AWS Key Management Service

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the cryptographic keys that are used to protect your data. AWS KMS uses hardware security modules (HSM) to protect and validate your AWS KMS keys under the FIPS 140-2 Cryptographic Module Validation Program. China (Beijing) and China (Ningxia) Regions do not support the FIP 140-2 Cryptographic Module Validation Program. AWS KMS uses OSCCA certified HSMs to protect KMS keys in China Regions.

AWS KMS integrates with most other AWS services that encrypt your data. AWS KMS also integrates with AWS CloudTrail to log use of your KMS keys for auditing, regulatory, and compliance needs.

You can use the AWS KMS API to create and manage KMS keys and special features, such as custom key stores, and use KMS keys in cryptographic operations. For detailed information, see the AWS Key Management Service API Reference.

You can create and manage your AWS KMS keys:

• Create, edit, and view symmetric and asymmetric KMS keys, including HMAC keys.

• Control access to your KMS keys by using key policies, IAM policies, and grants. AWS KMS supports attribute-based access control (ABAC). You can also refine policies by using condition keys.

• Create, delete, list, and update aliases, friendly names for your KMS keys. You can also use aliases to control access to your KMS keys.

• Tag your KMS keys for identification, automation, and cost tracking. You can also use tags to control access to your KMS keys.

• Enable and disable KMS keys.

• Enable and disable automatic rotation of the cryptographic material in a KMS key.

• Delete KMS keys to complete the key lifecycle.

You can use your KMS keys in cryptographic operations. For examples, see Programming the AWS KMS API.

• Encrypt, decrypt, and re-encrypt data with symmetric or asymmetric KMS keys.

• Sign and verify messages with asymmetric KMS keys.

• Generate exportable symmetric data keys and asymmetric data key pairs.

• Generate and verify HMAC codes.

• Generate random numbers suitable for cryptographic applications.

You can use the advanced features of AWS KMS.

• Create multi-Region keys, which act like copies of the same KMS key in different AWS Regions.

• Import cryptographic material into a KMS key.

• Create KMS keys in an AWS CloudHSM key store backed by your AWS CloudHSM cluster.

• Create KMS keys in an external key store backed by your cryptographic keys outside of AWS.

• Connect directly to AWS KMS through a private endpoint in your VPC

• Use hybrid post-quantum TLS to provide forward-looking encryption in transit for the data that you send to AWS KMS.

By using AWS KMS, you gain more control over access to data you encrypt. You can use the key management and cryptographic features directly in your applications or through AWS services integrated with AWS KMS. Whether you write applications for AWS or use AWS services, AWS KMS enables you to maintain control over who can use your AWS KMS keys and gain access to your encrypted data.

AWS KMS integrates with AWS CloudTrail, a service that delivers log files to your designated Amazon S3 bucket. By using CloudTrail you can monitor and investigate how and when your KMS keys have been used and who used them.

AWS KMS in AWS Regions

The AWS Regions in which AWS KMS is supported are listed in AWS Key Management Service Endpoints and Quotas. If an AWS KMS feature is not supported in an AWS Region that AWS KMS supports, the regional difference is described in the topic about the feature.

AWS KMS pricing

As with other AWS products, using AWS KMS does not require contracts or minimum purchases. For more information about AWS KMS pricing, see AWS Key Management Service Pricing.

Service level agreement

AWS Key Management Service is backed by a service level agreement that defines our service availability policy.

Learn more

• To learn about the terms and concepts used in AWS KMS, see AWS KMS Concepts.

• For information about the AWS KMS API, see the AWS Key Management Service API Reference. For examples in different programming languages, see Programming the AWS KMS API.

• To learn how to use AWS CloudFormation templates to create and manage keys and aliases, see Creating AWS KMS resources with AWS CloudFormation and AWS Key Management Service resource type reference in the AWS CloudFormation User Guide.

• For detailed technical information about how AWS KMS uses cryptography and secures KMS keys, see AWS Key Management Service Cryptographic Details. The Cryptographic Details documentation does not describe how AWS KMS works in the China (Beijing) and China (Ningxia) Regions.

• For a list of AWS KMS endpoints, including FIPS endpoints, in each AWS Region, see Service endpoints in the AWS Key Management Service topic of the AWS General Reference.

• For help with questions about AWS KMS, see the AWS Key Management Service Discussion Forum.

AWS KMS in the AWS SDKs

• AWS Command Line Interface

• AWS SDK for .NET

• AWS SDK for C++

• AWS SDK for Go

• AWS SDK for Java

• AWS SDK for JavaScript

• AWS SDK for PHP

• AWS SDK for Python (Boto3)

• AWS SDK for Ruby