Key Management Service

AWS Key Management Service (AWS KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications.

AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.

KMS and KMS Keys


  • Create and manage symmetric and asymmetric encryption keys (and HMAC keys)

  • KMS keys are protected by hardware security modules (HSMs); plaintext key material never leaves the HSMs

  • KMS keys are the primary resources in AWS KMS

  • They used to be known as "customer master keys" or CMKs

  • A KMS key contains (or, for keys in a custom key store, references) the key material used to encrypt and decrypt data, together with metadata such as the key ID, creation date and key state

  • By default, AWS KMS creates the key material for a KMS key

  • You can also import your own key material

  • A KMS key can directly encrypt data of up to 4 KB in size

  • For anything larger, a KMS key is used to generate, encrypt and decrypt Data Encryption Keys (DEKs), which then encrypt the data outside KMS

Alternative Key Stores

External Key Store

  • Keys can be stored outside of AWS to meet regulatory requirements

  • You can create a KMS key in an AWS KMS external key store (XKS), a kind of custom key store backed by an external key manager instead of CloudHSM

  • All key material is generated and stored in the external key manager and never leaves it; AWS KMS forwards encryption and decryption requests through an external key store proxy that you operate

  • Only symmetric encryption KMS keys can be created in an external key store

Custom Key Store

  • You can create KMS keys in an AWS CloudHSM key store, the original type of custom key store

  • All key material is generated and stored in an AWS CloudHSM cluster that you own and manage

  • Cryptographic operations are performed solely in that AWS CloudHSM cluster

  • Only symmetric encryption KMS keys are supported; asymmetric and HMAC KMS keys cannot be created in a custom key store

AWS Managed KMS Keys

  • Created, managed, and used on your behalf by an AWS service that is integrated with AWS KMS

  • You cannot manage these KMS keys, control their rotation (AWS KMS rotates them automatically every year) or change their key policies, but you can view them and audit their use in CloudTrail

  • You also cannot use AWS managed KMS keys in cryptographic operations directly; the service that created them uses them on your behalf

Data Encryption Keys

  • Data keys are symmetric encryption keys that you use to encrypt large amounts of data outside KMS; this pattern is called envelope encryption

  • You can use a symmetric KMS key to generate a data key (GenerateDataKey returns both the plaintext key and a copy encrypted under the KMS key) and, later, to decrypt that encrypted copy

  • AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys

  • You must use and manage data keys outside of AWS KMS: store the encrypted data key alongside the ciphertext and discard the plaintext data key as soon as the data has been encrypted

KMS Keys and Automatic Rotation

  • You cannot enable or disable key rotation for AWS owned keys or AWS managed keys

  • Automatic key rotation is supported only on symmetric encryption KMS keys with key material that AWS KMS generates (Origin = AWS_KMS)

  • Automatic rotation generates new key material every year by default; it is optional for customer managed keys and always on for AWS managed keys

With automatic key rotation:

  • The properties of the KMS key, including its key ID, key ARN, region, policies, and permissions, do not change when the key is rotated

  • You do not need to change applications or aliases that refer to the key ID or key ARN of the KMS key

  • After you enable key rotation, AWS KMS rotates the KMS key automatically every year

  • AWS KMS retains every previous version of the key material: new encryptions use the newest material, and ciphertext produced under older material still decrypts because the ciphertext identifies which material was used

Automatic key rotation is not supported on the following types of KMS keys:

  • Asymmetric KMS keys

  • HMAC KMS keys

  • KMS keys in custom key stores

  • KMS keys with imported key material

Note: You can rotate these KMS keys manually

Manual Rotation

  • Manual rotation means creating a new KMS key with a different key ID and moving new encryptions to it

  • You must then update your applications with the new key ID

  • You can use an alias to represent a KMS key, so that rotating means repointing the alias (UpdateAlias) rather than modifying application code

  • Keep the old key enabled, and do not schedule it for deletion, for as long as you need to decrypt ciphertext produced under it: Decrypt uses the key recorded in the ciphertext, not the alias
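The data-key workflow from the Data Encryption Keys section and the two rotation behaviours described above (automatic rotation leaving old ciphertext decryptable, manual rotation by repointing an alias while the old key stays alive), as one added example that is not code from these notes or from AWS. It runs offline against a simulated KMS: the `FakeKms` class, its method names, the `alias/app` alias and the 16000-byte payload are assumptions, and an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for AES-GCM. It also enforces the 4 KB limit on direct Encrypt calls noted earlier.

```python
"""Envelope encryption against a simulated AWS KMS, standard library only.

Added example, not code from the original notes or from AWS: an HMAC-SHA256
keystream plus encrypt-then-MAC tag stands in for AES-GCM so it runs offline,
and FakeKms only mirrors the shape of the real API (its names are assumptions).
"""
import hashlib, hmac, json, os, struct

KMS_MAX_PLAINTEXT = 4096  # KMS Encrypt accepts at most 4 KB under a symmetric key


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _xor_keystream(key, nonce, data):
    """Counter-mode keystream from HMAC-SHA256 (toy cipher, not AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def aead_encrypt(key, plaintext, aad=b""):
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_keystream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()


def aead_decrypt(key, blob, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext or wrapped key was altered")
    return _xor_keystream(enc_key, nonce, ct)


class FakeKms:
    """Symmetric KMS keys plus aliases. Each key holds a list of key-material
    versions: automatic rotation appends one, and every ciphertext records the
    key id and version that produced it, so pre-rotation ciphertext still decrypts."""

    def __init__(self):
        self.keys = {}     # key_id -> [material v0, material v1, ...]
        self.aliases = {}  # "alias/name" -> key_id

    def create_key(self):
        key_id = os.urandom(8).hex()  # stand-in for a real KMS key id
        self.keys[key_id] = [os.urandom(32)]
        return key_id

    def rotate_key(self, key_id):  # what automatic rotation does
        self.keys[key_id].append(os.urandom(32))

    def update_alias(self, alias, key_id):  # the manual-rotation step
        self.aliases[alias] = key_id

    def schedule_key_deletion(self, key_id):  # real KMS waits 7 to 30 days first
        del self.keys[key_id]

    def _resolve(self, key_ref):
        return self.aliases[key_ref] if key_ref.startswith("alias/") else key_ref

    def encrypt(self, key_ref, plaintext):
        if len(plaintext) > KMS_MAX_PLAINTEXT:
            raise ValueError("Encrypt: plaintext exceeds 4096 bytes, use a data key")
        key_id = self._resolve(key_ref)
        version = len(self.keys[key_id]) - 1  # newest material encrypts
        header = json.dumps({"key_id": key_id, "v": version}).encode()
        body = aead_encrypt(self.keys[key_id][version], plaintext, aad=header)
        return struct.pack(">H", len(header)) + header + body

    def decrypt(self, blob):
        # No KeyId needed: the blob names its own key and material version.
        hlen = struct.unpack(">H", blob[:2])[0]
        header = blob[2:2 + hlen]
        meta = json.loads(header)
        if meta["key_id"] not in self.keys:
            raise KeyError("wrapping key was deleted; this ciphertext is unrecoverable")
        return aead_decrypt(self.keys[meta["key_id"]][meta["v"]], blob[2 + hlen:], aad=header)

    def generate_data_key(self, key_ref):
        dek = os.urandom(32)  # real GenerateDataKey returns Plaintext and CiphertextBlob
        return dek, self.encrypt(key_ref, dek)


def envelope_encrypt(kms, key_ref, data):
    dek, wrapped = kms.generate_data_key(key_ref)
    ciphertext = aead_encrypt(dek, data)  # bulk data never goes to KMS
    del dek                               # only the wrapped copy is stored
    return {"wrapped_dek": wrapped, "ciphertext": ciphertext}


def envelope_decrypt(kms, env):
    dek = kms.decrypt(env["wrapped_dek"])  # one small KMS call per object
    return aead_decrypt(dek, env["ciphertext"])
```

Against the real service the same flow is `kms.generate_data_key(KeyId="alias/app", KeySpec="AES_256")` (use `Plaintext` locally, store `CiphertextBlob`) and `kms.decrypt(CiphertextBlob=...)` with boto3, with the local encryption done by a real AEAD such as AES-GCM. The simulation keeps the two properties the notes stress: rotating a key appends material without invalidating old wrapped keys, and a manual rotation that deletes the old key makes everything wrapped under it unrecoverable.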

KMS Key Policies

Key policies define management and usage permissions for KMS keys

Multiple policy statements can be combined to specify separate administrative and usage permissions

Permissions can be specified for delegating use of the key to AWS services

  • To share an encrypted snapshot with another account, the key policy must grant that account at least kms:Decrypt and kms:CreateGrant on the key

  • The kms:ViaService condition key can be used to limit key usage to requests that arrive through specific AWS services (for example, only through Amazon S3 in one Region)

  • For example:

  • Cryptographic erasure means removing the ability to decrypt data. With imported key material it is achieved by deleting that key material: the KMS key becomes unusable immediately (key state PendingImport), and ciphertext under it can only be recovered by re-importing the same material. ScheduleKeyDeletion, by contrast, enforces a 7 to 30 day waiting period before the key is gone

  • You must use the DeleteImportedKeyMaterial API to remove the key material

  • An InvalidKeyId exception when using SSM Parameter Store indicates the KMS key is not enabled

  • Make sure you know the differences between AWS managed and customer managed KMS keys, and between automatic and manual rotation
