[AWS] Key Management Service (KMS)

Key Management Service (KMS) is a secure key management service (FIPS 140-2 level 2 validated). It helps you to create and control encryption keys that are used to encrypt and decrypt data. KMS also uses a HSM (Hardware Security Module) to protect the security of your keys.

KMS is integrated with most of other AWS services.


KMS provides centralized control over the lifecycle and permission of the encryption keys to encrypt your data (EBS, S3, and RDS).

  • KMS is NOT an ideal place to save database passwords and API keys.
    • Use Secrets Manager or Systems Manager Parameter Store.
  • You are charged per API call.
  • KMS has the audit capability using CloudTrail to provide encryption key usage logs, which are saved in S3.


Customer Master Keys (CMK) is a logical representation of a master key.

Typically, you use CMKs to generate, encrypt, and decrypt the data keys that you use to encrypt your data. This strategy is known as envelope encryption.

  • CMK contains the key material used to encrypt and decrypt a data key.
  • CMK also has metadata.
    • the key ID (alias), creation date, description, and key state (enabled, disabled, pending deletion)
  • CMK can encrypt/decrypt data up to 4KB.
  • Key Types
    • Symmetric: a single key is used for encryption and decryption
    • Asymmetric: a public and private key pair
  • Key material origin
    • KMS
    • External
      1. Download a public key (wrapping key) and import token
      2. Encrypt the key material
      3. Import the key material to the CMK
    • Custom key store (Cloud HSM)

KMS can generate a Data Encryption Key (DEK) using a CMK.

  • DEK is used to encrypt/decrypt data of any size.
  • The encrypted DEK and encrypted data (Base64) can be stored together.
  • KMS decrypts the DEK, which decrypts data.

Types of Customer Master Keys

  • Customer Managed CMK
    • A customer manages the key.
    • It supports granular management, such as key rotation and key policies.
  • AWS Managed CMK
    • It is free and used by default.
    • Only the linked AWS service can use the keys directly.
    • Format
      • aws/service-name (ex. aws/rds, aws/ebs, aws/lambda …)
  • AWS Owned CMK
    • Keys are used by AWS on a shared basis across many accounts.


HSM is a physical device that has one or more secure cryptoprocessor chips.

  • It manages keys and performs encryption and decryption.


KMS can use CloudHSM (Cloud Hardware Security Module) via custom key stores.

  • CloudHSM is a single-tenant, dedicated hardware security module in a multi-AZ cluster for high availability.
  • It conforms FIPS 140-2 level 3.
  • Generate and manage your own encryption keys
    • Customers manage the keys, and the keys are irretrievable if lost.
    • AWS does not have access to your keys.
  • It uses industry-standard APIs to access (no AWS APIs).
  • It is used to meet compliance requirements for data security by using dedicated hardware.
KMS uses a shared tenancy of underlying hardware.You will get a dedicated HSM. You have full control of underlying hardware.
KMS supports automatic key rotation.No automatic key rotation.

Generate a CMK

You can control the lifecycle of the CMK and the permission – who can use and who can manage – of it.

There are three ways to generate a CMK (key materials).

  • AWS creates the CMK. AWS uses the HSM to generate the key material.
  • You can import key material from your infrastructure and associate it with a CMK.
  • A CMK can be created in the AWS CloudHSM cluster using the AWS KMS custom key store feature.

Key Rotation

If the CMK key is generated with AWS KMS HSM, you can use to rotate the CMK every year automatically by AWS KMS.

  • Automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster.

Use Key Policies

  • All KMS CMKs have a key policy, which is a resource-based policy.
    • Who can administer the key
    • Who can use the key
  • (Example) Working with encrypted files in EC2 instances
    • The key policy must allow the instance role to use the CMK.
    • The EC2 instance must have an instance role which has permission to run the decrypt operation.


== Encrypts plaintext of up to 4,096 bytes using a KMS key
> aws kms encrypt --key-id {YOURKEYID} ...

== Decrypts ciphertext that was encrypted by a KMS key
> aws kms decrypt ...

== Enables automatic rotation of the key material
> aws kms enable-key-rotation --key-id {YOURKEYID}

> aws kms get-key-rotation-status --key-id {YOURKEYID}

== Returns a unique symmetric data key for use outside of KMS
> aws kms generate-data-key --key-id {YOURKEYID} --key-spec AES_256

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s