AWS Key Management Service
AWS Key Management Service (AWS KMS) is an AWS managed service that makes it easy for you to create and
control the encryption keys that are used to encrypt your data. The AWS KMS keys that you
create in AWS KMS are protected by FIPS 140-2 validated hardware
security modules (HSM)
Why use AWS KMS?
When you encrypt data, you need to protect your encryption key. If you encrypt your key, you need to protect its encryption key. Eventually, you must protect the highest level encryption key (known as a root key) in the hierarchy that protects your data. That's where AWS KMS comes in.
AWS KMS protects your root keys. KMS keys are created, managed, used, and deleted entirely within AWS KMS. They never leave the service unencrypted. To use or manage your KMS keys, you call AWS KMS.
Additionally, you can create and manage key policies in AWS KMS, ensuring that only trusted users have access to KMS keys.
AWS KMS in AWS Regions
The AWS Regions in which AWS KMS is supported are listed in AWS Key Management Service Endpoints and Quotas. If an AWS KMS feature is not supported in an AWS Region that AWS KMS supports, the regional difference is described in the topic about the feature.
AWS KMS pricing
As with other AWS products, using AWS KMS does not require contracts or minimum purchases.
For more information about AWS KMS pricing, see AWS Key Management Service
Pricing
AWS KMS service level agreement
AWS Key Management Service is backed by a service level
agreement
