AWS Key Management Service

AWS Key Management Service

AWS Key Management Service (KMS) acts like a secure vault for your encryption keys, letting you control who can access them and use them to encrypt your data in AWS.

Published May 16, 2024
Last Modified May 17, 2024
AWS Key Management Service (AWS KMS) is a managed service that simplifies the creation, management, and control of encryption keys used to secure your data across AWS services and applications. Here are the key aspects of AWS KMS:


  • Create and manage cryptographic keys (symmetric and asymmetric).
  • Control their use in your applications and AWS Services.
  • Define key usage permissions (including cross account access).
  • Track key usage in AWS CloudTrail (regulations & compliance).
  • Integrates with almost all AWS services that need data encryption.
  • Automatically rotate master keys once a year.
  • Schedule key deletion to verify if the key is used., Mandatory minimum wait period of 7 days (max-30 days).

Server Side Encryption With KMS:

  • Create Customer Master Key. Map to AWS service (S3)
  • Steps
  1. Data sent to S3.
  2. S3 receives data keys from KMS.
  3. S3 encrypts data.
  4. Stores encrypted data & data key.
  • Remember
  1. CMK never leaves KMS.
  2. Encryption of data key - KMS using CMK.
  3. Encryption of data - AWS Service - Amazon S3 using data key.

Envelope Encryption:

  • The process KMS uses for encryption is called Envelope Encryption.
  1. Data is encrypted using data key.
  2. Data key is encrypted using Master key.
  3. Master key never leaves KMS.
  • KMS encrypts small pieces of data (usually data keys) <4 KB.

Decryption of data using KMS:

  • AWS service (Amazon S3) sends encrypted data key to KMS.
  • KMS uses Customer Master Key (CMK) to decrypt and return plain-text data key.
  • AWS service (Amazon S3) uses the plain-text data key to perform decryption.
  • Note: Remove plain-text data key from memory asap.
  • Note: AWS service needs IAM permissions to use the CMK.

Benefits of using KMS:

  • Enhanced security: KMS manages the lifecycle of your keys, reducing the risk of unauthorized access or loss.
  • Simplified key management: No need to manage keys yourself; KMS handles rotation, backup, and deletion.
  • Compliance support: KMS helps meet regulatory compliance requirements for data security.

Who should use KMS?

Anyone storing sensitive data in AWS can benefit from KMS. It's especially useful for:
  • Databases: Encrypt databases containing sensitive information like financial records or personal data.
  • S3 Buckets: Securely store files in S3 buckets with KMS-managed encryption keys.
  • EC2 Instances: Encrypt data on your EC2 instances using KMS keys.
AWS KMS Documentation: https://docs.aws.amazon.com/kms/

1 Comment