AWS Key Management Service Documentation
Overview
AWS Key Management Service (KMS) gives you control over the cryptographic keys used to protect your data, including control over the lifecycle and permissions of your keys. You can create new keys and you can control who can manage keys separately from who can use them. The service is integrated with other AWS services, allowing you to encrypt data you store in these services and control access to the keys that decrypt it. AWS KMS is also integrated with AWS CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when. AWS KMS enables developers to add encryption or digital signature functionality to their application code either directly or by using the AWS SDK. The AWS Encryption SDK supports AWS KMS as a root key provider for developers who need to encrypt/decrypt data locally within their applications.
Centralized Key Management
AWS KMS provides you with centralized control over the lifecycle and permissions of your keys. You can create new keys and you can control who can manage keys separately from who can use them. As an alternative to using keys generated by AWS KMS, you can import keys from your own key management infrastructure, use keys stored in your AWS CloudHSM cluster, or use keys held in your own external key manager. You can choose automatic rotation of root keys generated in AWS KMS without the need to re-encrypt previously encrypted data. The service keeps older versions of the root key available to decrypt previously encrypted data. You can manage your root keys and audit their usage from the AWS Management Console or by using the AWS SDK or AWS Command Line Interface (CLI).
AWS Service Integration
AWS KMS integrates with AWS services to encrypt data at rest, or to facilitate signing and verification using an AWS KMS key. To protect data at rest, integrated AWS services use envelope encryption, where a data key is used to encrypt data, and is itself encrypted under a KMS key stored in AWS KMS. For signing and verification, integrated AWS services use asymmetric RSA or ECC KMS keys in AWS KMS.
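The envelope pattern described above, as an added example in Go that is not AWS's own code or SDK: a 32-byte root key stands in for the KMS key, and the local wrap and unwrap steps stand in for the GenerateDataKey and Decrypt API calls (both assumptions; real code makes those calls through the AWS SDK and never holds the KMS key).

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Envelope is what the application stores; the plaintext data key never is.
type Envelope struct{ WrappedKey, Ciphertext []byte }
// gcm builds AES-256-GCM; keys are always 32 bytes here, so an error is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}
// seal returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func seal(key, pt, aad []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // cannot fail on Go 1.24+; on older Go, check the error
	return gcm(key).Seal(nonce, nonce, pt, aad)
}
// open reverses seal; an error means key, aad and blob do not belong together.
func open(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("blob too short")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], aad)
}
// EnvelopeEncrypt: in AWS the first three lines are one GenerateDataKey call; root
// stands in for the KMS key (assumption). The wrapped key doubles as AAD for the data.
func EnvelopeEncrypt(root, msg []byte) Envelope {
	plain := make([]byte, 32)
	rand.Read(plain)
	wrapped := seal(root, plain, nil)
	return Envelope{WrappedKey: wrapped, Ciphertext: seal(plain, msg, wrapped)}
}
// EnvelopeDecrypt: in AWS the unwrap is one Decrypt call; the KMS key stays in the HSM.
func EnvelopeDecrypt(root []byte, e Envelope) ([]byte, error) {
	plain, err := open(root, e.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong KMS key, or the wrapped key was altered
	}
	return open(plain, e.Ciphertext, e.WrappedKey)
}
```

Because the wrapped key is the AAD of the data ciphertext, decryption fails if a blob is stored next to a different wrapped key, which is the mix-up a plain store of (key, ciphertext) pairs would otherwise not detect.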
Audit Monitoring
If you have AWS CloudTrail enabled for your AWS account, each request you make to AWS KMS is recorded in a log file that is delivered to the Amazon S3 bucket that you specified when you enabled AWS CloudTrail.
Scalability, Durability, and High Availability
AWS KMS is a managed service. As your use of encryption grows, the service scales to meet your needs. It helps you manage and use KMS keys in your account. It defines default limits for the number of keys and for request rates.
The KMS keys you create, or ones that are created on your behalf by other AWS services, cannot be exported from the service. To help ensure that your keys and your data are highly available, the service stores multiple copies of encrypted versions of your keys.
If you import keys into the service, you keep a secure copy of the key material yourself so that you can re-import it if it is not available when you need to use it.
For encrypted data or digital signature workflows that move across Regions, you can create KMS multi-Region keys, a set of interoperable keys with the same key material and key IDs that can be replicated into multiple Regions.
Secure
AWS KMS is designed so that no one can retrieve your plaintext keys from the service. The service uses hardware security modules (HSMs) to protect the confidentiality and integrity of your keys, and these HSMs are undergoing validation. Your plaintext keys are not written to disk and are only used in the volatile memory of the HSMs for the time needed to perform your requested cryptographic operation. This is true regardless of whether you request AWS KMS to create keys on your behalf, import them into the service, or create them in an AWS CloudHSM cluster using the custom key store feature. Single-Region keys created by AWS KMS are not transmitted outside of the AWS Region in which they were created and can only be used in the Region in which they were created. Updates to the AWS KMS HSM firmware are controlled by multi-party access control that is audited and reviewed by an independent group within Amazon as well as a NIST-accredited lab.
Custom Key Stores
AWS KMS provides the option for you to create your own key store using HSMs that you control. KMS keys stored in a custom key store are managed by you like any other KMS key and can be used with any AWS service that integrates with AWS KMS.
Asymmetric Keys
AWS KMS provides you the capability to create and use asymmetric KMS keys and data key pairs. You can designate a KMS key for use as a signing key pair or an encryption key pair. Key pair generation and asymmetric cryptographic operations using these KMS keys are performed inside HSMs. You can request the public portion of the asymmetric KMS key for use in your local applications, while the private portion does not leave the service. You can import the private portion of an asymmetric key from your own key management infrastructure.
You can also request the service to generate an asymmetric data key pair. This operation returns a plaintext copy of the public key and private key as well as a copy of the private key encrypted under a symmetric KMS key that you specify. You can use the plaintext public or private key in your local application and store the encrypted copy of the private key for future use.
* Asymmetric keys are not supported with custom key stores.
HMAC
You can generate and verify Hash-Based Message Authentication Codes (HMACs) from within AWS KMS’s FIPS 140-3 validated HSMs. HMACs are subject to the access controls that you set on the key. HMAC KMS keys are generated in AWS KMS hardware security modules that are certified under the FIPS 140-3 Cryptographic Module Validation Program and do not leave AWS KMS unencrypted. You can also import your own HMAC key from your own key management infrastructure.
* AWS KMS HMAC keys are not supported in custom key stores.
Additional Information
For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.