Document history

This topic describes significant updates to the AWS Key Management Service Developer Guide.

Recent updates

The following table describes significant changes to this documentation since January 2018. In addition to major changes listed here, we also update the documentation frequently to improve the descriptions and examples, and to address the feedback that you send to us. To be notified about significant changes, subscribe to the RSS feed.

You might need to scroll horizontally or vertically to see all of the data in this table.

Change	Description	Date
Quota change	Increased the default request rate for ImportKeyMaterial and DeleteImportedKeyMaterial requests.	July 23, 2024
Quota change	Increased the default cryptographic operations request rate for symmetric encryption KMS keys, RSA KMS keys, and ECC and SM2 KMS keys.	July 8, 2024
New feature	Added new KeyUsage type KEY_AGREEMENT for NIST-recommended elliptic curve (ECC) and SM2 (China Regions only) KMS keys and added support to derive shared secrets.	June 13, 2024
Updates to key rotation	Added support for custom rotation periods for automatic key rotations, on-demand key rotations, and visibility into your key material rotations.	April 12, 2024
Updates to managed policy	Added new permissions to AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy that allow AWS KMS to monitor changes in the VPC that contains your AWS CloudHSM cluster so that AWS KMS can provide clear error messages in the case of failures.	November 10, 2023
Feature update	Added support for the DryRun API parameter.	July 5, 2023
Feature update	Added support for importing key material for all types of AWS KMS keys, except custom key stores.	June 5, 2023
Feature update	Updates to AWS KMS APIs for Nitro Enclaves	March 10, 2023
Feature update	The RSAES_PKCS1_V1_5 wrapping algorithm is deprecated. AWS KMS will end all support for RSAES_PKCS1_V1_5 by October 1, 2023 pursuant to cryptographic key management guidance from the National Institute of Standards and Technology (NIST). We recommend that you begin using a different wrapping algorithm immediately.	February 28, 2023
Feature update	Added support for External key stores, a feature that lets you protect your AWS resources using cryptographic keys outside of AWS.	November 29, 2022
Quota change	Increased the AWS KMS keys resource quota to 100,000 KMS keys in each account and Region.	July 8, 2022
Feature update	Added support for HMAC KMS keys in more AWS Regions	July 8, 2022
New topic	Added the Resilience in AWS Key Management Service topic to the Security chapter of the AWS KMS Developer Guide.	June 14, 2022
New feature	Added support for AWS KMS keys and API operations that generate and verify HMAC codes.	April 19, 2022
Documentation change	Replace the term customer master key (CMK) with AWS KMS key and KMS key.	August 30, 2021
New feature	Added support for multi-Region keys, a set of interoperable KMS keys in different Regions that have the same key ID and key material. You can use multi-Region keys to encrypt data in one Region and decrypt data in a different Region.	June 8, 2021
New feature	Added support for attribute based access control (ABAC). You can use tags and aliases to control access to your AWS KMS keys.	December 17, 2020
New feature	Added support for VPC endpoint policies.	July 9, 2020
New content	Explains the security properties of AWS KMS.	June 18, 2020
New feature	Added support for asymmetric AWS KMS keys and asymmetric data keys.	November 25, 2019
Updated feature	You can view the key policy of AWS managed keys in the AWS KMS console. This feature used to be limited to customer managed keys.	November 15, 2019
New feature	Explains how to use hybrid post-quantum key exchange algorithms in TLS for your calls to AWS KMS.	November 4, 2019
Quota change	Increased the resource quotas for some APIs that manage KMS keys.	September 18, 2019
Quota change	Changed the resource quotas for KMS keys, aliases, and grants per KMS key.	March 27, 2019
Quota change	Changed the shared per-second request quota for cryptographic operations that use AWS KMS keys in a custom key store.	March 7, 2019
New feature	Explains how to create and manage AWS KMS custom key stores. Each key store is backed by an AWS CloudHSM cluster that you own and control.	November 26, 2018
New console	Explains how to use the new AWS KMS console, which is independent of the IAM console. The original console, and instructions for using it, will remain available for a brief period to give you time to familiarize yourself with the new console.	November 7, 2018
Quota change	Changed the shared request quota for use of AWS KMS keys.	August 21, 2018
New content	Explains how AWS Secrets Manager uses AWS KMS keys to encrypt the secret value in a secret.	July 13, 2018
New content	Explains how DynamoDB uses AWS KMS AWS KMS keys to support its server-side encryption option.	May 23, 2018
New feature	Explains how to use a private endpoint in your VPC to connect directly to AWS KMS, instead of connecting over the internet.	January 22, 2018

Earlier updates

The following table describes the important changes to the AWS Key Management Service Developer Guide prior to 2018.

You might need to scroll horizontally or vertically to see all of the data in this table.

Change	Description	Date
New content	Added documentation about Tags in AWS KMS.	February 15, 2017
New content	Added documentation about Monitor AWS KMS keys and Monitor KMS keys with Amazon CloudWatch.	August 31, 2016
New content	Added documentation about Imported key material.	August 11, 2016
New content	Added the following documentation: IAM policies, Permissions reference, and Condition keys.	July 5, 2016
Update	Updated portions of the documentation in the KMS key access and permissions chapter.	July 5, 2016
Update	Updated the Quotas page to reflect new default quotas.	May 31, 2016
Update	Updated the Quotas page to reflect new default quotas, and updated the grant token documentation to improve clarity and accuracy.	April 11, 2016
New content	Added documentation about Allowing multiple IAM principals to access a KMS key and Using the IP address condition.	February 17, 2016
Update	Updated the Key policies in AWS KMS and Change a key policy pages to improve clarity and accuracy.	February 17, 2016
Update	Updated the Managing KMS keys topic pages to improve clarity.	January 5, 2016
New content	Added documentation about How AWS CloudTrail uses AWS KMS.	November 18, 2015
New content	Added instructions for Change a key policy.	November 18, 2015
Update	Updated the documentation about How Amazon Relational Database Service uses AWS KMS.	November 18, 2015
New content	Added documentation about Amazon WorkSpaces.	November 6, 2015
Update	Updated the Key policies in AWS KMS page to improve clarity.	October 22, 2015
New content	Added documentation about Delete an AWS KMS keys, including supporting documentation about Create an alarm and Determine past usage of a KMS key.	October 15, 2015
New content	Added documentation about Determining access to AWS KMS keys.	October 15, 2015
New content	Added documentation about Key states of AWS KMS keys.	October 15, 2015
New content	Added documentation about Amazon Simple Email Service.	October 1, 2015
Update	Updated the Quotas page to explain the new request quotas.	August 31, 2015
New content	Added information about the charges for using AWS KMS. See AWS KMS Pricing.	August 14, 2015
New content	Added request quotas to the AWS KMS Quotas.	June 11, 2015
New content	Added a new Java code sample demonstrating use of the UpdateAlias operation.	June 1, 2015
Update	Moved the AWS Key Management Service regions table to the AWS General Reference.	May 29, 2015
New content	Added documentation about How Amazon EMR uses AWS KMS.	January 28, 2015
New content	Added documentation about Amazon WorkMail.	January 28, 2015
New content	Added documentation about How Amazon Relational Database Service uses AWS KMS.	January 6, 2015
New content	Added documentation about Amazon Elastic Transcoder.	November 24, 2014
New guide	Introduced the AWS Key Management Service Developer Guide.	November 12, 2014