1 | MAC: 80-160 Increment 8; Key Length: 160 | Generation, Authentication |
| | | SHA2-256 | MAC: 128-256 Increment 8; Key Length: 256 | |
| | | SHA2-384 | MAC: 192-384 Increment 8; Key Length: 384 | |
| | | SHA2-512 | MAC: 256-512 Increment 8; Key Length: 512 | |
| A1908 | RSA; FIPS 186-4 | KeyGen | Capabilities: Key Generation Mode: B.3.3; Properties: Modulo: 2048, 3072, 4096, Primality Tests: Table C.2; Properties: Modulo: 2048, 3072, 4096, Primality Tests: Table C.3; Public Exponent Mode: Random; Private Key Format: Chinese Remainder Theorem | Key Pair Generation |
| | | SigGen | Signature Type: PKCSPSS; Properties: Modulo: 2048, 3072, 4096 (Note: All supported modulus sizes have been algorithm tested according to IG C.F); Hash Pair: Hash Algorithm: SHA2-256, Salt Length: 0; Hash Pair: Hash Algorithm: SHA2-384, Salt Length: 0; Hash Pair: Hash Algorithm: SHA2-512, Salt Length: 0 | Signature Generation |
| | | SigVer | Signature Type: PKCSPSS; Properties: Modulo: 2048, 3072, 4096 (Note: All supported modulus sizes have been algorithm tested according to IG C.F); Hash Pair: Hash Algorithm: SHA2-256, Salt Length: 0; Hash Pair: Hash Algorithm: SHA2-384, Salt Length: 0; Hash Pair: Hash Algorithm: SHA2-512, Salt Length: 0 | Signature Verification |
| | | Decryption Primitive | Modulo Length: 2048 | Component Test |
| | | Signature Primitive | Private Key Format: standard; Public Exponent Mode: random | Signature Generation Component |
| A1908 | SHS; FIPS 180-4 | SHA-1 | Message Length: 0-65536 Increment 8 | non-Digital Signature Applications |
| | | SHA2-256 | Message Length: 0-65536 Increment 8 | Digital Signature Generation and Verification |
| | | SHA2-384 | Message Length: 0-65536 Increment 8 | Digital Signature Generation and Verification |
| | | SHA2-512 | Message Length: 0-65536 Increment 8 | Digital Signature Generation and Verification |
| A1908 | KTS-IFC; SP 800-56Brev2 per IG D.G | RSA-OAEP without key confirmation | Key sizes: 2048, 3072, and 4096 bits; Hybrid Key-Transport scheme incorporating KTS-OAEP and SP 800-38F; Modulo: 2048, 3072, 4096; Key Generation Methods: rsakpg1-basic, rsakpg1-crt, rsakpg1-prime-factor, rsakpg2-basic, rsakpg2-crt, rsakpg2-prime-factor; Scheme: KTS-OAEP-basic: Key Transport Method: Hash Algorithms: SHA-1, SHA2-256; Supports Null Associated Data; Associated Data Encoding: concatenation; KAS Role: initiator, responder; Key Length: 1024; SSP establishment methodology provides between 112 and 150 bits of encryption strength | Key Transport, Optional RSA encapsulation schemes for protecting keys that customers import into AWS KMS |
| A1908 | KAS; SP 800-56Arev3 per IG D.F Scenario 2, path (2) | KAS-ECC (Cofactor) Ephemeral Unified scheme with key confirmation | P-384 curve providing 192 bits of encryption strength | Key Agreement |
| A1908 | KAS; SP 800-56Arev3 per IG D.F Scenario 2, path (2) | KAS-ECC (Cofactor) One-Pass Diffie-Hellman scheme with key confirmation | P-384 curve providing 192 bits of encryption strength | Key Agreement |
| A1908 | KDA; SP 800-56Crev1 | [SP 800-56Crev1] One-step key derivation | Auxiliary Function Methods: Auxiliary Function Name: SHA2-256, MAC Salting Methods: default, random; Auxiliary Function Methods: Auxiliary Function Name: SHA2-384, MAC Salting Methods: default, random | Key Derivation |
| Vendor Affirmed IG D.H | CKG; SP 800-133rev2 | [SP 800-133rev2, Section 4] Seeding for asymmetric key generation uses unmodified DRBG output; [SP 800-133rev2, Section 6.1] Symmetric key generation uses unmodified DRBG output; [SP 800-133rev2, Section 6.2] Symmetric keys can be derived | N/A | Key Generation |
| AWS Key Management Service Key Derivation Function Library | | | | |
| A1910 | KBKDF; SP 800-108 | Counter Mode HMAC-based KDF with SHA2-256 | Capabilities: KDF Mode: Counter; MAC Mode: HMAC-SHA2-256; Supported Lengths: 8-4096 Increment 8; Fixed Data Order: Before Fixed Data; Counter Length: 32; Supports Empty IV; Custom Key In Length: 0 | Key Derivation |
| Entropy Source | | | | |
| N/A | ENT (P); SP 800-90B | Entropy source | 384 bits | Provides seeding material for the DRBG |
| A1791 | Conditioning Components | AES-ECB; AES-CBC-MAC; Counter DRBG | Key Length: 128; Payload Length: 128 | Provides seeding material for the DRBG |

Table 3 – Approved Algorithms

[1] There are algorithms, modes, and key/moduli sizes that have been CAVP-tested but are not used by any approved service of the module. Only the algorithms, modes/methods, and key lengths/curves/moduli shown in this table are used by an approved service of the module.
[2] Per IG C.H (Scenario 2), IVs are internally generated using an approved DRBG, with length of 96 bits (per SP 800-38D).
[3] The IV generation is internal to the module, but external to the algorithm boundary.

| Algorithm | Caveat | Use / Function |
|---|---|---|
| ECDSA secp256k1 | key agreement; key establishment methodology provides 128 bits of encryption strength | [IG C.A] Curves: secp256k1 may only be used in blockchain related applications |

Table 4 – Non-Approved Algorithms Allowed in the Approved Mode of Operation

| Algorithm | Caveat | Use / Function |
|---|---|---|
| HMAC-SHA1 (non-compliant) | No security claimed | Used as defined by the IPMI specification on the Baseboard Management Controller (BMC) which operates completely independently from the rest of the module’s functionality |
| HMAC-SHA1-96 (non-compliant) | No security claimed | Used as defined by the IPMI specification on the Baseboard Management Controller (BMC) which operates completely independently from the rest of the module’s functionality |
| HMAC-MD5 | No security claimed | Used as defined by the IPMI specification on the Baseboard Management Controller (BMC) which operates completely independently from the rest of the module’s functionality |
| HMAC-SHA2-256-128 (non-compliant) | No security claimed | Used as defined by the IPMI specification on the Baseboard Management Controller (BMC) which operates completely independently from the rest of the module’s functionality |
| AES-CBC-128 (non-compliant) | No security claimed | Used as defined by the IPMI specification on the Baseboard Management Controller (BMC) which operates completely independently from the rest of the module’s functionality |

Table 5 - Non-Approved Algorithms Allowed in the Approved Mode of Operation with No Security Claimed

The cryptographic boundary consists of the entire module as shown in Figures 1 and 2.

Figure 1 – Cryptographic Module Boundary (Front)
Figure 2 - Cryptographic Module Boundary (Back)

3. Cryptographic Module Interfaces
The module provides a number of physical and logical interfaces to the device, and the physical interfaces provided by the module are mapped to four FIPS 140-3 defined logical interfaces: data input, data output, control input, and status output. The control output interface is not applicable. The logical interfaces and their mapping are provided in the following table:

| Physical port | Logical interface | Data that passes over port/interface |
|---|---|---|
| 25 Gigabit Ethernet Port | Data Input | Main session interface for cryptographic services |
| 25 Gigabit Ethernet Port | Data Output | Main session interface for cryptographic services |
| 25 Gigabit Ethernet Port | Control Input | Main session interface for cryptographic services |
| IPMI / Gigabit Ethernet Port | Control Input | Provides serial console access, query power on / off |
| 25 Gigabit Ethernet Port | Status Output | Main session interface for cryptographic services |
| IPMI / Gigabit Ethernet Port | Status Output | Provides serial console access, query power on / off |
| Power | Power | N/A |

Table 6 – Ports and Interfaces

4. Roles, Services, and Authentication
Operators of the module may assume the following three roles implicitly:
KMS Front End Role (KMS-FE) - The KMS front end hosts perform actions on behalf of customers of AWS KMS.
KMS Coordinator Role (KMS-C) - Non-public facing KMS hosts perform actions on behalf of KMS administrators in the Administrator Role.
Administrator Role (Admin) - Employees of AWS who are authorized to manage the module.

For FIPS 140-3 purposes, the KMS Coordinator and Administrator roles serve as the Cryptographic Officer role per FIPS 140-3 requirements.
The KMS-Front End role serves as the User role per FIPS 140-3 requirements.

The module supports only identity-based authentication and requires RSA or ECDSA signatures using RSA with 2048-bit, 3072-bit, or 4096-bit keys, or ECDSA with P-384. Operators of the module are identified by a unique Operator Signature Public Key (QOS). The list of operator keys and the role of each operator are configured using either the Initialize or InitializeAndCreateDomain service. Operators interact with the module by submitting digitally signed commands to the module. The module authenticates operators by verifying the digitally signed commands submitted to the module.

| Role | Authentication Method | Authentication Strength |
|---|---|---|
| KMS Front End Role (KMS-FE) | Identity based authentication. Commands are signed using the operator’s RSA 2048, 3072, 4096 or ECDSA P384 key | 112 to 192 bits of security |
| KMS Coordinator Role (KMS-C) | Identity based authentication. Commands are signed using the operator’s RSA 2048, 3072, 4096 or ECDSA P384 key | 112 to 192 bits of security |
| Administrator Role (Admin) | Identity based authentication. Commands are signed using the operator’s RSA 2048, 3072, 4096 or ECDSA P384 key | 112 to 192 bits of security |

Table 7 – Roles and Authentication

The services supported by the module are listed in Table 8. Unless otherwise specified, access to services can be configured to require one or more members of one or more roles listed in Table 7. These services are used only by components of KMS to fulfill requests under specific public AWS KMS APIs and cannot be used directly by KMS customers. See http://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html for a list of the current public AWS KMS APIs.

