
Given the usage of AWS KMS without CloudHSM. There is a two-tier key hierarchy: master key + data key. The master key encrypts the data key, and the data key encrypts the data. The encrypted data key is stored with the data it encrypted. Encryption/decryption of the data key is handled within the KMS HSM. The HSM doesn't allow export of the unencrypted master key, stores the master key only in volatile memory and deletes the master key when it detects physical tampering. There is a certification that covers that.

My question is how does AWS approach master key compromise? In the unlikely event of a master key compromise, that would have to happen on the AWS KMS side, most likely around the interactions with the HSM itself. I don't see a way for the user to compromise the master key, assuming the key was generated by AWS, not the user.

There is an API that could be used to re-encrypt data keys encrypted using a compromised master key; however, it would need to be AWS who would notify the customer about the master key compromise. Is there a procedure around that, involving reaching out to the customer / user of the compromised key? Or is master key compromise something that is deemed impossible, hence there is no procedure around it?

automatictester
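Added illustration (not code from the question, from AWS, or from any AWS SDK) of the two-tier hierarchy and the re-encrypt step the question refers to: a simulated KMS boundary in Python whose master keys are never exported, with a toy SHAKE/HMAC cipher standing in for the HSM's AES. The class, method names and key-id format are assumptions, not the AWS API.

```python
import hashlib, hmac, os, secrets

def _prf(key, msg):
    return hmac.digest(key, msg, "sha256")

def seal(key, plaintext):
    """Toy authenticated encryption (SHAKE keystream + HMAC tag) standing in for the HSM's AES."""
    enc_key, mac_key, nonce = _prf(key, b"enc"), _prf(key, b"mac"), os.urandom(16)
    stream = hashlib.shake_256(enc_key + nonce).digest(len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + _prf(mac_key, nonce + ct)

def unseal(key, blob):
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ s for c, s in zip(ct, hashlib.shake_256(enc_key + nonce).digest(len(ct))))

class SimulatedKms:
    """Models the KMS/HSM boundary: master keys live only here and are never exported."""
    def __init__(self):
        self._masters = {}  # key id -> master key bytes (volatile, in-memory only)

    def create_key(self):
        key_id = "key-" + secrets.token_hex(4)  # constructed id format, not AWS's
        self._masters[key_id] = os.urandom(32)
        return key_id

    def generate_data_key(self, key_id):
        # Plaintext data key (use it, then discard) plus its wrapped form to store beside the data.
        data_key = os.urandom(32)
        return data_key, key_id.encode() + b":" + seal(self._masters[key_id], data_key)

    def decrypt(self, wrapped):
        key_id, blob = wrapped.split(b":", 1)
        return unseal(self._masters[key_id.decode()], blob)

    def re_encrypt(self, wrapped, new_key_id):
        # Unwrap and re-wrap inside the boundary; the caller never sees the plaintext data key.
        return new_key_id.encode() + b":" + seal(self._masters[new_key_id], self.decrypt(wrapped))

    def delete_key(self, key_id):
        del self._masters[key_id]

def migrate_record(kms, record, old_id):
    """Move a stored record off a suspect master key: re-wrap its data key, then retire the key."""
    new_id = kms.create_key()
    record["wrapped_key"] = kms.re_encrypt(record["wrapped_key"], new_id)
    kms.delete_key(old_id)
    return new_id
```

The rewrap happens entirely inside `re_encrypt`; a client that rotated by calling `decrypt` itself and wrapping the result would pull the plaintext data key outside the boundary, which is what a server-side re-encrypt call avoids.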

0 Answers