AWS Key Management Service
Developer Guide


What is AWS Key Management Service?

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. The customer master keys that you create in AWS KMS are protected by hardware security modules (HSMs). Our HSMs are validated by the FIPS 140-2 Cryptographic Module Validation Program except in the China (Beijing) and China (Ningxia) Regions.

AWS KMS is integrated with most other AWS services that encrypt your data with encryption keys that you manage. AWS KMS is also integrated with AWS CloudTrail to provide encryption key usage logs to help meet your auditing, regulatory and compliance needs.

You can perform the following management actions on your AWS KMS master keys:

  • Create, describe, and list master keys

  • Enable and disable master keys

  • Create and view grants and access control policies for your master keys

  • Enable and disable automatic rotation of the cryptographic material in a master key

  • Import cryptographic material into an AWS KMS master key

  • Tag your master keys for easier identification, categorizing, and tracking

  • Create, delete, list, and update aliases, which are friendly names associated with your master keys

  • Delete master keys to complete the key lifecycle

With AWS KMS you can also perform the following cryptographic functions using master keys:

  • Encrypt, decrypt, and re-encrypt data

  • Generate data encryption keys that you can export from the service in plaintext or encrypted under a master key that doesn't leave the service

  • Generate random numbers suitable for cryptographic applications

By using AWS KMS, you gain more control over access to data you encrypt. You can use the key management and cryptographic features directly in your applications or through AWS services that are integrated with AWS KMS. Whether you are writing applications for AWS or using AWS services, AWS KMS enables you to maintain control over who can use your master keys and gain access to your encrypted data.

AWS KMS is integrated with AWS CloudTrail, a service that delivers log files to an Amazon S3 bucket that you designate. By using CloudTrail you can monitor and investigate how and when your master keys have been used and by whom.
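The following script is an added illustration of the auditing just described; it is not code from the AWS documentation. It reads CloudTrail records, counts successful AWS KMS API calls per master key and caller, and lists denied attempts; the records are constructed for the example, and the account ID, key ID and principal names in them are placeholders.

```python
import json
from collections import Counter

# Constructed CloudTrail records (not real log data). Field names follow the
# CloudTrail record format; account ID, key ID and principals are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AppRole/app1"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]},
    {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/AppRole/app1"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]},
    {"eventTime": "2024-01-01T12:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "resources": []},
]})

def summarize_kms_usage(log_text):
    """Return (usage, denied): usage counts successful KMS calls per
    (key ARN, caller ARN, API name); denied lists calls that failed, so a
    reviewer sees who used which master key, when, and who was refused."""
    usage = Counter()
    denied = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # only KMS API activity is of interest here
        caller = rec.get("userIdentity", {}).get("arn", "<unknown>")
        # Calls that reference no key (e.g. ListKeys) are attributed to "<no-key>".
        keys = [r["ARN"] for r in rec.get("resources", []) if "ARN" in r] or ["<no-key>"]
        for key in keys:
            if "errorCode" in rec:
                denied.append((rec["eventTime"], caller, rec["eventName"], key, rec["errorCode"]))
            else:
                usage[(key, caller, rec["eventName"])] += 1
    return usage, denied

if __name__ == "__main__":
    usage, denied = summarize_kms_usage(SAMPLE_LOG)
    for (key, caller, api), n in sorted(usage.items()):
        print(f"{api:16} x{n}  key={key}  by={caller}")
    for when, caller, api, key, err in denied:
        print(f"DENIED {when} {api} key={key} by={caller} ({err})")
```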

Learn More

AWS KMS in AWS Regions

The AWS Regions in which AWS KMS is supported are listed in the AWS Key Management Service section of AWS Regions and Endpoints. If a particular AWS KMS feature is not available in a Region where AWS KMS is supported, that regional difference is described in the topic about the feature.

AWS KMS Pricing

As with other AWS products, there are no contracts or minimum commitments for using AWS KMS. For more information about AWS KMS pricing, see AWS Key Management Service Pricing.

Service Level Agreement

AWS Key Management Service is backed by a service level agreement that defines our service availability policy.