Strength of Authentication
Authentication to the module requires RSA (2048 or 4096-bit) or ECDSA (P-384) signature verification. These authentication methods are cryptographically strong and provide between 112 and 192 bits of security.
The possibility of a single random authentication attempt succeeding is 2-112 which is far less than the required minimum of less than 1/1,000,000. FIPS 140-3 Non-Proprietary Security Policy: AWS Key Management Service HSM Document Version 0.35 Page 14 of 71 Copyright 2024 Amazon Web Services, Inc. All Rights Reserved This non-proprietary security policy document may be freely reproduced and distributed in its entirety without modification. Assuming an upper bound of 232 authentication requests per second, the possibility of a random authentication succeeding within a one-minute period is (60*232 )/2112 = 15/278 which is significantly less than 1/100,000. The cryp- tographic strengths of the digital signatures used for authentication create such difficulty in achieving a successful random authentication attempt that even the theoretical maximum bandwidth of the 25 Gb/second Ethernet port is not significant enough to allow enough attempts in a one-minute period. FIPS 140-3 Non-Proprietary Security Policy: AWS Key Management Service HSM Document Version 0.35 Page 15 of 71 Copyright 2024 Amazon Web Services, Inc. All Rights Reserved This non-proprietary security policy document may be freely reproduced and distributed in its entirety without modification. Services Role Service Input Output Cryptographic Services KMS-FE, KMS-C, Admin Create None A HSM Backing Key encrypted with the active Do- main Key (DKn), or An Import Wrapping Key Pair (dIWK, QIWK) The IWK private key is encrypted with the active Do- main Key (DKn) The IWK public key KMS-FE, KMS-C, Admin ImportKey The private key of an Import Wrapping Key Pair (IWK) encrypted with the active or a recent iter- ation of domain key (DKn or DKn-1) Customer Supplied Key (CSK), encrypted with the public key of the Import Wrapping Key. 
This may use the wrapping methods as defined in section 9.2 or 9.3 of SP 800-56B, using the ephemeral Import Wrapping Envelope Key (IWEK) The Customer Supplied Key, encrypted with the cur- rent active domain key (DKn) KMS-FE, KMS-C, Admin RefreshKey HBK or CSK encrypted with a recent iteration of a Domain Key (DKn-1) HBK or CSK encrypted with the active domain key (DKn) KMS-FE, KMS-C, Admin Encrypt A HBK or CSK encrypted with the active or a re- cent iteration of domain key (DKn or DKn-1) N/A (encrypted ciphertext) KMS-FE, KMS-C, Admin Decrypt A HBK or CSK encrypted with a Domain Key (DKn) Ciphertext or encrypted Customer Data Key (CDK) Customer Data Encryption Public Key (QCDEK) Arbitrary data or CDK encrypted using the HOSK FIPS 140-3 Non-Proprietary Security Policy: AWS Key Management Service HSM Document Version 0.35 Page 16 of 71 Copyright 2024 Amazon Web Services, Inc. All Rights Reserved This non-proprietary security policy document may be freely reproduced and distributed in its entirety without modification. 
Role Service Input Output KMS-FE, KMS-C, Admin ReEncrypt A HBK or CSK encrypted with the active or a re- cent iteration of domain key (DKn or DKn-1) used to decrypt the provided ciphertext A HBK or CSK encrypted with the active or a re- cent iteration of domain key (DKn or DKn-1) used to encrypt the resulting plaintext Ciphertext or encrypted Customer Data Key (CDK) N/A (encrypted ciphertext) KMS-FE, KMS-C, Admin Sign HBK or CSK encrypted with the active domain key (DKn) None (signature) KMS-FE, KMS-C, Admin Verify HBK or CSK encrypted with the active domain key (DKn) (signature to be verified) None KMS-FE, KMS-C, Admin EncryptRandomBytes HBK or CSK encrypted by the active domain key (DKn) A number of random bytes that may be used as Cus- tomer Data Keys (CDK) encrypted by the HBK or CSK KMS-FE, KMS-C, Admin GenerateAndEncryptRandomBytes HBK or CSK encrypted by the active domain key (DKn) Customer Data Encryption Public Key (QCDEK) A number of random bytes that may be used as Cus- tomer Data Keys (CDK) encrypted by the HOSK A number of random bytes that may be used as Cus- tomer Data Keys (CDK) encrypted by the HBK or CSK KMS-FE, KMS-C, Admin GenerateDataKeyPair HBK or CSK encrypted by the active domain key (DKn) Customer Data Encryption Public Key (QCDEK) An asymmetric Customer Data Key (CDK) private key encrypted by the HOSK An asymmetric Customer Data Key (CDK) private key encrypted by the HBK or CSK KMS-FE, KMS-C, Admin GenerateDataKeyPairWithoutPlaintext HBK or CSK encrypted by the active domain key (DKn) An asymmetric Customer Data Key (CDK) private key encrypted by the HBK or CSK KMS-FE, KMS-C, Admin Generate Customer Data Encryption Public Key (QCDEK) None FIPS 140-3 Non-Proprietary Security Policy: AWS Key Management Service HSM Document Version 0.35 Page 17 of 71 Copyright 2024 Amazon Web Services, Inc. All Rights Reserved This non-proprietary security policy document may be freely reproduced and distributed in its entirety without modification. 
Role Service Input Output KMS-FE, KMS-C, Admin GetParametersForReplication None Public Replication Agreement Key (QRAK1) Private Replication Agreement Key (dRAK1) en- crypted by the active domain key (DKn) KMS-FE, KMS-C, Admin WrapKeyForReplication Public Replication Agreement Key (QRAK1) HBK encrypted by the active domain key (DKn) Replication Agreement Key Pair (dRAK2, QRAK2) Public Replication Agreement Key (QRAK2) Customer Replicated Key (CRK) encrypted by the Replication Wrapping Key (RWK) KMS-FE, KMS-C, Admin ImportReplicatedKey Private Replication Agreement Key (dRAK1) en- crypted by the active domain key (DKn) Public Replication Agreement Key (QRAK2) Customer Supplied Key (CSK) encrypted by the Replication Wrapping Key (RWK) HBK encrypted by the active domain key (DKn) Customer Replication Key (CRK) Configuration Services KMS-FE, KMS-C, Admin CreateDomain List of Operator Signature Public Keys (QOS) A Domain Token containing: • List of Operator Signature Public Keys (QOS) • List of HSM Signature Public Keys (QHSK) of all members of the domain • List of HSM Key Agreement Public Keys (QHAK) of all members of the domain • Encrypted Initial Domain Key (DK0) • Encrypted Domain Key Encryption Key (DKEK) • Encrypted Private Replication Signing Key (dRSK0) • Public Replication Signing Key (QRSK0) FIPS 140-3 Non-Proprietary Security Policy: AWS Key Management Service HSM Document Version 0.35 Page 18 of 71 Copyright 2024 Amazon Web Services, Inc. All Rights Reserved This non-proprietary security policy document may be freely reproduced and distributed in its entirety without modification. 
Role Service Input Output KMS-FE, KMS-C, Admin IngestDomain A Domain Token containing the following CSPs: • List of Operator Signature Public Keys (QOS) • List of HSM Signature Public Keys (QHSK) of all members of the domain • List of HSM Key Agreement Public Keys (QHAK) of all members of the domain • Encrypted Domain Keys (DKn) • Encrypted Domain Key Encryption Key (DKEK) • Encrypted Private Replication Signing Key (dRSKn) Public Replication Signing Key (QRSKn) The unmodified input Domain Token KMS-FE, KMS-C, Admin ForgetDomain A Domain Token containing the following CSPs: • List of Operator Signature Public Keys (QOS) • List of HSM Signature Public Keys (QHSK) of all members of the domain • List of HSM Key Agreement Public Keys (QHAK) of all members of the domain • Encrypted Domain Keys (DKn) • Encrypted Domain Key Encryption Key (DKEK) • Encrypted Private Replication Signing Key (dRSKn) Public Replication Signing Key (QRSKn) The unmodified input Domain Token KMS-FE, KMS-C, Admin GetDomain None A Domain Token containing: • List of Operator Signature Public Keys (QOS) • List of HSM Signature Public Keys (QHSK) of all members of the domain • List of HSM Key Agreement Public Keys (QHAK) of all members of the domain • Encrypted Domain Keys (DKn) • Encrypted Domain Key Encryption Key (DKEK) • Encrypted Private Replication Signing Key (dRSKn) Public Replication Signing Key (QRSKn) FIPS 140-3 Non-Proprietary Security Policy: AWS Key Management Service HSM Document Version 0.35 Page 19 of 71 Copyright 2024 Amazon Web Services, Inc. All Rights Reserved This non-proprietary security policy document may be freely reproduced and distributed in its entirety without modification. 
Role Service Input Output KMS-FE, KMS-C, Admin ChangeDomain A Domain Token containing: • List of Operator Signature Public Keys (QOS) • List of HSM Signature Public Keys (QHSK) of all members of the domain • List of HSM Key Agreement Public Keys (QHAK) of all members of the domain • Encrypted Domain Keys (DKn) • Encrypted Domain Key Encryption Key (DKEK) • Encrypted Private Replication Signing Key (dRSKn) • Public Replication Signing Key (QRSKn) HSM Signature Public Keys (QHSK) and HSM Key Agreement Public Keys (QHAK) of the domain members to be added (optional) List of Operator Signature Public Keys (QOS) (optional) List of Public Replication Signing Keys (QRSKm, …, QRSKn) (optional) An updated Domain Token containing the following CSPs: • List of Operator Signature Public Keys (QOS) • List of HSM Signature Public Keys (QHSK) of all members of the domain • List of HSM Key Agreement Public Keys (QHAK) of all members of the domain • Encrypted Domain Keys (DKn) • Encrypted Domain Key Encryption Key (DKEK) Encrypted Private Replication Signing Key (dRSKn) Public Replication Signing Key (QRSKn) KMS-FE, KMS-C, Admin Initialize One or more Domain Tokens. Each Domain To- ken contains: • List of Operator Signature Public Keys (QOS) • List of HSM Signature Public Keys (QHSK) of all members of the domain • List of HSM Key Agreement Public Keys (QHAK) of all members of the domain • Encrypted Domain Keys (DKn) • Encrypted Domain Key Encryption Key (DKEK) • Encrypted Private Replication Signing Key (dRSKn) Public Replication Signing Key (QRSKn) None FIPS 140-3 Non-Proprietary Security Policy: AWS Key Management Service HSM Document Version 0.35 Page 20 of 71 Copyright 2024 Amazon Web Services, Inc. All Rights Reserved This non-proprietary security policy document may be freely reproduced and distributed in its entirety without modification. 
Role: All (unauthenticated)
Service: InitializeAndCreateDomain
Input: List of Operator Signature Public Keys (QOS)
Output: A Domain Token containing:
• List of Operator Signature Public Keys (QOS)
• List of HSM Signature Public Keys (QHSK) of all members of the domain
• List of HSM Key Agreement Public Keys (QHAK) of all members of the domain
• Encrypted Initial Domain Key (DK0)
• Encrypted Domain Key Encryption Key (DKEK)
• Encrypted Private Replication Signing Key (dRSKn)
• Public Replication Signing Key (QRSKn)

