AWS Key Management Service - AWS GovCloud (US)

AWS Key Management Service

AWS Key Management Service (KMS) is an encryption and key management service scaled for the cloud. KMS keys and functionality are used by other AWS services, and you can use them to protect data in your own applications that use AWS.

How AWS KMS Differs for AWS GovCloud (US)

This service has no differences between AWS GovCloud (US) Regions and the standard AWS Regions.

Documentation for AWS Key Management Service

AWS Key Management Service Developer Guide.

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in AWS GovCloud (US) Regions. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in AWS GovCloud (US) Regions, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • All data encrypted with an AWS KMS key can contain ITAR-regulated data.

ITAR-Regulated Data Not Permitted

  • AWS KMS metadata is not permitted to contain ITAR-regulated data. Do not enter ITAR-regulated data in the following fields:

    • Alias

    • Descriptions

    • Key policy documents, including key administrators and key users

  • The Encryption Context is outside the ITAR boundary.

  • AWS KMS generated metadata will not contain ITAR-regulated data:

    • Key ID

    • Key ARN
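As an added example that is not part of the AWS documentation, the following Python guardrail checks the metadata fields listed above (alias, description, and every EncryptionContext key and value) before a KMS request is sent. It assumes an organisational convention, not an AWS rule, that these fields may only carry opaque identifiers; the regex, the allowlist of context keys, and the sample requests are constructed for illustration.

```python
"""Pre-flight check for AWS KMS request fields that sit outside the ITAR boundary.

Added example, not AWS code. Assumed convention: alias names, descriptions and
EncryptionContext entries carry only opaque tokens (ids, slugs, ARNs), never free
text. The Plaintext field is deliberately not inspected, because it is the one
field that is permitted to contain controlled data. The EncryptionContext also
appears in plaintext in CloudTrail, which is why it deserves the same scrutiny.
"""
import re

# Assumed convention: short opaque tokens only, no whitespace.
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9_.:/-]{1,64}$")
# Assumed allowlist of EncryptionContext keys an application may use.
ALLOWED_CONTEXT_KEYS = {"tenant_id", "purpose", "record_id"}


def check_metadata_field(name, value, violations):
    """Record a violation if `value` looks like free text rather than an opaque token."""
    if value is None or value == "":
        return
    if not OPAQUE_TOKEN.fullmatch(value):
        violations.append(f"{name}: free text is not permitted outside the ITAR boundary")


def check_encrypt_request(req):
    """Validate the EncryptionContext of an Encrypt/GenerateDataKey request dict."""
    violations = []
    for key, value in (req.get("EncryptionContext") or {}).items():
        if key not in ALLOWED_CONTEXT_KEYS:
            violations.append(f"EncryptionContext.{key}: key not in allowlist")
        check_metadata_field(f"EncryptionContext.{key}", value, violations)
    return violations


def check_key_request(req):
    """Validate the Description and AliasName of a CreateKey/CreateAlias request dict."""
    violations = []
    check_metadata_field("Description", req.get("Description"), violations)
    check_metadata_field("AliasName", req.get("AliasName"), violations)
    return violations


# Constructed sample requests; no real keys, data or accounts.
GOOD_ENCRYPT = {"KeyId": "alias/example-key", "Plaintext": b"<controlled data>",
                "EncryptionContext": {"tenant_id": "t-0042", "purpose": "invoice-archive"}}
BAD_ENCRYPT = {"KeyId": "alias/example-key", "Plaintext": b"<controlled data>",
               "EncryptionContext": {"purpose": "export licence for part 7 guidance unit"}}
BAD_KEY = {"Description": "Guidance unit export docs", "AliasName": "alias/project-x"}

if __name__ == "__main__":
    for label, result in [("good encrypt", check_encrypt_request(GOOD_ENCRYPT)),
                          ("bad encrypt", check_encrypt_request(BAD_ENCRYPT)),
                          ("bad key", check_key_request(BAD_KEY))]:
        print(label, "->", result or "ok")
```

Run the checks on the request dict immediately before the boto3 call and refuse to send when the returned list is non-empty.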