Key Management Service
AWS Key Management Service (AWS KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications.
AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.


KMS and KMS Keys

Data Encryption Keys (DEKs)

Key Concepts

Key Policies and Security

• Create and manage symmetric and asymmetric encryption keys
• The KMS keys are protected by hardware security modules (HSMs)

• KMS keys are the primary resources in AWS KMS
• Used to be known as “customer master keys” or CMKs
• The KMS key also contains the key material used to encrypt and decrypt data
• By default, AWS KMS creates the key material for a KMS key
• You can also import your own key material
• A KMS key can encrypt data up to 4 KB in size
• A KMS key can generate, encrypt and decrypt Data Encryption Keys (DEKs)
Alternative Key Stores
External Key Store
• Keys can be stored outside of AWS to meet regulatory requirements
• You can create a KMS key in an AWS KMS external key store (XKS)
• All keys are generated and stored in an external key manager
• When using an XKS, key material never leaves your HSM
Custom Key Store
• You can create KMS keys in an AWS CloudHSM custom key store
• All keys are generated and stored in an AWS CloudHSM cluster that you own and manage
• Cryptographic operations are performed solely in the AWS CloudHSM cluster you own and manage
• Custom key stores are not available for asymmetric KMS keys
AWS Managed KMS Keys
Created, managed, and used on your behalf by an AWS service that is integrated with AWS KMS
You cannot manage these KMS keys, rotate them, or change their key policies
You also cannot use AWS managed KMS keys in cryptographic operations directly; the service that creates them uses them on your behalf

Data Encryption Keys
Data keys are encryption keys that you can use to encrypt large amounts of data
You can use AWS KMS keys to generate, encrypt, and decrypt data keys
AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys
You must use and manage data keys outside of AWS KMS

KMS Keys and Automatic Rotation
You cannot enable or disable key rotation for AWS owned keys
Automatic key rotation is supported only on symmetric encryption KMS keys with key material that AWS KMS generates (Origin = AWS_KMS)
Automatic rotation generates new key material every year (optional for customer managed keys)
With automatic key rotation:
The properties of the KMS key, including its key ID, key ARN, region, policies, and permissions, do not change when the key is rotated
You do not need to change applications or aliases that refer to the key ID or key ARN of the KMS key
After you enable key rotation, AWS KMS rotates the KMS key automatically every year
Automatic key rotation is not supported on the following types of KMS keys:
Asymmetric KMS keys
HMAC KMS keys
KMS keys in custom key stores
KMS keys with imported key material
Note: You can rotate these KMS keys manually
Manual Rotation
Manual rotation means creating a new KMS key with a different key ID
You must then update your applications with the new key ID
You can use an alias to represent a KMS key so you don’t need to modify your application code

KMS Key Policies
Key policies define management and usage permissions for KMS keys

Multiple policy statements can be combined to specify separate administrative and usage permissions

Permissions can be specified for delegating use of the key to AWS services

To share snapshots with another account, you must grant that account the Decrypt and CreateGrant permissions on the key
The kms:ViaService condition key can be used to limit key usage to specific AWS services
For example:

Cryptographic erasure means removing the ability to decrypt data and can be achieved when using imported key material and deleting that key material
You must use the DeleteImportedKeyMaterial API to remove the key material
An InvalidKeyId exception when using SSM Parameter Store indicates the KMS key is not enabled
Make sure you know the differences between AWS managed and customer managed KMS keys and automatic vs manual rotation