Why use AWS KMS?Using and managing KMS keys More resources and information

AWS Key Management Service

AWS Key Management Service (AWS KMS) is an AWS service that makes it easy for you to create and control the encryption keys that are used to encrypt your data. The AWS KMS keys that you create in AWS KMS are protected by FIPS 140-2 validated cryptographic modules. They never leave AWS KMS unencrypted. To use or manage your KMS keys, you interact with AWS KMS.

Many AWS services are integrated with AWS KMS so they encrypt your data with KMS keys in your AWS account. AWS KMS is also integrated with AWS CloudTrail to deliver detailed logs of all cryptographic operations that use your KMS keys and management operations that change their configuration. This detailed logging helps you fulfill your auditing, regulatory and compliance requirements.

Why use AWS KMS?

AWS KMS protects the KMS keys that protect your data.

In the classic scenario, you encrypt your data using data key A. But you need to protect data key A, so you encrypt data key A by using data key B. Now data key B is vulnerable, so you encrypt it by using data key C. And, so on. This encryption technique, which is called envelope encryption, always leaves one last encryption key unencrypted so you can decrypt your encryption keys and data. That last unencrypted (or plaintext) key is called a root key.

Root keys protect the data keys that protect your data

AWS KMS protects your root keys. KMS keys are created, managed, used, and deleted entirely within AWS KMS . They never leave the service unencrypted. To use or manage your KMS keys, you call AWS KMS .

Using and managing KMS keys

Symmetric KMS keys are 256-bit Advanced Encryption Standard (AES) keys that are not exportable. They spend their entire lifecycle entirely within AWS KMS.

You can also create asymmetric RSA or elliptic curve (ECC) KMS keys backed by asymmetric key pairs. The public key in each asymmetric KMS key is exportable, but the private key remains within AWS KMS.

You can create, view, and manage the KMS keys in your AWS account from the AWS Management Console and AWS KMS API operations. You have full control over your customer managed KMS keys.

You can:

Establish policies that determine who can use and manage your KMS keys.
Enable and disable your KMS keys.
Enable and disable automatic rotation of the key material in your KMS keys.
Schedule deletion of your KMS keys when you are finished using them.

You can also use your KMS keys in cryptographic operations. You can encrypt and decrypt small amounts of data directly under the KMS keys. But KMS keys are typically used to generate, encrypt, decrypt, and reencrypt exportable data keys that protect your data outside of AWS KMS. You can also give other AWS services permission to use your KMS keys on your behalf to encrypt the data that the service stores and manages for you.

More resources and information

You can read about AWS Key Management Service in the AWS Key Management Service Developer Guide and the AWS Key Management Service API Reference. If you have questions, read and post on the AWS KMS Discussion Forum.

If you are required to control and manage the hardware security modules that generate and store your encryption keys, learn about AWS CloudHSM.

If you need help using encryption keys to encrypt your data, such as the data keys that AWS KMS returns, learn about the AWS Encryption SDK.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS CloudHSM

AWS Encryption SDK