Role: KMS-FE, KMS-C, Admin
Service: Attest
Input / Output:
HSM Signature Key Pair (dHSK, QHSK)
Host Agreement Public Key (QHAK)
Operator Signature Public Key(s) (QOS)
HSM Session Key Encryption Key (HSKEK)
HSM-to-Operator Session Key (HOSK)
HSM Signature Public Key (QHSK)
HSM Agreement Public Key (QHAK)

Role: KMS-FE, KMS-C, Admin
Service: GetAttestationChallenge
Input: None
Output: None

Role: KMS-FE, KMS-C, Admin
Service: GetAttestationIdentity
Input: None
Output: None

Role: All (unauthenticated)
Service: Wipe
Input: None
Output: None

Role: All (unauthenticated)
Service: GetInitialDomainName
Input: None
Output: None

Role: All (unauthenticated)
Service: DeactivateAndReboot
Input: None
Output: None
Role: One member from any role
Service: NegotiateSessionKey
Input: Operator Ephemeral Agreement Public Key (QOEAK)
Output:
Encrypted HSM-Operator Session Key (HOSK) encrypted with the Domain Key (DKn) or HSM Session Key Encryption Key (HSKEK)
HSM-Operator Session Key (HOSK) encrypted with a 256-bit key derived from the shared secret established using elliptic curve Diffie Hellman key exchange (NIST-P384) using the HSM Ephemeral Agreement Public Key (QE) and the Operator Ephemeral Agreement Public Key (QOEAK)
HSM Ephemeral Agreement Public Key (QE)

Role: KMS-FE, KMS-C, Admin
Service: UpdateHostConfiguration
Input: None
Output: None

Audit Log Services

Role: KMS-FE, KMS-C, Admin
Service: ListLogs
Input: None
Output: None

Role: KMS-FE, KMS-C, Admin
Service: GetLog
Input: None
Output: None

Role: KMS-FE, KMS-C, Admin
Service: DeleteLog
Input: None
Output: None

Other Services

Role: All (unauthenticated)
Service: Ping
Input: None
Output: Returns “healthy” if the module is operating in Approved mode. Returns “failure” if the module is not operating in Approved mode.

Role: All (unauthenticated)
Service: Approved
Input: None
Output: Returns “healthy” if the module is operating in Approved mode. Returns “failure” if the module is not operating in Approved mode.

Role: All (unauthenticated)
Service: Version
Input: None
Output: Module name, hardware version and firmware version

Role: All (unauthenticated)
Service: Hardware monitoring
Input: None
Output: Hardware sensor data

Role: All (unauthenticated)
Service: Power management
Input: None
Output: None

Role: All (unauthenticated)
Service: Serial over LAN (SOL)
Input: None
Output: None

Table 8 – Roles, Service Commands, Input and Output

Each approved service provides an indicator when the service utilizes an approved cryptographic algorithm, security function, or process in an approved manner.
Per IG 2.4.C, the module implements a global indicator via the “Approved” service which is a persistent indicator that only returns healthy if the module is running in its approved mode of operation where approved services are executing.

Approved Services

Approved services supported by the module are listed in Table 9.

Service: Create
Description: Generates and encrypts either an HSM Backing Key (HBK) or an Import Wrapping Key Pair (dIWK, QIWK) private key
Approved Security Functions: CTR DRBG, AES GCM, KBKDF, RSA (keygen), ECDSA (keygen), CKG
Keys and/or SSPs:
HSM Backing Key
IWK public and private keys
Active Domain Key (DKn)
HSM-to-Operator Session Key (HOSK)
DRBG (CTR AES) V and AES key
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Generate, Read, Execute, Zeroize
Indicator: “healthy”
Service: ImportKey
Description: Decrypts a Customer Supplied Key (CSK) and re-encrypts it with the active Domain Key (DKn)
Approved Security Functions: AES GCM, KBKDF, KTS-IFC (RSA-OAEP)
Keys and/or SSPs:
The private key of an Import Wrapping Key Pair (dIWK, QIWK)
Customer Supplied Key (CSK)
Active Domain Key (DKn)
HSM-to-Operator Session Key (HOSK)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize, Write
Indicator: “healthy”

Service: RefreshKey
Description: Re-encrypts an HSM Backing Key (HBK) key or Customer Supplied Key (CSK) encrypted with a recent iteration of the domain key (DKn-1) with the active domain key (DKn)
Approved Security Functions: AES GCM, KBKDF
Keys and/or SSPs:
HBK or CSK encrypted with a recent iteration of a Domain Key (DKn or DKn-1)
Active or a recent iteration of Domain Key (DKn or DKn-1)
HSM-to-Operator Session Key (HOSK)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize, Write
Indicator: “healthy”

Service: Encrypt
Description: Encrypt an arbitrary set of bytes using the DEK derived from the provided HBK or CSK
Approved Security Functions: AES GCM
Keys and/or SSPs:
A HBK or CSK encrypted with the active or a recent iteration of domain key (DKn or DKn-1)
Active or a recent iteration of Domain Key (DKn or DKn-1)
HSM-to-Operator Session Key (HOSK)
Data Encryption Key (DEK)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize, Write
Indicator: “healthy”
Service: Decrypt
Description: Decrypts ciphertext using the DEK derived from the provided HBK or CSK
Approved Security Functions: AES GCM
Keys and/or SSPs:
A HBK or CSK encrypted with a Domain Key (DKn)
Ciphertext or encrypted Customer Data Key (CDK)
Arbitrary data or CDK encrypted using the HOSK
Active or a recent iteration of domain key (DKn or DKn-1)
HSM-to-Operator Session Key (HOSK)
Data Encryption Key (DEK)
Customer Data Encryption Public Key (QCDEK)
Customer Data Encryption Symmetric Key (SCDEK)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize, Write, Generate
Indicator: “healthy”

Service: ReEncrypt
Description: Decrypts ciphertext using the DEK derived from the provided HBK or CSK, then re-encrypts the resulting plaintext under the DEK from a separately provided HBK or CSK. This operation does not expose the plaintext.
Approved Security Functions: AES GCM
Keys and/or SSPs:
A HBK or CSK encrypted with the active or a recent iteration of domain key (DKn or DKn-1) used to decrypt the provided ciphertext
A HBK or CSK encrypted with the active or a recent iteration of domain key (DKn or DKn-1) used to encrypt the resulting plaintext
Ciphertext or encrypted Customer Data Key (CDK)
Active or a recent iteration of Domain Key (DKn or DKn-1)
HSM-to-Operator Session Key (HOSK)
Data Encryption Key (DEK)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize, Write
Indicator: “healthy”
Service: Sign
Description: Performs an ECDSA or RSA sign operation, or HMAC operation using the provided HBK or CSK
Approved Security Functions: CTR DRBG, AES GCM, RSA, ECDSA, SHS, HMAC
Keys and/or SSPs:
HBK or CSK encrypted with the active domain key (DKn)
Domain Key (DKn or DKn-1)
HSM-to-Operator Session Key (HOSK)
DRBG (CTR AES) V and AES key
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize, Write
Indicator: “healthy”

Service: Verify
Description: Performs an ECDSA or RSA verify, or HMAC operation using the provided HBK or CSK
Approved Security Functions: AES GCM, RSA, ECDSA, SHS, HMAC
Keys and/or SSPs:
HBK or CSK encrypted with the active domain key (DKn)
Domain Key (DKn or DKn-1)
HSM-to-Operator Session Key (HOSK)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize, Write
Indicator: “healthy”

