Key Management Service (KMS) is a regional, FIPS 140-2 Level 2 validated key management service that provides encryption and decryption. KMS is integrated with most other AWS services.
- KMS is a regional service, not a global one.
- KMS is NOT the place to store secrets such as database passwords and API keys; those belong in Systems Manager Parameter Store, which in turn uses KMS to encrypt them.
- You are charged per API call.
- KMS is auditable: CloudTrail records every key-usage API call, and those logs can be delivered to S3.
KMS can use CloudHSM (Cloud Hardware Security Module) via custom key stores.
- CloudHSM is a single-tenant, dedicated hardware security module, deployed as a multi-AZ cluster for high availability.
- It conforms to FIPS 140-2 Level 3.
- Customers manage the keys themselves, and a lost key cannot be recovered.
- It is accessed through industry-standard APIs, not AWS APIs.
CMK and DEK
- KMS manages Customer Master Keys (CMK).
- A CMK is created and managed within a single region.
- A CMK can directly encrypt/decrypt data only up to 4 KB.
- KMS can generate a Data Encryption Key (DEK) under a CMK.
- A DEK is used to encrypt/decrypt data of any size.
- The encrypted DEK and the encrypted data (Base64) can be stored together (envelope encryption). To read the data, KMS decrypts the encrypted DEK, and the plaintext DEK then decrypts the data.
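As an added example, not part of the original notes: the envelope-encryption flow described above, written in Go. A local AES-GCM key stands in for the CMK (an assumption; real code would call kms:GenerateDataKey and kms:Decrypt through the AWS SDK, and CMK material never leaves KMS), and the stand-in enforces the 4 KB limit that kms:Encrypt has, which is why a DEK is needed for larger data. The function names and the sample key are constructed for the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm builds an AES-256-GCM AEAD; seal/open prefix a random nonce to the ciphertext.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) }
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}
func seal(aead cipher.AEAD, p []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return aead.Seal(nonce, nonce, p, nil)
}
func open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(blob) >= n { return aead.Open(nil, blob[:n], blob[n:], nil) }
	return nil, errors.New("ciphertext too short")
}
// localCMK stands in for a KMS CMK (assumption: real code calls KMS via the AWS SDK; CMK material never leaves KMS).
var localCMK = gcm([]byte("constructed-32-byte-cmk-material")) // constructed sample key
// kmsEncrypt mirrors kms:Encrypt, which accepts at most 4 KB of plaintext.
func kmsEncrypt(p []byte) ([]byte, error) {
	if len(p) > 4096 { return nil, errors.New("kms: plaintext exceeds 4 KB") }
	return seal(localCMK, p), nil
}
// kmsGenerateDataKey mirrors kms:GenerateDataKey: a fresh DEK in plaintext (use in memory, then discard) plus the same DEK wrapped under the CMK (store beside the data).
func kmsGenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil { return }
	wrapped, err = kmsEncrypt(plain)
	return
}
func kmsDecrypt(wrapped []byte) ([]byte, error) { return open(localCMK, wrapped) }
type Envelope struct{ WrappedDEK, Ciphertext []byte } // the two parts that are stored together
func EnvelopeEncrypt(data []byte) (*Envelope, error) {
	dek, wrapped, err := kmsGenerateDataKey()
	if err != nil { return nil, err }
	return &Envelope{WrappedDEK: wrapped, Ciphertext: seal(gcm(dek), data)}, nil
}
func EnvelopeDecrypt(env *Envelope) ([]byte, error) {
	dek, err := kmsDecrypt(env.WrappedDEK) // one small KMS call, whatever the data size
	if err != nil { return nil, err }
	return open(gcm(dek), env.Ciphertext)
}
```

Because GCM authenticates the ciphertext, any modification of the stored data or of the wrapped DEK is detected at decrypt time rather than yielding garbage.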
Types of Customer Master Keys
- Customer Managed CMK
  - A customer manages the key.
  - It supports granular management, such as key rotation and key policies.
- AWS Managed CMK
  - It is free and used by default.
  - Only the linked AWS service can use the keys directly.
  - Format: aws/service-name (e.g. aws/rds, aws/ebs, aws/lambda …)
- AWS Owned CMK
  - Keys are used by AWS on a shared basis across many accounts.