What is AWS Key Management Service? - AWS Key Management Service

What is AWS Key Management Service?

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys that are used to encrypt your data. AWS KMS uses hardware security modules (HSM) to protect and validate your AWS KMS keys under the FIPS 140-2 Cryptographic Module Validation Program, except in the China (Beijing) and China (Ningxia) Regions.

AWS KMS integrates with most AWS services that encrypt your data. AWS KMS also integrates with AWS CloudTrail to log use of your KMS keys for auditing, regulatory, and compliance needs.

You can create and manage your AWS KMS keys:

You can use your KMS keys in cryptographic operations. For examples, see Programming the AWS KMS API.

  • Encrypt, decrypt, and re-encrypt data with symmetric or asymmetric KMS keys.

  • Sign and verify messages with asymmetric KMS keys.

  • Generate exportable symmetric data keys and asymmetric data key pairs.

  • Generate random numbers suitable for cryptographic applications.

You can use the advanced features of AWS KMS.

By using AWS KMS, you gain more control over access to data you encrypt. You can use the key management and cryptographic features directly in your applications or through AWS services integrated with AWS KMS. Whether you write applications for AWS or use AWS services, AWS KMS enables you to maintain control over who can use your AWS KMS keys and gain access to your encrypted data.

AWS KMS integrates with AWS CloudTrail, a service that delivers log files to your designated Amazon S3 bucket. By using CloudTrail you can monitor and investigate how and when your KMS keys have been used and who used them.

AWS KMS in AWS Regions

The AWS Regions in which AWS KMS is supported are listed in AWS Key Management Service Endpoints and Quotas. If an AWS KMS feature is not supported in an AWS Region that AWS KMS supports, the regional difference is described in the topic about the feature.

AWS KMS pricing

As with other AWS products, using AWS KMS does not require contracts or minimum purchases. For more information about AWS KMS pricing, see AWS Key Management Service Pricing.

Service level agreement

AWS Key Management Service is backed by a service level agreement that defines our service availability policy.

Learn more

AWS KMS in the AWS SDKs