Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

AWS Logo
Menu

What AWS Key Management Service is

This blog will help you understand what AWS Key Manangement Service(KMS) is and in what scenarios AWS KMS should be used.

kmsawskms
Pin Xiong
Published Jan 1, 2025
Comments
AWS Key Management Service (AWS KMS) is an AWS managed service that help to protect your encryption keys. You can create and manage them using AWS KMS.
Before introducing what AWS KMS is, we should know a little bit cryptography technology.

Cryptography technology

Generally speaking, cryptography technology can help people protect thier sensitive data. If we want to reach this goal, we have to use encryption algorithms to change the sensitive data from the plaintext to ciphertext and use decryption algorithms to convert the ciphertext to plaintext.

Encryption

Encryption is the process that converts sensitive data into an alternative form that hides the true meaning of that information. Encryption has been there a long time before computers to facilitate secret communication. Traditionally, we encrypt the plaintext using a mapping table to change the plaintext to ciphertext.
For example, the plaintext is Hello, the mapping table is as below:
KeyValue
H#
e4
lH
o?
The encrypted content(ciphertext) is #4HH?. It's very diffcult for people to know the plaintext a long time ago if they don't know this mapping table. Nowadays, people can use brute force to obtain the plaintext. Cryptographers have invented some encryption algorithms to solve this problem. All these encryption algorithms consist of the plaintext, a key and a rule. Compaired with the example above, the key in the encryption algorithm is similar with the mapping table. That the reason why the key is very important. On the other hand, we can do the inverse operations to decrypt the ciphertext to obtain the plaintext.

What is the key?

There are two types of encryption algorithms, symmetric encryption algorithm and asymmetric encryption algorithm respectively. The difference between them is the key. For symmetric encryption algorithm, the key can be used to encrypt the plaintext and decrypt the ciphertext. However, the asymmetric encryption algorithm have different keys. The public key is to encrypt the plaintext, and the private key is to decrypt the ciphertext.
As we know, the key is really very important to protect our sensitive data. The purpose of AWS KMS is to protect thoes keys.

How does AWS KMS to protect keys

All encryption keys are call Customer Master Key (CMK) which is stored in KMS using Hardware Security Moduel(HSM). KMS can promise that the keys cannot leave the HSM to encrypt or decrypt the data. AWS CloudTrail can track the usage logs of the keys for audit and compliance needs.
There are three types of CMKs in AWS KMS below:
Type of CMKCan veiwCan manageUsed only for my AWS accountAutomic rotation
Customer managed CMKyesyesyesOptional. Every 365 days.
AWS managed CMKyesnoyesRequired. Every 1095 days.
AWS owned CMKnononoVaries
AWS owned CMK is the fundamental facility, which is the root key of all keys. AWS managed CMKs are derived by the AWS owned CMK, which is used for AWS services.
Image not found
AWS managed Keys
This graph shows all AWS managed CMKs in my AWS account. If you use more AWS services, you can see more.
In terms of customer manage CMKs, we can create and mange them. AWS provides two features for CMKs. The one is key policies, the other is key rotation.

Key Policies

The purpose of this feature is to define who can use the keys and who can administrate the keys. Once created, these policies cannot be modified, only deleted.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::157854716818:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::157854716818:user/xiongpin"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion",
"kms:RotateKeyOnDemand"
],
"Resource": "*"
}
The above key policy shows the root user of this account allows full access to the CMK, and user/xiongpin allows administrate the CMK. The following key policy shows there only the role of AWSServiceRoleForSupport can use the CMK.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::157854716818:role/aws-service-role/support.amazonaws.com/AWSServiceRoleForSupport"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
In summary, KMS use key policies to define different kinds of permissions.

Key Rotation

Cryptographic best practices discourage extensive use of encryption keys. Because of that, AWS allows rotating the CMK. You can enable automic key rotation.
Image not found
Automic key rotation
This graph shows how AWS KMS rotate the key below.
Image not found
Backing key
AWS KMS saves references to the old backing keys when renewing. In this way, AWS KMS can decrypt the data or data keys that were generated by the older versions fo backing keys.
 
Comments

Comments

Log in to comment