Security best practices for AWS Key Management Service

AWS Key Management Service (AWS KMS) supports many security features that you can implement to enhance the protection of your encryption keys, including key policies and IAM policies, an encryption context option for cryptographic operations on symmetric encryption keys, an extensive set of condition keys to refine your key policies and IAM policies, and grant constraints to limit grants.

These security features are described in detail in AWS Key Management Service Best Practices (PDF). The general guidelines in this technical paper do not represent a complete security solution. Because not all best practices are appropriate for all situations, these are not intended to be prescriptive.

See also

Best practices for IAM policies
Best practices for AWS KMS grants
Security best practices in IAM in the IAM User Guide

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Infrastructure security

Quotas