Key Management Service (KMS) is a regional secure key management service (FIPS 140-2 level 2 validated) that provides encryption and decryption. KMS is integrated with most other AWS services.
- KMS is a regional service, not a global one.
- KMS is NOT an ideal place to save database passwords and API keys. Those belong in Systems Manager Parameter Store.
- You are charged per API call.
- KMS can be audited through CloudTrail, which provides encryption key usage logs; these logs are saved in S3.
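
As an added example (not part of the original notes), the sketch below shows how the key usage logs mentioned in the last point can be reviewed once a CloudTrail log file has been downloaded from S3 and decompressed. The ARNs, account ID and the `_rec` helper are constructed for illustration; only the record fields (`eventSource`, `eventName`, `userIdentity.arn`, `resources`, `errorCode`) follow the CloudTrail record layout.

```python
import json
from collections import Counter

# Constructed identifiers; not real keys or principals.
KEY = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
APP = "arn:aws:sts::111122223333:assumed-role/app-role/i-0123"
ANALYST = "arn:aws:iam::111122223333:user/analyst"

def _rec(source, name, caller, key=None, error=None):
    """Build one constructed record with the CloudTrail fields used below."""
    rec = {"eventSource": source, "eventName": name, "awsRegion": "us-east-1",
           "userIdentity": {"arn": caller}}
    if key:
        rec["resources"] = [{"ARN": key, "type": "AWS::KMS::Key"}]
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample in the CloudTrail log-file layout (top-level "Records" array).
SAMPLE_LOG = json.dumps({"Records": [
    _rec("kms.amazonaws.com", "Decrypt", APP, KEY),
    _rec("kms.amazonaws.com", "Decrypt", APP, KEY),
    _rec("kms.amazonaws.com", "GenerateDataKey", APP, KEY),
    _rec("kms.amazonaws.com", "Decrypt", ANALYST, KEY, error="AccessDenied"),
    _rec("s3.amazonaws.com", "GetObject", APP),  # non-KMS event, must be ignored
]})

def kms_records(log_text):
    """Return only the records emitted by KMS."""
    return [r for r in json.loads(log_text).get("Records", [])
            if r.get("eventSource") == "kms.amazonaws.com"]

def key_usage(log_text):
    """Count KMS API calls per (key ARN, caller ARN, operation)."""
    usage = Counter()
    for rec in kms_records(log_text):
        caller = rec.get("userIdentity", {}).get("arn", "unknown")
        keys = [r["ARN"] for r in rec.get("resources", [])
                if r.get("type") == "AWS::KMS::Key"] or ["(no key resource)"]
        for key in keys:
            usage[(key, caller, rec["eventName"])] += 1
    return usage

def denied_calls(log_text):
    """List (caller, operation) for KMS calls rejected with AccessDenied."""
    return [(r["userIdentity"]["arn"], r["eventName"])
            for r in kms_records(log_text) if r.get("errorCode") == "AccessDenied"]

if __name__ == "__main__":
    for (key, caller, op), n in sorted(key_usage(SAMPLE_LOG).items()):
        print(n, op, caller, key)
    print("denied:", denied_calls(SAMPLE_LOG))
```

Because KMS is charged per API call, the same per-caller counts also show which principals drive the bill; the region segment of each key ARN reflects that keys are regional.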