Service: EncryptRandomBytes
Description: Generate a number of random bytes and encrypt it using the DEK derived from the specified HBK or CSK. The random bytes may be used as cryptographic key material as Customer Data Keys (CDK).
Approved Security Functions: CTR DRBG, AES GCM, CKG
Keys and/or SSPs:
HBK or CSK encrypted with the active domain key (DKn)
A number of random bytes that may be used as Customer Data Keys (CDK) encrypted by the HBK or CSK
Domain Key (DKn or DKn-1)
HSM-to-Operator Session Key (HOSK)
DRBG (CTR AES) V and AES key
Data Encryption Key (DEK)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize, Write
Indicator: “healthy”
Service: GenerateAndEncryptRandomBytes
Description: Generate a number of random bytes for use and encrypt it using the DEK derived from the specified HBK or CSK. The random bytes may be used as cryptographic key material as Customer Data Keys (CDK). Note that the GenerateAndEncryptRandomBytes API will return encrypted versions of the random bytes in 2 forms.
Approved Security Functions: CTR DRBG, AES GCM, CKG
Keys and/or SSPs:
HBK or CSK encrypted with the active domain key (DKn)
A number of random bytes that may be used as Customer Data Keys (CDK) encrypted by the HBK or CSK
A number of random bytes that may be used as Customer Data Keys (CDK) encrypted by the HOSK
Domain Key (DKn or DKn-1)
HSM-to-Operator Session Key (HOSK)
DRBG (CTR AES) V and AES key
Data Encryption Key (DEK)
Customer Data Encryption Public Key (QCDEK)
Customer Data Encryption Symmetric Key (SCDEK)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Generate, Read, Execute, Zeroize, Write
Indicator: “healthy”
Service: GenerateDataKeyPair
Description: Generate an asymmetric key pair and encrypt it with the specified HBK or CSK. The asymmetric key pair will be used as cryptographic key material as Customer Data Keys (CDK). Note that the GenerateDataKeyPair API will return encrypted versions of the CDK in 2 forms.
Approved Security Functions: CTR DRBG, RSA (keygen), ECDSA (keygen), AES GCM, CKG
Keys and/or SSPs:
HBK or CSK encrypted by the active domain key (DKn)
An asymmetric Customer Data Key (CDK) private key encrypted by the HOSK
An asymmetric Customer Data Key (CDK) private key encrypted by the HBK or CSK
Active or a recent iteration of domain key (DKn or DKn-1)
HSM-to-Operator Session Key (HOSK)
DRBG (CTR AES) V and AES key
Customer Data Encryption Public Key (QCDEK)
Customer Data Encryption Symmetric Key (SCDEK)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Generate, Read, Execute, Zeroize, Write
Indicator: “healthy”

Service: GenerateDataKeyPairWithoutPlaintext
Description: Generate an asymmetric key pair and encrypt it with the specified HBK or CSK. The asymmetric key pair will be used as cryptographic key material as Customer Data Keys (CDK).
Approved Security Functions: CTR DRBG, RSA (keygen), ECDSA (keygen), AES GCM, CKG
Keys and/or SSPs:
HBK or CSK encrypted by the active domain key (DKn)
An asymmetric Customer Data Key (CDK) private key encrypted by the HBK or CSK
Active or a recent iteration of domain key (DKn or DKn-1)
HSM-to-Operator Session Key (HOSK)
DRBG (CTR AES) V and AES key
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Generate, Read, Execute, Zeroize, Write
Indicator: “healthy”
Service: Generate
Description: Generate a specified number of random bytes, up to 1024 bytes
Approved Security Functions: CTR DRBG, AES GCM, CKG
Keys and/or SSPs:
HSM-to-Operator Session Key (HOSK)
DRBG (CTR AES) V and AES key
Customer Data Encryption Public Key (QCDEK)
Customer Data Encryption Symmetric Key (SCDEK)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize, Write
Indicator: “healthy”

Service: GetParametersForReplication
Description: This API generates a new Replication Agreement Key Pair (dRAK1, QRAK1). The Private Replication Agreement Key (dRAK1) is encrypted with the domain key (DKn). The API also signs all output with the Private Replication Signing Key (dRSKn or dRSKn-1).
Approved Security Functions: CTR DRBG, ECDSA (keygen), AES GCM, CKG
Keys and/or SSPs:
Public Replication Agreement Key (QRAK1)
Private Replication Agreement Key (dRAK1) encrypted by the active domain key (DKn)
Replication Agreement Key Pair (dRAK1, QRAK1)
HSM-to-Operator Session Key (HOSK)
Active or a recent iteration of domain key (DKn or DKn-1)
Active or a recent iteration of a Private Replication Signing Key (dRSKn or dRSKn-1)
DRBG (CTR AES) V and AES key
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Generate, Read, Execute, Zeroize
Indicator: “healthy”
Service: WrapKeyForReplication
Description: This API takes as input a public Replication Agreement Key (QRAK1) generated from an HSM, and generates a new Replication Agreement Key pair (dRAK2, QRAK2). QRAK1 and dRAK2 are combined using the Diffie-Hellman key exchange to produce a shared secret and derive a symmetric secret key (the Replication Wrapping Key, RWK). The RWK is then used to encrypt an HBK, resulting in a Customer Replicated Key (CRK).
Approved Security Functions: KAS (ECCDH), KDA (one-step KDF SHA2), AES GCM, ECDSA
Keys and/or SSPs:
Public Replication Agreement Key (QRAK1)
HBK encrypted by the active domain key (DKn)
Replication Agreement Key Pair (dRAK2, QRAK2)
Public Replication Agreement Key (QRAK2)
Customer Replicated Key (CRK) encrypted by the Replication Wrapping Key (RWK)
HSM-to-Operator Session Key (HOSK)
Active or a recent iteration of domain key (DKn or DKn-1)
Active or a recent iteration of the Private Replication Signing Key (dRSKn or dRSKn-1)
Active or a recent iteration of the Public Replication Signing Key (QRSKn or QRSKn-1)
Replication Agreement RWK Shared Secret Z (RRZ)
Customer Replication Key (CRK)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize, Write
Indicator: “healthy”
Service: ImportReplicatedKey
Description: This API combines two Replication Agreement Keys (dRAK1 and QRAK2) using the Diffie-Hellman key exchange to produce a shared secret and derive a Replication Wrapping Key (RWK). The RWK is used to decrypt the Customer Replicated Key (CRK), obtaining an HBK, which is then re-encrypted using the Domain Key (DKn). The API also validates input using the Public Replication Signing Key (QRSKn or QRSKn-1).
Approved Security Functions: KAS (ECCDH), KDA (one-step KDF SHA2), AES GCM, ECDSA, SHS
Keys and/or SSPs:
Private Replication Agreement Key (dRAK1) encrypted by the active domain key (DKn)
Public Replication Agreement Key (QRAK2)
Customer Supplied Key (CSK) encrypted by the Replication Wrapping Key (RWK)
HBK encrypted by the active domain key (DKn)
HSM-to-Operator Session Key (HOSK)
Active or a recent iteration of domain key (DKn or DKn-1)
Active or a recent iteration of the Public Replication Signing Key (QRSKn or QRSKn-1)
Replication Agreement RWK Shared Secret Z (RRZ)
Customer Replication Key (CRK)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize, Write
Indicator: “healthy”
Service: CreateDomain
Description: Creates a new domain token for a new domain, but does not join the HSM to the domain yet
Approved Security Functions: CTR DRBG, KAS (ECCDH), KDA (one-step KDF SHA2), AES GCM, ECDSA, RSA, SHS
Keys and/or SSPs:
List of Operator Signature Public Keys (QOS)
HSM Signature Key Pair (dHSK, QHSK)
HSM Agreement Key Pair (dHAK, QHAK)
HSM Agreement DKEK Shared Secret Z (HDKZ)
HSM Agreement DKEK Wrapping Key (HDWK)
Initial Domain Key (DK0)
Replication Signing Key (dRSK0, QRSK0)
A Domain Token containing:
• List of Operator Signature Public Keys (QOS)
• List of HSM Signature Public Keys (QHSK) of all members of the domain
• List of HSM Key Agreement Public Keys (QHAK) of all members of the domain
• Encrypted Initial Domain Key (DK0)
• Domain Key Encryption Key (DKEK)
• Encrypted Private Replication Signing Key (dRSK0)
• Public Replication Signing Key (QRSK0)
• DRBG (CTR AES) V and AES key
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Generate, Read, Execute, Zeroize
Indicator: “healthy”
Service: IngestDomain
Description: Joins a domain or receives an updated domain token
Approved Security Functions: CTR DRBG, KAS (ECCDH) (one-step KDF SHA2), AES GCM, ECDSA, RSA, SHA2
Keys and/or SSPs:
A Domain Token containing the following CSPs:
• List of Operator Signature Public Keys (QOS)
• List of HSM Signature Public Keys (QHSK) of all members of the domain
• List of HSM Key Agreement Public Keys (QHAK) of all members of the domain
• Encrypted Domain Keys (DKn)
• Domain Key Encryption Key (DKEK)
• Encrypted Private Replication Signing Key (dRSKn)
• Public Replication Signing Key (QRSKn)
HSM Signature Public Key (QHSK) of a known member of the domain
HSM Agreement Private Key (dHAK)
HSM Agreement DKEK Shared Secret Z (HDKZ)
HSM Agreement DKEK Wrapping Key (HDWK)
Operator Signature Public Keys (QOS)
Domain Key (DKn)
Operator Signature Public Keys (QOS)
HSM Signature Public Keys (QHSK) of all members of the domain
HSM Key Agreement Public Keys (QHAK) of all members of the domain
Encrypted Private Replication Signing Key (dRSKn)
Public Replication Signing Key (QRSKn)
DRBG (CTR AES) V and AES key
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize, Write
Indicator: “healthy”

