AWS Glossary
AWS KMS
AWS Key Management Service — centralized key management for encrypting data across AWS services and applications.
Definition
AWS Key Management Service (KMS) is a managed service for creating, storing, and controlling encryption keys used to protect your data across AWS. KMS integrates with 100+ AWS services — S3, RDS, EBS, Lambda, DynamoDB, Secrets Manager, and more — making it the standard for encryption at rest in AWS workloads. Every key operation is logged in AWS CloudTrail, creating an auditable record of all cryptographic activity.
Key Types
AWS Managed Keys
- Created and managed by AWS on your behalf for a specific service (e.g., aws/s3, aws/rds)
- Automatic key rotation every year
- No cost for the key itself; standard KMS API call charges apply
- You cannot view, manage, or use them outside the service
- Sufficient for most encryption requirements
Customer Managed Keys (CMK)
- You create and control these keys
- Customizable key policy (access control)
- Manual or automatic rotation (annual)
- Required when you need: cross-account access, custom key policies, CloudTrail audit of specific key usage, BYOK (bring your own key material), or key deletion control
- $1/month per key + $0.03 per 10,000 API calls
AWS CloudHSM
- Dedicated hardware security module (HSM) for FIPS 140-2 Level 3 compliance
- Full control over the HSM cluster; AWS has no access to your keys
- Required for: strict regulatory requirements (government, financial services), custom cryptographic operations, or FIPS 140-3 compliance
Envelope Encryption
KMS uses envelope encryption to protect data efficiently:
- KMS generates a data key (plaintext + encrypted copy)
- Use the plaintext data key to encrypt your data locally
- Store the encrypted data key alongside the encrypted data
- Discard the plaintext data key from memory
- To decrypt: call KMS to decrypt the data key, then decrypt your data locally
This pattern means: only the data key is sent to KMS (not your entire data), large files are encrypted locally (fast), and KMS controls access to the data key (audit trail).
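The five steps above, as an added example in Go that is not code from this page or from AWS. It implements envelope encryption with AES-256-GCM from the standard library; a hypothetical stubKMS stands in for the service so the example runs offline (the master key inside it plays the role of the KMS key, which never leaves KMS). The key ARN is a placeholder and the sample record is constructed. With the real SDK the two stub methods correspond to the GenerateDataKey call (which returns Plaintext and CiphertextBlob) and the Decrypt call.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets stored: KMS's wrapped data key beside the locally encrypted data.
type Envelope struct {
	KeyID            string
	EncryptedDataKey []byte // the CiphertextBlob from GenerateDataKey; only KMS can unwrap it
	Ciphertext       []byte // nonce||AES-GCM output; the bulk data never goes to KMS
}

// stubKMS is a hypothetical stand-in for the service so the example runs offline:
// masterKey never leaves the struct, just as key material never leaves KMS.
type stubKMS struct {
	keyID     string
	masterKey []byte
}

// randBytes returns n cryptographically random bytes; failing to get them is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-256-GCM; keys are fixed at 32 bytes here, so a failure is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// seal returns nonce||ciphertext so callers store a single blob.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// unseal is the inverse; it fails if the blob was tampered with or the key is wrong.
func unseal(key, blob, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("blob too short")
}

// wipe zeroes a plaintext data key once it is no longer needed (step 4).
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh 256-bit key, in plaintext and wrapped.
func (k *stubKMS) GenerateDataKey() (plaintext, wrapped []byte) {
	plaintext = randBytes(32)
	return plaintext, seal(k.masterKey, plaintext, []byte(k.keyID))
}

// Decrypt mirrors kms:Decrypt; only the wrapped data key is ever sent here.
func (k *stubKMS) Decrypt(wrapped []byte) ([]byte, error) {
	return unseal(k.masterKey, wrapped, []byte(k.keyID))
}

// EncryptEnvelope is steps 1-4 above: data key, local encryption, store wrapped key, wipe.
func EncryptEnvelope(k *stubKMS, data []byte) *Envelope {
	dk, wrapped := k.GenerateDataKey()
	defer wipe(dk)
	return &Envelope{KeyID: k.keyID, EncryptedDataKey: wrapped, Ciphertext: seal(dk, data, []byte(k.keyID))}
}

// DecryptEnvelope is step 5: KMS unwraps the data key, then the data is decrypted locally.
func DecryptEnvelope(k *stubKMS, env *Envelope) ([]byte, error) {
	dk, err := k.Decrypt(env.EncryptedDataKey)
	if err != nil {
		return nil, fmt.Errorf("kms:Decrypt failed: %w", err)
	}
	defer wipe(dk)
	return unseal(dk, env.Ciphertext, []byte(env.KeyID))
}

func main() {
	kms := &stubKMS{keyID: "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER", masterKey: randBytes(32)} // placeholder ARN
	env := EncryptEnvelope(kms, []byte("constructed sample record"))
	fmt.Printf("wrapped key %d bytes, local ciphertext %d bytes\n", len(env.EncryptedDataKey), len(env.Ciphertext))
}
```

The wrapped data key is always 60 bytes (12-byte nonce, 32-byte key, 16-byte tag) no matter how large the data is, which is the point of the pattern: that is all that crosses the KMS boundary, and the CloudTrail entry for the Decrypt call is the audit trail for every read of the object. Binding the key ID in as additional authenticated data means a wrapped key cannot be replayed under a different key's context.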
Key Policy and Access Control
Every KMS key has a key policy — a resource-based policy defining who can use and manage the key:
- Must explicitly grant the AWS account root permission (otherwise no IAM policy can grant access)
- Grant least-privilege access: separate kms:Decrypt permissions from kms:GenerateDataKey
- Use conditions (kms:CallerAccount, kms:ViaService) to restrict key usage to specific services or accounts
- Cross-account access: grant the target account’s root in the key policy + add IAM policy in the target account
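A constructed key policy that follows the rules above, together with an added lint in Go that checks the same rules; this is example code, not from this page or from AWS. The lint checks that the account root is granted kms:*, that no wildcard principal appears without a Condition, that non-root principals only use the key under a kms:ViaService/kms:CallerAccount condition, and that kms:Decrypt is granted separately from kms:GenerateDataKey. Account IDs 111122223333 and 444455556666, the role names and the Sids are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// statement mirrors one key-policy statement; Principal and Action may be a string, a list or an object, so they stay raw.
type statement struct {
	Sid       string                 `json:"Sid"`
	Effect    string                 `json:"Effect"`
	Principal json.RawMessage        `json:"Principal"`
	Action    json.RawMessage        `json:"Action"`
	Condition map[string]interface{} `json:"Condition"`
}

// stringList accepts "x" or ["x", "y"].
func stringList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	return many
}

// principals flattens "*", {"AWS": "arn"} or {"AWS": ["arn", ...]} into a list.
func principals(raw json.RawMessage) []string {
	var obj map[string]json.RawMessage
	if json.Unmarshal(raw, &obj) != nil {
		return stringList(raw) // bare "*"
	}
	var out []string
	for _, v := range obj {
		out = append(out, stringList(v)...)
	}
	return out
}

func grants(actions []string, want string) bool {
	for _, a := range actions {
		if a == "kms:*" || strings.EqualFold(a, want) {
			return true
		}
	}
	return false
}

// LintKeyPolicy applies the checks from the section above; an empty result means the policy passed.
func LintKeyPolicy(doc []byte, accountID string) ([]string, error) {
	var p struct{ Statement []statement }
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, err
	}
	root := "arn:aws:iam::" + accountID + ":root"
	var findings []string
	rootGranted := false
	for _, s := range p.Statement {
		acts := stringList(s.Action)
		for _, pr := range principals(s.Principal) {
			switch {
			case s.Effect != "Allow":
			case pr == root && grants(acts, "kms:*"):
				rootGranted = true
			case pr == "*" && len(s.Condition) == 0:
				findings = append(findings, s.Sid+": wildcard principal with no Condition")
			case strings.HasSuffix(pr, ":root"): // another account's root: its own IAM policies take over
			case len(s.Condition) == 0 && (grants(acts, "kms:Decrypt") || grants(acts, "kms:GenerateDataKey")):
				findings = append(findings, s.Sid+": "+pr+" can use the key with no kms:ViaService/kms:CallerAccount condition")
			case grants(acts, "kms:Decrypt") && grants(acts, "kms:GenerateDataKey"):
				findings = append(findings, s.Sid+": "+pr+" gets both kms:Decrypt and kms:GenerateDataKey; split them")
			}
		}
	}
	if !rootGranted {
		findings = append(findings, "no statement grants "+root+" kms:*, so no IAM policy in the account can grant access to this key")
	}
	return findings, nil
}

// Constructed sample policies for placeholder account 111122223333 and placeholder partner account 444455556666.
const goodPolicy = `{"Version": "2012-10-17", "Statement": [
 {"Sid": "EnableRootAndIAM", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
 {"Sid": "WriterViaS3", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-writer"}, "Action": ["kms:GenerateDataKey", "kms:Encrypt"], "Resource": "*",
  "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com", "kms:CallerAccount": "111122223333"}}},
 {"Sid": "ReaderViaS3", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"}, "Action": "kms:Decrypt", "Resource": "*",
  "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com", "kms:CallerAccount": "111122223333"}}},
 {"Sid": "CrossAccountUse", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::444455556666:root"}, "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}
]}`

const badPolicy = `{"Version": "2012-10-17", "Statement": [
 {"Sid": "AppDoesEverything", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"}, "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}
]}`

func main() {
	for _, doc := range []string{goodPolicy, badPolicy} {
		fmt.Println(LintKeyPolicy([]byte(doc), "111122223333"))
	}
}
```

The good policy produces no findings; the bad one produces two (an unconditioned principal holding both permissions, and no root grant, which means IAM policies in the account cannot be used to fix it later). The cross-account statement grants the partner account's root, after which that account still needs its own IAM policy, as the bullet above says.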
Key Rotation
Automatic Rotation:
- Enable for customer managed keys: KMS rotates key material annually
- Old key material is retained to decrypt data encrypted with previous versions
- Transparent to users — key ID stays the same
- No application changes required
On-Demand Rotation (new 2024):
- Rotate key material immediately, outside the annual schedule
- Useful after a security incident or as part of incident response
Compliance and Audit
- Every KMS API call logged to CloudTrail: who used which key, when, for what service
- Supports HIPAA, PCI DSS, SOC 2, FedRAMP, ISO 27001, and GDPR encryption requirements
- Key usage can be restricted by IP address, VPC, or originating service via conditions
- Key deletion has a mandatory 7–30 day waiting period (protects against accidental deletion)
Common Mistakes
Mistake 1: Using a single KMS key for everything. Use separate keys per environment (dev, staging, prod) and per data classification level (PHI, PCI, general). Different keys = granular access control + separate audit trails.
Mistake 2: Not understanding the difference between encryption at rest and key management. Enabling S3 SSE-S3 encrypts data but uses AWS-managed keys you can’t audit or control. Use SSE-KMS with a customer managed key for audit trails and cross-account access.
Mistake 3: Deleting KMS keys without verifying no data depends on them. Deleted keys mean encrypted data is permanently unrecoverable. Always check CloudTrail for recent key usage before scheduling deletion.
Related AWS Services
- AWS Secrets Manager: Stores and auto-rotates database credentials, API keys, and secrets using KMS for encryption
- AWS CloudTrail: Audit log of every KMS API call
- Amazon S3 SSE-KMS: Server-side encryption with KMS-managed keys for S3 objects
- AWS CloudHSM: Dedicated HSM for FIPS 140-3 compliance requirements