AWS Logo
Menu

What AWS Key Management Service is

This blog will help you understand what AWS Key Manangement Service(KMS) is and in what scenarios AWS KMS should be used.

Published Jan 1, 2025
AWS Key Management Service (AWS KMS) is an AWS managed service that help to protect your encryption keys. You can create and manage them using AWS KMS.
Before introducing what AWS KMS is, we should know a little bit cryptography technology.

Cryptography technology

Generally speaking, cryptography technology can help people protect thier sensitive data. If we want to reach this goal, we have to use encryption algorithms to change the sensitive data from the plaintext to ciphertext and use decryption algorithms to convert the ciphertext to plaintext.

Encryption

Encryption is the process that converts sensitive data into an alternative form that hides the true meaning of that information. Encryption has been there a long time before computers to facilitate secret communication. Traditionally, we encrypt the plaintext using a mapping table to change the plaintext to ciphertext.
For example, the plaintext is Hello, the mapping table is as below:
KeyValue
H#
e4
lH
o?
The encrypted content(ciphertext) is #4HH?. It's very diffcult for people to know the plaintext a long time ago if they don't know this mapping table. Nowadays, people can use brute force to obtain the plaintext. Cryptographers have invented some encryption algorithms to solve this problem. All these encryption algorithms consist of the plaintext, a key and a rule. Compaired with the example above, the key in the encryption algorithm is similar with the mapping table. That the reason why the key is very important. On the other hand, we can do the inverse operations to decrypt the ciphertext to obtain the plaintext.

What is the key?

There are two types of encryption algorithms, symmetric encryption algorithm and asymmetric encryption algorithm respectively. The difference between them is the key. For symmetric encryption algorithm, the key can be used to encrypt the plaintext and decrypt the ciphertext. However, the asymmetric encryption algorithm have different keys. The public key is to encrypt the plaintext, and the private key is to decrypt the ciphertext.
As we know, the key is really very important to protect our sensitive data. The purpose of AWS KMS is to protect thoes keys.

How does AWS KMS to protect keys

All encryption keys are call Customer Master Key (CMK) which is stored in KMS using Hardware Security Moduel(HSM). KMS can promise that the keys cannot leave the HSM to encrypt or decrypt the data. AWS CloudTrail can track the usage logs of the keys for audit and compliance needs.
There are three types of CMKs in AWS KMS below:
Type of CMKCan veiwCan manageUsed only for my AWS accountAutomic rotation
Customer managed CMKyesyesyesOptional. Every 365 days.
AWS managed CMKyesnoyesRequired. Every 1095 days.
AWS owned CMKnononoVaries
AWS owned CMK is the fundamental facility, which is the root key of all keys. AWS managed CMKs are derived by the AWS owned CMK, which is used for AWS services.
AWS managed Keys
AWS managed Keys
This graph shows all AWS managed CMKs in my AWS account. If you use more AWS services, you can see more.
In terms of customer manage CMKs, we can create and mange them. AWS provides two features for CMKs. The one is key policies, the other is key rotation.

Key Policies

The purpose of this feature is to define who can use the keys and who can administrate the keys. Once created, these policies cannot be modified, only deleted.
The above key policy shows the root user of this account allows full access to the CMK, and user/xiongpin allows administrate the CMK. The following key policy shows there only the role of AWSServiceRoleForSupport can use the CMK.
In summary, KMS use key policies to define different kinds of permissions.

Key Rotation

Cryptographic best practices discourage extensive use of encryption keys. Because of that, AWS allows rotating the CMK. You can enable automic key rotation.
Automic key rotation
Automic key rotation
This graph shows how AWS KMS rotate the key below.
Backing key
Backing key
AWS KMS saves references to the old backing keys when renewing. In this way, AWS KMS can decrypt the data or data keys that were generated by the older versions fo backing keys.
 

Comments