Service: ForgetDomain
Description: Deletes domain information as it pertains to a particular domain on the module including all Domain Keys (DKn, DKn-1), effectively leaving the domain
Approved Security Functions: ECDSA, RSA, SHA2
Keys and/or SSPs:
A Domain Token containing the following CSPs:
• List of Operator Signature Public Keys (QOS)
• List of HSM Signature Public Keys (QHSK) of all members of the domain
• List of HSM Key Agreement Public Keys (QHAK) of all members of the domain
• Encrypted Domain Keys (DKn)
• Domain Key Encryption Key (DKEK)
• Encrypted Private Replication Signing Key (dRSKn)
• Public Replication Signing Key (QRSKn)
Domain Key (DKn)
Operator Signature Public Keys (QOS)
HSM Signature Public Keys (QHSK) of all members of the domain
HSM Key Agreement Public Keys (QHAK) of all members of the domain
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize
Indicator: “healthy”

Service: GetDomain
Description: Retrieves the current version of the domain token for a specified domain
Approved Security Functions: ECDSA, RSA, SHA2
Keys and/or SSPs:
A Domain Token containing:
• List of Operator Signature Public Keys (QOS)
• List of HSM Signature Public Keys (QHSK) of all members of the domain
• List of HSM Key Agreement Public Keys (QHAK) of all members of the domain
• Encrypted Domain Keys (DKn)
• Domain Key Encryption Key (DKEK)
• Encrypted Private Replication Signing Key (dRSKn)
• Public Replication Signing Key (QRSKn)
Domain Key (DKn)
Operator Signature Public Keys (QOS)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize
Indicator: “healthy”
Service: ChangeDomain
Description: Modifies the current state of an operational domain
Approved Security Functions: CTR DRBG, KAS (ECCDH) (one-step KDF SHA2), AES GCM, ECDSA, RSA, SHA2
Keys and/or SSPs:
A Domain Token containing:
• List of Operator Signature Public Keys (QOS)
• List of HSM Signature Public Keys (QHSK) of all members of the domain
• List of HSM Key Agreement Public Keys (QHAK) of all members of the domain
• Encrypted Domain Keys (DKn)
• Domain Key Encryption Key (DKEK)
• Encrypted Private Replication Signing Key (dRSKn)
• Public Replication Signing Key (QRSKn)
HSM Signature Public Keys (QHSK) and HSM Key Agreement Public Keys (QHAK) of the domain members to be added (optional)
List of Operator Signature Public Keys (QOS) (optional)
List of Public Replication Signing Keys (QRSKm, …, QRSKn) (optional)
Domain Key Encrypting Key (DKEK)
Domain Key (DKn)
HSM Ephemeral Agreement Key Pair (dE, QE)
HSM Agreement Key (HAK)
HSM Signature Key (HSK)
DRBG (CTR AES) V and AES key
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Generate, Read, Execute, Zeroize, Write
Indicator: “healthy”
Service: Initialize
Description: Initializes the HSM by generating the HSM Signature Key and HSM Agreement Key and configuring the HSM’s operator and access control using a domain token from another HSM. The Initialize API is only used during the module setup and initialization process. If the HSM is already initialized by a call to either the Initialize or InitializeAndCreateDomain API, the Initialize API will return an error as the HSM cannot be Initialized again without a reboot.
Approved Security Functions: CTR DRBG, ECDSA (keygen, sign), KAS (EC CDH) (one-step KDF SHA2), AES GCM, CKG
Keys and/or SSPs:
One or more Domain Tokens. Each Domain Token contains:
• List of Operator Signature Public Keys (QOS)
• List of HSM Signature Public Keys (QHSK) of all members of the domain
• List of HSM Key Agreement Public Keys (QHAK) of all members of the domain
• Encrypted Domain Keys (DKn)
• Domain Key Encryption Key (DKEK)
• Encrypted Private Replication Signing Key (dRSKn)
• Public Replication Signing Key (QRSKn)
HSM Signature Key (HSK)
HSM Agreement Key (HAK)
HSM Agreement HSKEK Shared Secret Z (HHKZ)
HSM Session Key Encryption Key (HSKEK)
Operator Signature Public Keys (QOS)
DRBG (CTR AES) V and AES key
DRBG (CTR AES) Seed Entropy Input String
Roles: All / unauthenticated
Access rights to Keys and/or SSPs: Generate, Read, Execute, Zeroize
Indicator: “healthy”
Service: InitializeAndCreateDomain
Description: Initializes the HSM by generating the HSM Signature Key and HSM Agreement Key, configuring the list of operators, roles and the quorum-based access control ruleset for all services / APIs. The InitializeAndCreateDomain API is only used during the module setup and initialization process. If the HSM is already initialized by a call to either the Initialize or InitializeAndCreateDomain API, the InitializeAndCreateDomain API will return an error as the HSM cannot be Initialized again without a reboot.
Approved Security Functions: CTR DRBG, ECDSA (keygen, sign), KAS (EC-CDH) (one-step KDF SHA2), AES GCM, CKG
Keys and/or SSPs:
List of Operator Signature Public Keys (QOS)
HSM Signature Key Pair (dHSK, QHSK)
HSM Agreement Key Pair (dHAK, QHAK)
HSM Agreement DKEK Shared Secret Z (HDKZ)
HSM Agreement DKEK Wrapping Key (HDWK)
HSM Agreement HSKEK Shared Secret Z (HHKZ)
HSM Session Key Encryption Key (HSKEK)
Initial Domain Key (DK0)
A Domain Token containing:
• List of Operator Signature Public Keys (QOS)
• List of HSM Signature Public Keys (QHSK) of all members of the domain
• List of HSM Key Agreement Public Keys (QHAK) of all members of the domain
• Encrypted Initial Domain Key (DK0)
• Domain Key Encryption Key (DKEK)
• Encrypted Private Replication Signing Key (dRSKn)
• Public Replication Signing Key (QRSKn)
DRBG (CTR AES) V and AES key
Roles: All / unauthenticated
Access rights to Keys and/or SSPs: Generate, Read, Execute, Zeroize
Indicator: “healthy”
Service: Attest
Description: The Attest API is used by operators to attest an initialized HSM to ensure that the system is running the correct software, and to obtain an authentic copy of its credentials prior to being added to a domain
Approved Security Functions: CTR DRBG, ECDSA (verify), SHA2, AES GCM
Keys and/or SSPs:
HSM Signature Public Key (QHSK)
HSM Agreement Public Key (QHAK)
HSM Signature Key Pair (dHSK, QHSK)
Operator Signature Public Key(s) (QOS)
HSM Agreement HSKEK Shared Secret Z (HHKZ)
HSM Session Key Encryption Key (HSKEK)
HSM-to-Operator Session Key (HOSK)
DRBG (CTR AES) V and AES key
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize
Indicator: “healthy”

Service: GetAttestationChallenge
Description: The GetAttestationChallenge API is used by operators to retrieve a token that can be used to validate the identity of another HSM
Approved Security Functions: AES GCM
Keys and/or SSPs:
Active or a recent iteration of Domain Key (DKn or DKn-1)
HSM-to-Operator Session Key (HOSK)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize
Indicator: “healthy”

Service: GetAttestationIdentity
Description: The GetAttestationIdentity API is used by operators to retrieve information to attest the identity of the HSM
Approved Security Functions: AES GCM
Keys and/or SSPs:
Active or a recent iteration of Domain Key (DKn or DKn-1)
HSM-to-Operator Session Key (HOSK)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Read, Execute, Zeroize
Indicator: “healthy”
Service: Wipe
Description: The Wipe API will delete the HSM Signature Key and HSM Agreement Key from volatile memory. The Wipe API will fail unless all previously created domains in the module have been deleted using the ForgetDomain API.
Approved Security Functions: N/A
Keys and/or SSPs:
HSM Signature Key Pair (dHSK, QHSK)
HSM Agreement Key Pair (dHAK, QHAK)
HSM Session Key Encryption Key (HSKEK)
Roles: All / unauthenticated
Access rights to Keys and/or SSPs: Zeroize
Indicator: “healthy”

Service: GetInitialDomainName
Description: Retrieves the initial domain name from an initialized HSM that is used as part of the domain creation bootstrap process
Approved Security Functions: N/A
Keys and/or SSPs: N/A
Roles: All / unauthenticated
Access rights to Keys and/or SSPs: N/A
Indicator: “healthy”

Service: DeactivateAndReboot
Description: The DeactivateAndReboot API returns the HSM to the factory state and reboots after verifying the HSM Signature Key and HSM Agreement Key have been deleted by the Wipe API. (The module will perform self-tests during the reboot process.)
Approved Security Functions: N/A
Keys and/or SSPs: N/A
Roles: All / unauthenticated
Access rights to Keys and/or SSPs: N/A
Indicator: “healthy”
Service: NegotiateSessionKey
Description: Uses a set of identity keys to securely negotiate a session key that can be used between a KMS host and any HSM in the domain. The NegotiateSessionKey API will return encrypted versions of the HSM-Operator Session Key (HOSK) in 2 forms.
Approved Security Functions: CTR DRBG, RSA (verify), ECDSA (verify), SHA2, KAS (ECCDH) (one-step KDF SHA2), AES GCM
Keys and/or SSPs:
Operator Ephemeral Agreement Public Key (QOEAK)
HSM Ephemeral Agreement Key Pair (dE, QE)
HSM-Operator Session Key (HOSK)
Encrypted HSM-Operator Session Key (HOSK) encrypted with the Domain Key (DKn) or HSM Session Key Encryption Key (HSKEK)
HSM-Operator Session Key (HOSK) encrypted with a 256 bit key derived from the shared secret established using elliptic curve Diffie Hellman key exchange (NIST-P384) using the HSM Ephemeral Agreement Key (QE) and the Operator Ephemeral Agreement Public Key (QOEAK)
HSM Ephemeral Agreement Public Key (QE)
Operator Signature Public Key (QOS)
HSM Signature Key (dHSK)
DRBG (CTR AES) V and AES key
Roles: One member from any role
Access rights to Keys and/or SSPs: Generate, Read, Execute, Zeroize
Indicator: “healthy”

