What is AWS Key Management Service?
AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control customer master keys (CMKs), the encryption keys used to encrypt your data. AWS KMS CMKs are protected by hardware security modules (HSMs) that are validated by the FIPS 140-2 Cryptographic Module Validation Program. AWS KMS is integrated with most other AWS services.
You can create and manage your AWS KMS customer master keys (CMKs):
- Enable and disable CMKs
- Create, edit, and view key policies and grants for your CMKs
- Enable and disable automatic rotation of the cryptographic material in a CMK
- Tag your CMKs for identification, automation, and cost tracking
- Create, delete, list, and update aliases, which are friendly names for your CMKs
- Delete CMKs to complete the key lifecycle
You can use your CMKs in cryptographic operations. For examples, see Programming the AWS KMS API.
- Encrypt, decrypt, and re-encrypt data with symmetric or asymmetric CMKs
- Sign and verify messages with asymmetric CMKs
- Generate exportable symmetric data keys and asymmetric data key pairs
- Generate random numbers suitable for cryptographic applications
You can use the advanced features of AWS KMS.
- Import cryptographic material into a CMK
- Create CMKs in your own custom key store backed by an AWS CloudHSM cluster
- Connect directly to AWS KMS through a private endpoint in your VPC
- Use hybrid post-quantum TLS to provide forward-looking encryption in transit for the data that you send to AWS KMS
By using AWS KMS, you gain more control over access to data you encrypt. You can use the key management and cryptographic features directly in your applications or through AWS services that are integrated with AWS KMS. Whether you are writing applications for AWS or using AWS services, AWS KMS enables you to maintain control over who can use your customer master keys and gain access to your encrypted data.
AWS KMS is integrated with AWS CloudTrail, a service that delivers log files to an Amazon S3 bucket that you designate. By using CloudTrail you can monitor and investigate how and when your CMKs have been used and by whom.
AWS KMS in AWS Regions
The AWS Regions in which AWS KMS is supported are listed in AWS Key Management Service Endpoints and Quotas. If an AWS KMS feature is not supported in an AWS Region that AWS KMS supports, the regional difference is described in the topic about the feature.
AWS KMS pricing
As with other AWS products, there are no contracts or minimum purchase requirements for using AWS KMS. For more information about AWS KMS pricing, see AWS Key Management Service Pricing.
Service level agreement
AWS Key Management Service is backed by a service level agreement.
Learn more
- To learn about the terms and concepts used in AWS KMS, see AWS KMS Concepts.
- For information about the AWS KMS API, see the AWS Key Management Service API Reference. For examples in different programming languages, see Programming the AWS KMS API.
- For detailed technical information about how AWS KMS uses cryptography and secures CMKs, see the AWS Key Management Service Cryptographic Details whitepaper. This whitepaper does not describe how AWS KMS works in the China (Beijing) and China (Ningxia) Regions.
- For help with questions about AWS KMS, see the AWS Key Management Service Discussion Forum.
AWS KMS in the AWS SDKs