AWS Key Management Service (AWS KMS)

AWS Key Management Service (KMS) is an Amazon Web Services product that lets administrators create, control and retire the keys that encrypt data stored in AWS databases and other AWS services. Keys are not deleted on the spot: deletion is scheduled with a mandatory waiting period of between seven and 30 days, after which the key material is destroyed and anything still encrypted under it becomes unrecoverable.

At the time of writing, AWS KMS is reached from the AWS Identity and Access Management (IAM) console by selecting the "Encryption Keys" section (it has since moved to its own console), or through the AWS KMS command-line interface (aws kms) and the AWS software development kits.

AWS KMS provides a single view of all the keys in use in an account and region, giving administrators centralized control over encryption. Administrators create keys, attach key policies that state which principals may administer a key and which may use it for cryptographic operations, and enable logging of key use.

KMS uses envelope encryption, in which two different keys protect each piece of data. A data key, generated by KMS on request, encrypts the data itself. The data key, not the data, is then encrypted under a customer master key (CMK) that is defined in KMS and never leaves the service. The application stores the encrypted data key alongside the ciphertext and discards the plaintext data key. When the data has to be decrypted, only the encrypted data key is sent to KMS, which decrypts it with the CMK and returns the plaintext data key; the application then decrypts the bulk data locally. (AWS has since renamed CMKs "KMS keys"; this article keeps the 2016 term.)

KMS users can rotate keys, a process that creates a new backing key to perform encryption, decryption and other cryptographic operations for the CMK from that point on. Previous backing keys are retained so that ciphertext produced under them can still be decrypted, and rotation does not re-encrypt existing data. KMS can be configured to rotate a key automatically each year; automatic rotation applies only to keys whose material KMS generated, so keys with imported key material must be rotated manually. As a fully managed service, KMS handles availability, physical security and infrastructure maintenance. Keys are bound to the region in which they are created and cannot be transferred to another AWS region.
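The envelope and rotation behaviour described in the two paragraphs above, as an added worked example that is not code from the original article or from AWS. A small in-process stand-in (simulatedKMS, a hypothetical type defined here) plays the role of the service: it holds the CMK's backing keys, hands out data keys through GenerateDataKey, and decrypts them through Decrypt, mirroring the shape of the real KMS calls of those names. AES-GCM from the Go standard library stands in for the service's cipher, and the 4-byte version prefix on the encrypted data key is this example's own way of recording which backing key was used; real KMS ciphertext blobs carry their own metadata.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// simulatedKMS stands in for the KMS service (hypothetical, for this example).
// It holds the CMK's backing keys and never releases them; callers only ever
// see data keys. Index 0 is the original backing key; Rotate appends a new one
// and makes it current, while older ones stay usable for decryption.
type simulatedKMS struct{ backing [][]byte }

func newSimulatedKMS() *simulatedKMS {
	k := &simulatedKMS{}
	k.Rotate()
	return k
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Rotate installs a fresh 256-bit backing key as the current one.
func (k *simulatedKMS) Rotate() { k.backing = append(k.backing, randomBytes(32)) }

// seal returns nonce || AES-GCM ciphertext+tag under key.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// unseal reverses seal; a wrong key or any tampering fails authentication.
func unseal(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// GenerateDataKey returns a new data key in plaintext and the same key
// encrypted under the current backing key, prefixed with that key's version.
func (k *simulatedKMS) GenerateDataKey() (plaintext, encrypted []byte, err error) {
	plaintext = randomBytes(32)
	current := len(k.backing) - 1
	ct, err := seal(k.backing[current], plaintext)
	if err != nil {
		return nil, nil, err
	}
	encrypted = make([]byte, 4, 4+len(ct))
	binary.BigEndian.PutUint32(encrypted, uint32(current))
	return plaintext, append(encrypted, ct...), nil
}

// Decrypt takes only the encrypted data key, never the bulk data, and picks
// the backing key the version prefix names, so pre-rotation keys still work.
func (k *simulatedKMS) Decrypt(encrypted []byte) ([]byte, error) {
	if len(encrypted) < 4 {
		return nil, errors.New("malformed encrypted data key")
	}
	v := int(binary.BigEndian.Uint32(encrypted[:4]))
	if v >= len(k.backing) {
		return nil, errors.New("unknown backing key version")
	}
	return unseal(k.backing[v], encrypted[4:])
}

// Envelope is what the application persists. The plaintext data key is not.
type Envelope struct{ EncryptedDataKey, Ciphertext []byte }

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func EnvelopeEncrypt(k *simulatedKMS, plaintext []byte) (Envelope, error) {
	dk, edk, err := k.GenerateDataKey()
	if err != nil {
		return Envelope{}, err
	}
	defer zero(dk) // discard the plaintext data key once the data is sealed
	ct, err := seal(dk, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{EncryptedDataKey: edk, Ciphertext: ct}, nil
}

func EnvelopeDecrypt(k *simulatedKMS, e Envelope) ([]byte, error) {
	dk, err := k.Decrypt(e.EncryptedDataKey) // the one small KMS round trip
	if err != nil {
		return nil, err
	}
	defer zero(dk)
	return unseal(dk, e.Ciphertext) // bulk decryption happens locally
}

func main() {
	k := newSimulatedKMS()
	msg := []byte("constructed sample record") // constructed input
	env, err := EnvelopeEncrypt(k, msg)
	if err != nil {
		panic(err)
	}
	k.Rotate() // new backing key; the stored envelope is untouched
	pt, err := EnvelopeDecrypt(k, env)
	fmt.Printf("decrypted after rotation: %q match=%v err=%v\n", pt, bytes.Equal(pt, msg), err)
	env2, _ := EnvelopeEncrypt(k, msg)
	fmt.Printf("old envelope uses backing key %d, new one uses %d\n",
		binary.BigEndian.Uint32(env.EncryptedDataKey[:4]),
		binary.BigEndian.Uint32(env2.EncryptedDataKey[:4]))
}
```

Two points the code makes that the prose only states: the service only ever sees a 32-byte key per request, so large objects never cross the wire to KMS, and rotating the backing key changes what new envelopes are wrapped with without touching envelopes already on disk.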

The Key Management Service integrates with other AWS products to ease encryption throughout the public cloud. Many Amazon services support both client-side encryption (the application encrypts data before sending it, using keys the customer manages) and server-side encryption (the service encrypts data on the customer's behalf with keys held in KMS), though some have restrictions. For example, at the time of writing AWS CodeCommit only supports the AWS-managed key, and Amazon Elastic MapReduce only supports client-side encryption of input and output stored in Amazon Simple Storage Service (S3). Storage and content delivery services, databases, management tools, analytics tools, application services and business applications are among the AWS products that integrate with KMS.

AWS CloudTrail also integrates with KMS to log and audit key use: every API call against a key is recorded together with the calling principal, the key involved and whether the call succeeded. Logs are delivered to a specified S3 bucket.
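An added example of what a practitioner does with those logs once they land in S3; it is not code from the original article or from AWS. It reads a CloudTrail log file (a JSON document whose Records array holds one event per API call), keeps only events from kms.amazonaws.com, and raises two kinds of finding: any successful call that changes a key's lifecycle or policy (ScheduleKeyDeletion, DisableKey, PutKeyPolicy), and any principal that accumulates a threshold number of AccessDenied results, which is what a key policy denying an unauthorised caller looks like in the trail. The records in sampleTrail are constructed for this example, as are the account number, ARNs, key IDs and addresses in them; the field names follow the CloudTrail record format.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// kmsEvent holds the CloudTrail record fields this audit inspects.
type kmsEvent struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	ErrorCode    string `json:"errorCode"`
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters map[string]interface{} `json:"requestParameters"`
}

// Finding is one audit result.
type Finding struct{ Rule, Principal, Detail string }

// lifecycleCalls change whether a key can be used at all, or who may use it.
var lifecycleCalls = map[string]bool{
	"ScheduleKeyDeletion": true, "DisableKey": true, "PutKeyPolicy": true,
}

// AuditKMSEvents scans one CloudTrail log file and reports successful
// key-lifecycle changes plus any principal denied deniedThreshold times.
func AuditKMSEvents(logFile []byte, deniedThreshold int) ([]Finding, error) {
	var doc struct {
		Records []kmsEvent `json:"Records"`
	}
	if err := json.Unmarshal(logFile, &doc); err != nil {
		return nil, err
	}
	var findings []Finding
	denied := map[string]int{}
	for _, ev := range doc.Records {
		if ev.EventSource != "kms.amazonaws.com" {
			continue
		}
		if lifecycleCalls[ev.EventName] && ev.ErrorCode == "" {
			keyID, _ := ev.RequestParameters["keyId"].(string)
			findings = append(findings, Finding{"key-lifecycle", ev.UserIdentity.ARN,
				fmt.Sprintf("%s on %s at %s", ev.EventName, keyID, ev.EventTime)})
		}
		if ev.ErrorCode == "AccessDenied" {
			denied[ev.UserIdentity.ARN]++
			if denied[ev.UserIdentity.ARN] == deniedThreshold {
				findings = append(findings, Finding{"repeated-denials", ev.UserIdentity.ARN,
					fmt.Sprintf("%d AccessDenied results, latest %s from %s", deniedThreshold, ev.EventName, ev.SourceIP)})
			}
		}
	}
	return findings, nil
}

// sampleTrail is a constructed CloudTrail file for this example, not real output.
const sampleTrail = `{"Records":[
{"eventTime":"2016-02-10T09:00:01Z","eventSource":"kms.amazonaws.com","eventName":"GenerateDataKey","sourceIPAddress":"10.0.1.5","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"},"requestParameters":{"keyId":"alias/app-data","keySpec":"AES_256"}},
{"eventTime":"2016-02-10T09:02:11Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","errorCode":"AccessDenied","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor"}},
{"eventTime":"2016-02-10T09:02:15Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","errorCode":"AccessDenied","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor"}},
{"eventTime":"2016-02-10T09:02:20Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","errorCode":"AccessDenied","sourceIPAddress":"203.0.113.7","userIdentity":{"arn":"arn:aws:iam::123456789012:user/contractor"}},
{"eventTime":"2016-02-10T09:30:00Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","sourceIPAddress":"198.51.100.2","userIdentity":{"arn":"arn:aws:iam::123456789012:user/admin"},"requestParameters":{"keyId":"arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555","pendingWindowInDays":7}},
{"eventTime":"2016-02-10T09:31:42Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","sourceIPAddress":"10.0.1.5","userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"},"requestParameters":{"keyId":"alias/app-data"}}
]}`

func main() {
	findings, err := AuditKMSEvents([]byte(sampleTrail), 3)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-17s %s: %s\n", f.Rule, f.Principal, f.Detail)
	}
}
```

In practice the file is read from the bucket CloudTrail delivers to (it arrives gzipped) and the same scan runs over every file; the threshold and the set of lifecycle calls are policy decisions, and a ScheduleKeyDeletion finding is the one to act on fastest, since the waiting period is the only window in which the deletion can be cancelled.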

AWS KMS uses several hardening techniques, including tightly limiting who and what can reach the service hosts, to protect master keys. The service never stores plaintext key material on disk. Software updates to the service go through a multi-level approval process that is reviewed by an independent group within AWS.

AWS KMS has been validated against a variety of compliance standards, including:

  • Service Organization Control reports (SOC 1, 2 and 3)
  • PCI DSS Level 1
  • ISO 27017, 27018 and 9001
This was last updated in February 2016