Service: UpdateHostConfiguration
Description: Allows updates of non-security-relevant host configuration
Approved Security Functions: RSA (verify), ECDSA (verify), SHA2
Keys and/or SSPs:
Operator Signature Public Key (QOS)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Execute
Indicator: “healthy”
Service: ListLogs
Description: Returns a list of audit log file names
Approved Security Functions: RSA (verify), ECDSA (verify), SHA2
Keys and/or SSPs:
Operator Signature Public Key (QOS)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Execute
Indicator: “healthy”

Service: GetLog
Description: Retrieves specified audit log files
Approved Security Functions: RSA (verify), ECDSA (verify), SHA2
Keys and/or SSPs:
Operator Signature Public Key (QOS)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Execute
Indicator: “healthy”

Service: DeleteLog
Description: Deletes specified audit log file
Approved Security Functions: RSA (verify), ECDSA (verify), SHA2
Keys and/or SSPs:
Operator Signature Public Key (QOS)
Roles: KMS-FE, KMS-C, Admin
Access rights to Keys and/or SSPs: Execute
Indicator: “healthy”

Service: Ping
Description: Returns “healthy” if the module is initialized and has ingested a domain. Returns “failure” otherwise.
Approved Security Functions: N/A
Keys and/or SSPs: N/A
Roles: All / unauthenticated
Access rights to Keys and/or SSPs: None
Indicator: “healthy”

Service: Approved
Description: Approved mode indicator that applies to approved services on the 25G Ethernet port. Returns “healthy” if the module is operating in Approved mode. Returns “failure” if the module is not operating in Approved mode.
Approved Security Functions: N/A
Keys and/or SSPs: N/A
Roles: All / unauthenticated
Access rights to Keys and/or SSPs: None
Indicator: “healthy”
Service: Version
Description: Returns the module name, hardware version and firmware version
Approved Security Functions: N/A
Keys and/or SSPs: N/A
Roles: All / unauthenticated
Access rights to Keys and/or SSPs: None
Indicator: N/A

Service: Hardware monitoring
Description: Provide access via IPMI to hardware sensor data to monitor temperatures, fan speed, etc
Approved Security Functions: None
Keys and/or SSPs: N/A
Roles: All / unauthenticated
Access rights to Keys and/or SSPs: None
Indicator: Successful completion of service

Service: Power management
Description: Turns on and off the module via IPMI
Approved Security Functions: None
Keys and/or SSPs: N/A
Roles: All / unauthenticated
Access rights to Keys and/or SSPs: None
Indicator: Successful completion of service

Service: Serial over LAN (SOL)
Description: Provides access to the module’s console before the module enters Approved mode via IPMI. In Approved mode, the SOL link is active but the module firmware blocks all input commands and status output to the console
Approved Security Functions: None
Keys and/or SSPs: N/A
Roles: All / unauthenticated
Access rights to Keys and/or SSPs: None
Indicator: Successful completion of service

Table 9 – Approved Services

G = Generate: The module generates or derives the SSP.
R = Read: The SSP is read from the module (e.g. the SSP is output).
W = Write: The SSP is updated, imported, or written to the module.
E = Execute: The module uses the SSP in performing a cryptographic operation.
Z = Zeroise: The module zeroises the SSP.

5. Software/Firmware Security

The module performs an integrity check on all firmware components using a 256-bit error detection code (EDC) on all module components.
The integrity check is performed upon the initialization of the module and does not require operator intervention to run. If the check fails, the module will enter into an error state. The module does not support firmware loading. The operator can run the integrity test on demand by rebooting the module using the DeactivateAndReboot API.

6. Operational Environment

The module has a non-modifiable operational environment and does not allow loading of any additional firmware while the module is operating in Approved mode.

7. Physical Security

The module is a hardware module with a multiple-chip standalone embodiment and conforms to the Level 3 requirements for physical security. The module’s production-grade enclosure is made of hard metal, and the enclosure does not provide a removable cover. The baffles installed by AWS satisfy FIPS 140-3 requirements for module opacity and probing.
Physical Security Mechanism: Tamper-evident physical enclosure with no removable cover
Recommended Frequency of Inspection/Test: Inspect when the module unexpectedly reboots or becomes unresponsive
Inspection/Test Guidance Details: Inspect the physical enclosure for evidence of tampering, such as dents, signs of drilling or prying, cracks in the hard plastic portion of the enclosure

Table 10 – Physical Security Inspection Guidelines

The module supports environmental failure protection and shuts down if the temperature or voltage is outside of the values described in Table 11.

Columns: Temperature or voltage measurement; Specify EFP or EFT; Specify if this condition results in a shutdown or zeroisation
Low Temperature: -8 °C; EFP; Shutdown
High Temperature: 54 °C; EFP; Shutdown
Low Voltage: 10 V; EFP; Shutdown
High Voltage: 14 V; EFP; Shutdown

Table 11 – EFP/EFT

Hardness tested temperature measurement
Low Temperature: -8 °C
High Temperature: 52 °C

Table 12 – Hardness Testing Temperature Ranges

8. Non-invasive Security

This section is not applicable. The module does not implement non-invasive attack mitigation techniques.

9. Sensitive Security Parameters Management

Table 13 provides a complete list of Critical Security Parameters used within the module. All keys and SSPs are zeroized by powering off the module.

Key/SSP Name/Type: HSM Backing Key (HBK), CSP/PSP
Strength: 256 bits (AES); 160-256 bits (HMAC); 112 – 128 bits (RSA 2048, 3072 or 4096 bits); 128 – 256 bits (ECDSA P-256, P-384, P-521, or secp256k1)
Security Function and Cert. Number: AES GCM, RSA, ECDSA, HMAC (A1908); CKG
Generation: Internally using DRBG or imported from another member of a Domain
Import / Export: Input: Encrypted with the Domain Key using AES GCM (electronically). Output: Encrypted with the Domain Key using AES GCM (electronically)
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwrite with all zeros
Use & related keys: Used as input to a SP 800-108 KBKDF to derive the DEK

Key/SSP Name/Type: Customer Data Key (CDK), CSP/PSP
Strength: For symmetric keys, random bits length specified by customer (in the range of 8 bits to 65536 bits); 112 – 128 bits (RSA 2048, 3072 or 4096 bits); 128 – 256 bits (ECDSA P-256, P-384, P-521, or secp256k1)
Security Function and Cert. Number: AES, RSA, ECDSA (A1908); CKG
Generation: Internally using DRBG or imported from another member of a Domain
Import / Export: Input: Encrypted using AES GCM with the DEK derived from an HBK or CSK (electronically). Output: Encrypted in 2 forms by the GenerateAndEncryptRandomBytes and GenerateDataKeyPair APIs: 1. Encrypted with the DEK derived from an HBK or CSK; and 2. Encrypted with the HOSK to provide secure transport to the requesting service operator/role. EncryptRandomBytes and GenerateDataKeyPairWithoutPlaintext APIs export the CDK encrypted with the DEK from an HBK or CSK (electronically)
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: Used outside of the module
Key/SSP Name/Type: Data Encryption Key (DEK), CSP
Strength: 256 bits (AES)
Security Function and Cert. Number: AES GCM (A1908)
Generation: Derived internally using SP 800-108 KBKDF
Import / Export: Input: N/A. Output: N/A
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The DEK is derived from either the HBK or CSK and is used to encrypt the CDK

Key/SSP Name/Type: HSM Agreement Key Pair (dHAK, QHAK), CSP/PSP
Strength: 192 bits (ECDH P384)
Security Function and Cert. Number: KAS (A1908); CKG
Generation: Internally using DRBG
Import / Export: Input: N/A. Output: The public key (QHAK) is exported in plaintext (electronically)
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The dHAK/QHAK are used in key agreement operations to encrypt the DKEK

Key/SSP Name/Type: HSM Ephemeral Agreement Key Pair (dE, QE), CSP/PSP
Strength: 192 bits (ECDH P384)
Security Function and Cert. Number: KAS (A1908)
Generation: Internally using DRBG
Import / Export: Input: N/A. Output: The public key (QE) is exported in plaintext (electronically)
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The dE/QE is used in key agreement operations to encrypt the DKEK

Key/SSP Name/Type: HSM Agreement DKEK Shared Secret Z (HDKZ), CSP
Strength: 192 bits (ECDH P384)
Security Function and Cert. Number: KAS (A1908)
Generation: N/A
Import / Export: N/A
Establishment: KAS (SP 800-56Arev3) (Cofactor) One-Pass Diffie-Hellman (ECC CDH) scheme with key confirmation
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The HDKZ is the shared secret value Z computed using the HSM Agreement Key (dHAK) and the HSM Ephemeral Agreement Key (QE). The HDKZ is used to derive the HDWK

Key/SSP Name/Type: HSM Agreement DKEK Wrapping Key (HDWK), CSP
Strength: 256 bits (One-Step KDF SHA2-256)
Security Function and Cert. Number: KDA (A1908)
Generation: N/A
Import / Export: N/A
Establishment: KAS (SP 800-56Arev3) (Cofactor) One-Pass Diffie-Hellman (ECC CDH) scheme with key confirmation
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The HDWK is derived from the HDKZ and is used to wrap the DKEK

