When to use AWS Key Management Service (AWS KMS) - AWS cryptography services

When to use AWS Key Management Service (AWS KMS)

When you encrypt data, you need to protect your encryption key. If you encrypt your key, you need to protect its encryption key. Eventually, you must protect the highest level encryption key (known as a root key) in the hierarchy that protects your data. That's where AWS KMS comes in.

AWS Key Management Service (AWS KMS) lets you create, store, and manage KMS keys securely. Your KMS keys never leave AWS KMS unencrypted. To use a KMS key in a cryptographic operation, you call AWS KMS.

Additionally, you can create and manage key policies in AWS KMS, ensuring that only trusted users have access to KMS keys.

When Do I Use It?

  • Use AWS KMS to create and manage KMS keys. You can establish policies that determine who can use your KMS keys and how they can use them. You can track their use in transaction and audit logs, such as AWS CloudTrail.

  • You can use your KMS keys to encrypt small amounts of data (up to 4096 bytes). However, KMS keys are typically used to generate, encrypt, and decrypt the data keys that encrypt your data outside of AWS KMS. Unlike KMS keys, data keys can encrypt data of any size and format, including streamed data.
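The data-key pattern described above (the KMS key only ever wraps and unwraps a small data key; the data itself is encrypted locally), as an added example that is not AWS documentation or AWS SDK code: a constructed in-process FakeKMS stands in for the service and keeps its root key inside the struct, GenerateDataKey and Decrypt mirror the two KMS calls, and AES-256-GCM from the Go standard library does the local encryption of a payload far larger than the 4096-byte direct-encryption limit. FakeKMS, seal, unseal and Envelope are constructed names, and every key in the example is assumed to be 32 bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// FakeKMS is a constructed stand-in for AWS KMS, not the real service or SDK:
// the root key lives only inside it and is never returned to callers.
type FakeKMS struct{ rootKey []byte }

// seal/unseal: AES-256-GCM with a random nonce prepended; keys here are always 32 bytes.
func seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
func unseal(key, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// GenerateDataKey returns a fresh data key in plaintext (for local use) and wrapped under the root key.
func (k *FakeKMS) GenerateDataKey() (plain, wrapped []byte) {
	plain = make([]byte, 32)
	rand.Read(plain)
	return plain, seal(k.rootKey, plain)
}
// Decrypt unwraps a data key inside "KMS"; the root key itself never leaves.
func (k *FakeKMS) Decrypt(wrapped []byte) ([]byte, error) { return unseal(k.rootKey, wrapped) }

// Envelope is what the caller persists: the wrapped data key next to the data ciphertext.
type Envelope struct{ WrappedKey, Ciphertext []byte }

// EnvelopeEncrypt encrypts data of any size locally; only the 32-byte data key goes through KMS.
func EnvelopeEncrypt(kms *FakeKMS, data []byte) Envelope {
	plain, wrapped := kms.GenerateDataKey()
	return Envelope{WrappedKey: wrapped, Ciphertext: seal(plain, data)}
}
// EnvelopeDecrypt asks KMS only for the data key, then decrypts locally.
func EnvelopeDecrypt(kms *FakeKMS, e Envelope) ([]byte, error) {
	plain, err := kms.Decrypt(e.WrappedKey)
	if err != nil {
		return nil, err
	}
	return unseal(plain, e.Ciphertext)
}
```

Against the real service the two FakeKMS methods correspond to the GenerateDataKey and Decrypt API calls, and the wrapped key is what you store alongside the ciphertext.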

When Do I Use Something Else?

  • AWS KMS does not store or manage data keys, and you cannot use AWS KMS to encrypt or decrypt with data keys. To use data keys to encrypt and decrypt, use the AWS Encryption SDK.

  • KMS keys are backed by FIPS-validated hardware security modules (HSMs) that AWS KMS manages. To manage your own HSMs, use AWS CloudHSM.