[AWS] Key Management Service (KMS)

Key Management Service (KMS) is a regional, secure key management service (FIPS 140-2 Level 2 validated) that provides encryption and decryption. KMS is integrated with most other AWS services.

  • KMS is a regional service, not a global one.
  • KMS is not the place to store database passwords or API keys; those belong in Systems Manager Parameter Store.
  • You are charged per API call.
  • Key usage is auditable: CloudTrail records every KMS API call, and the logs are delivered to S3.
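Since CloudTrail is the audit trail for every KMS API call, the natural follow-up is to actually read those records. The Go program below is an added example, not code from the original post: it runs three simple rules over constructed CloudTrail records (one JSON object per line) and reports KMS API errors, destructive key actions (DisableKey, ScheduleKeyDeletion), and Decrypt or GenerateDataKey calls by a principal that is not allow-listed for the key. The account ID 111122223333, the key ID EXAMPLE-KEY-ID, the role and user names and the IP addresses are placeholders; the rule names and the `allowed` map are this example's own design.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event is the subset of a CloudTrail record this detector reads.
type Event struct {
	EventTime       string `json:"eventTime"`
	EventSource     string `json:"eventSource"`
	EventName       string `json:"eventName"`
	SourceIPAddress string `json:"sourceIPAddress"`
	ErrorCode       string `json:"errorCode"`
	UserIdentity    struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	Resources []struct {
		ARN string `json:"ARN"`
	} `json:"resources"`
}

// Finding is one alert: the rule that fired, when, by which principal, and what happened.
type Finding struct{ Rule, Time, Principal, Detail string }

// destructive lists KMS actions that take a key out of service; each one should
// be rare and traceable to a change record.
var destructive = map[string]bool{"DisableKey": true, "ScheduleKeyDeletion": true}

// Detect scans CloudTrail records (one JSON object per line) and reports KMS API
// errors, destructive key actions, and Decrypt/GenerateDataKey calls by a principal
// that is not allow-listed for the key. allowed maps a key ARN to the principal
// ARN prefixes expected to use it.
func Detect(lines []string, allowed map[string][]string) ([]Finding, error) {
	var out []Finding
	for i, line := range lines {
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if ev.EventSource != "kms.amazonaws.com" {
			continue // other services are out of scope for this detector
		}
		key := ""
		if len(ev.Resources) > 0 {
			key = ev.Resources[0].ARN
		}
		who := ev.UserIdentity.ARN
		switch {
		case ev.ErrorCode != "":
			out = append(out, Finding{"kms-api-error", ev.EventTime, who, ev.EventName + ": " + ev.ErrorCode})
		case destructive[ev.EventName]:
			out = append(out, Finding{"kms-destructive-action", ev.EventTime, who, ev.EventName + " on " + key})
		case (ev.EventName == "Decrypt" || ev.EventName == "GenerateDataKey") && !permitted(allowed[key], who):
			out = append(out, Finding{"kms-unexpected-principal", ev.EventTime, who,
				ev.EventName + " on " + key + " from " + ev.SourceIPAddress})
		}
	}
	return out, nil
}

func permitted(prefixes []string, principal string) bool {
	for _, p := range prefixes {
		if strings.HasPrefix(principal, p) {
			return true
		}
	}
	return false
}

// Constructed sample data: account 111122223333, EXAMPLE-KEY-ID, the role and
// user names and the IP addresses are placeholders, not real identifiers.
const keyARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

var SampleAllowed = map[string][]string{keyARN: {"arn:aws:sts::111122223333:assumed-role/app-role/"}}

var SampleLines = []string{
	`{"eventTime":"2024-05-01T10:00:00Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","sourceIPAddress":"10.0.1.5","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},"resources":[{"ARN":"` + keyARN + `"}]}`,
	`{"eventTime":"2024-05-01T10:02:00Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"resources":[{"ARN":"` + keyARN + `"}]}`,
	`{"eventTime":"2024-05-01T10:03:00Z","eventSource":"kms.amazonaws.com","eventName":"GenerateDataKey","errorCode":"AccessDenied","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"},"resources":[{"ARN":"` + keyARN + `"}]}`,
	`{"eventTime":"2024-05-01T11:00:00Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","sourceIPAddress":"10.0.0.9","userIdentity":{"arn":"arn:aws:iam::111122223333:user/admin"},"resources":[{"ARN":"` + keyARN + `"}]}`,
	`{"eventTime":"2024-05-01T11:01:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"10.0.1.5","userIdentity":{"arn":"arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}}`,
}

func main() {
	findings, err := Detect(SampleLines, SampleAllowed)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-26s %s %s: %s\n", f.Rule, f.Time, f.Principal, f.Detail)
	}
}
```

On the five sample records the program reports three findings: the contractor's Decrypt from an outside address, the contractor's AccessDenied on GenerateDataKey, and the admin's ScheduleKeyDeletion; the app role's own Decrypt and the S3 event are ignored. The prefix match on the principal ARN is what lets an assumed-role session (which carries a session name after the role) match a single allow-list entry.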


KMS can use CloudHSM (Cloud Hardware Security Module) as the backing key store for a CMK through a custom key store.

  • CloudHSM is a single-tenant, dedicated hardware security module, deployed as a multi-AZ cluster for high availability.
  • It conforms to FIPS 140-2 Level 3.
  • You generate and manage your own encryption keys.
    • The customer manages the keys, and a lost key cannot be recovered.
    • AWS does not have access to your keys.
  • It is accessed through industry-standard APIs rather than AWS APIs.
  • It is used to meet compliance requirements that call for dedicated hardware for data security.


  • KMS manages Customer Master Keys (CMKs).
    • A CMK is created and managed within a single region.
    • A CMK can directly encrypt or decrypt data of up to 4 KB.
  • KMS can generate a Data Encryption Key (DEK) under a CMK.
    • The DEK encrypts and decrypts data of any size.
    • The DEK, encrypted under the CMK, can be stored alongside the encrypted data (Base64-encoded). To decrypt, KMS first decrypts the DEK, and the plaintext DEK then decrypts the data.
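The envelope pattern just described, as an added Go example that is not the post's own code and does not use the AWS SDK. `FakeKMS` is a hypothetical offline stand-in whose `Encrypt`, `Decrypt` and `GenerateDataKey` methods mimic the shape of the KMS API calls of the same names, including the 4 KB limit on direct `Encrypt`, with the master key held inside the struct and never handed out. `EnvelopeEncrypt` and `EnvelopeDecrypt` are the client side: they store the wrapped DEK in front of the AES-GCM ciphertext as one Base64 blob, and decryption asks the "KMS" for the DEK first. In production the stand-in would be replaced by the real KMS client and the plaintext DEK discarded as soon as the data is sealed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// maxDirectEncrypt mirrors the 4 KB ceiling for data encrypted directly under a CMK.
const maxDirectEncrypt = 4096

// wrappedDEKLen is the size of a DEK wrapped by seal: GCM nonce || AES-256 DEK || GCM tag.
const wrappedDEKLen = 12 + 32 + 16

// FakeKMS is a hypothetical offline stand-in for AWS KMS: the master key ("CMK")
// stays inside it and is never exported, as the real service enforces in hardware.
type FakeKMS struct{ master []byte }

// seal is AES-GCM with a fresh random nonce, returning nonce||ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails if the ciphertext or its tag was altered.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// NewFakeKMS takes a 16-, 24- or 32-byte master key as the CMK.
func NewFakeKMS(masterKey []byte) *FakeKMS { return &FakeKMS{master: masterKey} }

// Encrypt models KMS Encrypt: direct use of the CMK, capped at 4 KB.
func (k *FakeKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > maxDirectEncrypt {
		return nil, fmt.Errorf("%d bytes exceeds the %d-byte CMK limit", len(plaintext), maxDirectEncrypt)
	}
	return seal(k.master, plaintext)
}

// Decrypt models KMS Decrypt for anything sealed under the CMK.
func (k *FakeKMS) Decrypt(blob []byte) ([]byte, error) { return open(k.master, blob) }

// GenerateDataKey models KMS GenerateDataKey: a fresh AES-256 DEK in plaintext
// (use immediately, then discard) plus the same DEK wrapped under the CMK.
func (k *FakeKMS) GenerateDataKey() (plaintext, wrapped []byte, err error) {
	plaintext = make([]byte, 32)
	if _, err = rand.Read(plaintext); err != nil {
		return nil, nil, err
	}
	wrapped, err = k.Encrypt(plaintext)
	return plaintext, wrapped, err
}

// EnvelopeEncrypt encrypts data of any size under a fresh DEK and returns
// Base64(wrappedDEK || nonce || ciphertext): the wrapped key travels with the data.
func EnvelopeEncrypt(kms *FakeKMS, data []byte) (string, error) {
	dek, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return "", err
	}
	ct, err := seal(dek, data)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(append(wrapped, ct...)), nil
}

// EnvelopeDecrypt asks KMS to unwrap the DEK, then decrypts the data locally.
func EnvelopeDecrypt(kms *FakeKMS, blob string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil || len(raw) < wrappedDEKLen {
		return nil, fmt.Errorf("malformed envelope")
	}
	dek, err := kms.Decrypt(raw[:wrappedDEKLen])
	if err != nil {
		return nil, err
	}
	return open(dek, raw[wrappedDEKLen:])
}

func main() {
	kms := NewFakeKMS([]byte("0123456789abcdef0123456789abcdef")) // demo key only
	fmt.Println(kms.Encrypt(make([]byte, 10000)))                  // refused: over 4 KB
	blob, _ := EnvelopeEncrypt(kms, []byte("payload of any size"))
	out, _ := EnvelopeDecrypt(kms, blob)
	fmt.Printf("envelope round trip: %q\n", out)
}
```

Two properties of the design are worth noticing. The master key is only ever touched inside `FakeKMS`, so the client code holds nothing that can decrypt the stored blob on its own; and because both layers use AES-GCM, any modification of the wrapped DEK or of the data ciphertext is rejected at `Decrypt` or `open` rather than producing garbage plaintext.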

Types of Customer Master Keys

  • Customer Managed CMK
    • The customer creates and manages the key.
    • It supports granular controls such as key rotation and key policies.
  • AWS Managed CMK
    • It is free and used by default.
    • Only the AWS service it is linked to can use the key directly.
    • Name format: aws/service-name (e.g. aws/rds, aws/ebs, aws/lambda …)
  • AWS Owned CMK
    • Keys that AWS owns and uses on a shared basis across many accounts.