Key/SSP Name/Type: Domain Key Encryption Key (DKEK), CSP
Strength: 256 bits (AES)
Security Function and Cert. Number: AES GCM (A1908)
Generation: Internally using DRBG or imported from another member of a Domain
Import / Export: Input: The DKEK is encrypted with the HDWK derived using the shared secret (HDKZ) generated from the HSM’s Key Agreement Key (QHAK) and another HSM’s Ephemeral Key Agreement Key (dE) (electronically). Output: The DKEK is encrypted with the HDWK derived using the shared secret (HDKZ) generated from the HSM’s Key Agreement Key (dHAK) and another HSM’s Ephemeral Key Agreement Key (QE) (electronically)
Establishment: KAS (SP 800-56Arev3) (Cofactor) One-Pass Diffie-Hellman (ECC CDH) scheme with key confirmation; KTS (SP 800-38F)
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The DKEK is used to encrypt the DKn when imported to other members of a Domain
Key/SSP Name/Type: Domain Key (DKn), CSP
Strength: 256 bits (AES)
Security Function and Cert. Number: AES GCM (A1908); KBKDF (A1910)
Generation: Internally using DRBG or imported from another member of a Domain
Import / Export: Input: DKn encrypted with the DKEK and may be imported from other members of a Domain (electronically). Output: DKn encrypted with the DKEK and may be exported to other members of a Domain (electronically)
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: Keys derived from the DKn are used to encrypt HBKs and CSKs

Key/SSP Name/Type: HSM Agreement HSKEK Shared Secret Z (HHKZ), CSP
Strength: 192 bits (ECDH P384)
Security Function and Cert. Number: KAS (A1908)
Generation: N/A
Import / Export: N/A
Establishment: KAS (SP 800-56Arev3) (Cofactor) One-Pass Diffie-Hellman (ECC CDH) scheme with key confirmation
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The HHKZ is the shared secret value Z computed using the HSM Agreement Key (dHAK) and the Operator Ephemeral Agreement Public Key (QOEAK). The HHKZ is used to derive the HSKEK

Key/SSP Name/Type: HSM Session Key Encryption Key (HSKEK), CSP
Strength: 256 bits (AES)
Security Function and Cert. Number: AES GCM (A1908)
Generation: Internally using DRBG
Import / Export: Input: N/A. Output: N/A
Establishment: KAS (SP 800-56Arev3) (Cofactor) One-Pass Diffie-Hellman (ECC CDH) scheme with key confirmation
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The HSKEK encrypts the HSM-Operator Session Key (HOSK) for the following operations: Initialize, InitializeAndCreateDomain, Attest, GetAttestationIdentity, and Wipe

Key/SSP Name/Type: HSM Signature Key Pair (dHSK, QHSK), CSP/PSP
Strength: 192 bits (ECDSA P384)
Security Function and Cert. Number: ECDSA (A1908); CKG
Generation: Internally using DRBG
Import / Export: Input: N/A. Output: The public key (QHSK) is exported in plaintext (electronically)
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The dHSK is used to sign data created on the HSM
Key/SSP Name/Type: HSM-Operator Session Key (HOSK), CSP
Strength: 256 bits (AES)
Security Function and Cert. Number: AES GCM (A1908)
Generation: Internally using DRBG, or imported from an HSM that is a member of the same domain
Import / Export: Input: The HOSK is input encrypted with the domain key (DKn) (electronically). Output: The HOSK is encrypted in two forms to be output. The first form is encrypted with either the Domain Key (DKn) or the HSM Session Key Encryption Key (HSKEK) using AES GCM (electronically). The second form is encrypted using AES GCM with a 256-bit key derived from the shared secret established using elliptic curve Diffie-Hellman key exchange (NIST-P384) using the HSM Ephemeral Agreement Key Pair (dE, QE) and the Operator Ephemeral Agreement Public Key (dOEAK, QOEAK) (electronically)
Establishment: KAS (SP 800-56Arev3) (Cofactor) One-Pass Diffie-Hellman (ECC CDH) scheme with key confirmation; KTS (SP 800-38F)
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The HOSK is used to encrypt communications between a user and HSMs in the same Domain

Key/SSP Name/Type: Import Wrapping Key Pair (dIWK, QIWK), CSP/PSP
Strength: 112 – 128 bits (RSA 2048, 3072 or 4096 bits)
Security Function and Cert. Number: KTS (RSA-OAEP) (A1908)
Generation: Internally using DRBG or imported from another member of a Domain
Import / Export: Input: The private key (dIWK) is encrypted with the Domain Key (DKn) using AES-GCM for input (electronically). Output: The private key (dIWK) is encrypted with the Domain Key (DKn) using AES-GCM. The public key (QIWK) is exported in plaintext (electronically)
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The public key is used by customers of KMS to wrap their CSK for import via the public AWS KMS API

Key/SSP Name/Type: Import Wrapping Envelope Key (IWEK), CSP
Strength: 256 bits (AES)
Security Function and Cert. Number: AES KWP (A1908)
Generation: Externally by AWS KMS customers
Import / Export: Input: IWEK is encrypted using the Import Wrapping Key (QIWK) when used with the ImportKey API when the customer imports a CSK into the AWS KMS system (electronically). Output: N/A
Establishment: KTS-RSA
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: This key is generated by a customer external to the AWS KMS system and is used to encrypt CSKs for the ImportKey API when AES-KWP is used per SP 800-56B
Key/SSP Name/Type: Customer Supplied Key (CSK), CSP/PSP
Strength: 256 bits (AES); 160-256 bits (HMAC); 112 – 128 bits (RSA 2048, 3072 or 4096 bits); 128 – 256 bits (ECDSA P-256, P-384, P-521, or secp256k1)
Security Function and Cert. Number: AES GCM, HMAC, RSA, ECDSA (A1908)
Generation: Externally by AWS KMS customers
Import / Export: Input: CSK is encrypted using Import Wrapping Key (QIWK) (and, optionally, the ephemeral Import Wrapping Envelope Key (IWEK)) when used with the ImportKey API when the customer imports the key into the AWS KMS system. After import, the CSK is encrypted with the Domain Key using AES GCM (electronically). Output: CSK encrypted by a Domain Key (DKn) (electronically)
Establishment: KTS-OAEP without key confirmation; KTS-RSA Hybrid Key-Transport scheme incorporating KTS-OAEP and SP 800-38F
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: This key is generated by a customer of KMS outside the AWS KMS system to sign or encrypt plaintext. It can also be used to encrypt CDKs

Key/SSP Name/Type: Entropy Input String, CSP
Strength: 384 bits
Security Function and Cert. Number: Random Number Generation; ENT (P)
Generation: Internal entropy source
Import / Export: Input: N/A. Output: N/A
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: Random Number Generation

Key/SSP Name/Type: DRBG (CTR AES) V and AES key, CSP
Strength: SP 800-90A CTR DRBG; V (128 bits); AES key (256 bits)
Security Function and Cert. Number: DRBG AES CTR; AES-ECB (A1908)
Generation: Internal entropy source
Import / Export: Input: N/A. Output: N/A
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: Entropy input (length dependent on security strength)

Key/SSP Name/Type: DRBG (CTR AES) Seed, CSP
Strength: 256 bits
Security Function and Cert. Number: DRBG AES CTR; AES-ECB (A1908)
Generation: Internal entropy source
Import / Export: Input: N/A. Output: N/A
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: Seeding material for the DRBG. Used to derive the DRBG (AES CTR) V and AES key

Key/SSP Name/Type: Replication Signing Key Pair (dRSKn, QRSKn), CSP/PSP
Strength: 192 bits (ECDSA P384)
Security Function and Cert. Number: ECDSA (A1908)
Generation: Internally using DRBG or imported from another member of a Domain
Import / Export: Input: dRSKn encrypted with the DKEK may be imported from other members of a Domain; QRSKn may be imported by an operator (electronically). Output: dRSKn encrypted with the DKEK may be exported to other members of a Domain; QRSKn may be exported in plaintext (electronically)
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The private key (dRSKn) is used to sign the outputs of GetParametersForReplication and WrapKeyForReplication APIs. The public key (QRSKn) is used to verify the input of WrapKeyForReplication and ImportReplicatedKey APIs
Key/SSP Name/Type: Replication Agreement Key (dRAKk, QRAKk), CSP/PSP
Strength: 192 bits (ECDH P384)
Security Function and Cert. Number: ECDH (A1908); CKG
Generation: Internally using DRBG or imported from a member of a different Domain
Import / Export: Input: QRAKk may be imported in plaintext from another HSM; dRAKk may be imported encrypted with the domain key (DKn) from another HSM (electronically). Output: QRAKk may be exported in plaintext; dRAKk may be exported encrypted with the domain key (DKn) (electronically)
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: Keys used for key agreement to derive a Replication Wrapping Key (RWK)

Key/SSP Name/Type: Replication Agreement RWK Shared Secret Z (RRZ), CSP
Strength: 192 bits (ECDH P384)
Security Function and Cert. Number: KAS (A1908)
Generation: N/A
Import / Export: N/A
Establishment: KAS (SP 800-56Arev3) (Cofactor) One-Pass Diffie-Hellman (ECC CDH) scheme with key confirmation
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The RRZ is the shared secret value Z computed using the private portion of a region’s Replication Agreement Key (dRAKk) and the public portion of another region’s Replication Agreement Key (QRAKk). The RRZ is used to derive the RWK

Key/SSP Name/Type: Replication Wrapping Key (RWK), CSP
Strength: 256 bits (AES)
Security Function and Cert. Number: AES GCM (A1908)
Generation: Internally derived from a Public Replication Agreement Key (QRAK1) and a Private Replication Agreement Key (dRAK2)
Import / Export: Input: N/A. Output: N/A
Establishment: KAS (SP 800-56Arev3) (Cofactor) One-Pass Diffie-Hellman (ECC CDH) scheme with key confirmation
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The RWK is used to encrypt an HBK. It is derived from a key agreement operation between the QRAKk from an HSM in another security domain and the dRAKk in the local HSM security domain

Key/SSP Name/Type: Customer Replication Key (CRK), CSP/PSP
Strength: 256 bits (AES, HMAC); 112 to 128 bits (RSA: 2048, 3072, or 4096 bits); 128 to 256 bits (ECDSA: P256, P384, P521, or secp256k1)
Security Function and Cert. Number: AES GCM, HMAC, RSA, ECDSA (A1908)
Generation: Internally from an HBK encrypted with a domain key (DKn)
Import / Export: Input: CRK may be imported by decrypting an HBK using a domain key (DKn) and re-encrypting it using a Replication Wrapping Key (RWK) (electronically). Output: CRK is exported encrypted with a Replication Wrapping Key (RWK) (electronically)
Establishment: KAS (SP 800-56Arev3) (Cofactor) One-Pass Diffie-Hellman (ECC CDH) scheme with key confirmation
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The CRK is the customer key that is being transmitted between two HSMs. CRKs are wrapped with the RWK

Key/SSP Name/Type: Operator Ephemeral Agreement Public Key (QOEAK), PSP
Strength: 192 bits (ECDH P384)
Security Function and Cert. Number: ECDH (A1908)
Generation: Externally by the module operator
Import / Export: Input: When an operator calls the NegotiateSessionKey service (electronically). Output: N/A
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The QOEAK is provided by an operator to establish a session key (HOSK). It is used with the HSM ephemeral agreement key (dE) using ECC CDH
Key/SSP Name/Type: Operator Signature Public Key (QOS), PSP
Strength: 192 bits (ECDSA P384); 112 to 128 bits (RSA: 2048, 3072, or 4096 bits)
Security Function and Cert. Number: ECDSA, RSA (A1908)
Generation: Externally by the module operator
Import / Export: Input: The public key (QOS) is imported in plaintext when an administrator calls InitializeAndCreateDomain, CreateDomain, and ChangeDomain. They are also imported by APIs that accept a Domain Token (electronically). Output: The public keys are exported from the HSM in plaintext by APIs that export a Domain Token (electronically)
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The QOS is used by the HSM to authenticate operators

Key/SSP Name/Type: Customer Data Encryption Public Key (QCDEK), PSP
Strength: 112 to 128 bits (RSA: 2048, 3072, or 4096 bits)
Security Function and Cert. Number: RSA (A1908)
Generation: Externally by the module operator
Import / Export: Input: The public key (QCDEK) is optionally provided when an operator calls Generate, GenerateAndEncryptRandomBytes, GenerateDataKeyPair, and Decrypt (electronically). Output: N/A
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The QCDEK is provided by an operator or customer to encrypt the SCDEK, which encrypts customer data

Key/SSP Name/Type: Customer Data Encryption Symmetric Key (SCDEK), PSP
Strength: 128 bits, 256 bits (AES)
Security Function and Cert. Number: AES GCM, AES CBC (A1908)
Generation: Internally using DRBG
Import / Export: Input: N/A. Output: Encrypted by QCDEK (electronically)
Establishment: N/A
Storage: Volatile memory
Zeroisation: Overwriting with all zeros
Use & related keys: The SCDEK encrypts customer plaintext data. If a QCDEK is optionally provided for Generate, GenerateAndEncryptRandomBytes, GenerateDataKeyPair, or Decrypt, a SCDEK will be generated within the module to encrypt the resulting customer plaintext data.

Table 13 – SSPs

Entropy sources: Intel Deterministic Random Number Generator
Minimum number of bits of entropy: 384 bits of seed material is requested from the entropy source which provides full entropy
Details: Used only to seed the DRBG in the module. 512 bits of entropy data with 0.7 bits of min entropy per bit is provided to the vetted conditioning function, 128-bit AES-CBC-MAC. The conditioning function is called three times for the 384-bit entropy input into the DRBG.
Table 14 – Non-Deterministic Random Number Generator Specification

10. Self-Tests

FIPS 140-3 requires the module to perform self-tests to ensure the integrity of the module and the correctness of the cryptographic functionality at start up. Some functions require conditional tests during normal operation of the module. All of these tests are listed and described in this section. In the event of a self-test error, the module will log the error and enter the error state. Once in the error state, all SSPs are zeroized and the module becomes unusable.

Pre-Operational Self-Tests

Pre-operational self-tests are run upon the initialization of the module and do not require operator intervention to run. If any of the tests fail, the module will not initialize. The module will enter an error state and no services can be accessed by the operator. The module implements the following pre-operational self-tests:

Integrity Check
256-bit error detection code (EDC) on all module components

The module performs all pre-operational self-tests automatically when the module is initialized. All pre-operational self-tests must be passed before a Crypto Officer can perform services. The pre-operational self-tests can be run on demand by rebooting the module.

Conditional Self-Tests

The module performs all conditional self-tests automatically when the module is initialized. All conditional self-tests must be passed before a Crypto Officer can perform services. If any of these tests fail, the module will enter an error state, where no services can be accessed by the operators. The module can be re-initialized to clear the error and resume Approved mode of operation.
Each module performs the following conditional self-tests:

Cryptographic Algorithm Self Tests
• AES (Encryption in ECB mode with 128 bit key) KAT
• AES (Decryption in ECB mode with 128 bit key) KAT
• AES GCM (Generation with 128 bit key) KAT
• AES GCM (Verification with 128 bit key) KAT
• ECC KAS (ECDH) (Primitive Z test with EC P-256 parameter set) KAT
• ECDSA (Signature generation with P-256 curve) KAT
• ECDSA (signature verification with P-256 curve) KAT
• RSA (Signature generation, key transport SP800-56B per IG D.G with 2048 bit key) KAT
• RSA (Signature verification, key transport SP800-56B per IG D.G with 2048 bit key) KAT
• HMAC (Generation with SHA2-256, SHA2-512) KAT
• HMAC (Verification with SHA2-256, SHA2-512) KAT
• SHS (SHA-1, SHA2-256, SHA2-512) KAT
• SP 800-90 CTR_DRBG KAT
• DRBG Health Tests Performed on DRBG, per SP 800-90A Section 11.3
• SP 800-108 KBKDF (HMAC-SHA2-256) KAT
• KDA (OneStep KDF) (SHA2-256) KAT

Pair-wise Consistency Tests
• RSA key pair generation
• ECDSA / ECDH key pair generation

SP 800-56A Assurances
• Performed per SP 800-56Arev3 Sections 5.5.2 and 5.6.2

SP 800-90B Health Tests (Critical function test)
• NIST SP 800-90B ENT Health Tests, per SP 800-90B Section 4.5

The module does not perform a firmware load test because no additional firmware can be loaded in the module while operating in the Approved mode. Please see Section 3 for guidance on configuring and maintaining Approved mode.

On-demand Self-Tests

On-demand self-tests can be performed by rebooting the module which will perform the pre-operational self-tests.

Periodic Self-Tests

All conditional self-tests are automatically run once a day.
The specific time is randomly selected by the module between 23 and 24 hours since the last run. The tests are executed in the background.

11. Life-cycle Assurance

Delivery and Operation

The AWS Key Management Service HSM is designed to be mounted in a rack only. Before mounting onto a rack, the module should be inspected for signs of physical tampering. Connect the power interface to the power connector in the rack. Power up the module. The module will start up in the approved mode of operation. No other configuration is necessary.

End of Life

To prepare a module for disposal:
1. Remove all domain information on the module using the ForgetDomain API
2. Delete the HSM Signature Key and HSM Agreement Key from the HSM using the Wipe API
3. Return the HSM to the factory state using the DeactivateAndReboot API. This step also zeroizes volatile memory as part of the reboot process
4. Power down the module by disconnecting the module from the power source

To securely destroy a module:
1. To open the chassis, drill through all fasteners that secure the cover to the chassis and remove the cover.
2. Remove and destroy the solid state drive and memory modules in accordance with NIST SP 800-88rev1.

12. Mitigation of Other Attacks

Not Applicable.
Appendix A - Acronyms

AES     Advanced Encryption Standard
ANSI    American National Standards Institute
API     Application Programming Interface
AWS     Amazon Web Services
CBC     Cipher Block Chaining
CDK     Customer Data Key
CMK     Customer Managed Key
CMVP    Cryptographic Module Validation Program
CO      Crypto Officer
CSE     Communications Security Establishment Canada
CSK     Customer Supplied Key
CSP     Critical Security Parameter
CTR     Counter
DH      Diffie-Hellman
DKn     Domain Key
DKEK    Domain Key Encryption Key
DRBG    Deterministic Random Bit Generator
ECB     Electronic Codebook
EC      Elliptic Curve
ECDSA   Elliptic Curve Digital Signature Algorithm
EMC     Electromagnetic Compatibility
EMI     Electromagnetic Interference
FCC     Federal Communications Commission
FIPS    Federal Information Processing Standard
GCM     Galois/Counter Mode
HBK     HSM Backing Key
HMAC    (Keyed-) Hash Message Authentication Code
HOSK    HSM-to-Operator Session Key
HSK     HSM Signature Key Pair
HSKEK   HSM Session Key Encryption Key
HSM     Hardware Security Module
IPMI    Intelligent Platform Management Interface
KAS     Key Agreement Scheme
KAT     Known Answer Test
KBKDF   Key Based Key Derivation Function
KDF     Key Derivation Function
KMS     Key Management Service
KTS     Key Transport Scheme
MAC     Message Authentication Code
MD      Message Digest
NIST    National Institute of Standards and Technology
NMI     Non-Maskable Interrupt
OAEP    Optimal Asymmetric Encryption Padding
PKCS    Public-Key Cryptography Standards
PSS     Probabilistic Signature Scheme
QOEAK   Operator Ephemeral Agreement Public Key
QOS     Operator Signature Public Key
RNG     Random Number Generator
RSA     Rivest, Shamir, and Adleman
SHA     Secure Hash Algorithm
SP      Special Publication
SSP     Sensitive Security Parameter