AWS Key Management Service (KMS) gives you centralized control over the encryption keys used to protect your data. You can create, rotate, disable and delete keys, define policies for how each key may be used, and audit that use. KMS is integrated with several other AWS services, so the data you store in those services can be encrypted under keys you control, and with AWS CloudTrail, which records who used which key, on which resource, and when. Developers can add encryption with a single option in the AWS Management Console or through the AWS SDK in their own application code.
AWS Key Management Service provides centralized control of your encryption keys. You can implement key creation, rotation and usage policies from the AWS Management Console or through the API. The master keys used with KMS are held in highly durable storage in encrypted form, so they can be retrieved when needed but are never stored in plaintext. You can have KMS rotate a master key automatically once per year; data already encrypted under that key does not need to be re-encrypted, because KMS retains the earlier versions of the key and uses the right one to decrypt previously encrypted data, so you do not have to track key versions yourself. You can create new master keys whenever you wish and control who may use each key and through which services.
AWS Key Management Service is seamlessly integrated with several other AWS services. This integration means that you can easily use AWS KMS master encryption keys to encrypt the data you store with these services. You can use a default master key that is created for you automatically and usable only within the integrated service, or you can select a custom master key that you created in KMS and have permission to use.
| AWS product category | AWS services integrated with KMS |
|---|---|
| Storage & Content Delivery | Amazon S3, Amazon EBS, AWS Import/Export Snowball |
| Databases | Amazon RDS, Amazon Redshift |
| Developer Tools | AWS CodeCommit* |
| Management Tools | AWS CloudTrail |
| Analytics | Amazon EMR** |
| Application Services | Amazon Elastic Transcoder, Amazon SES |
| Enterprise Applications | Amazon WorkSpaces, Amazon WorkMail |
*AWS CodeCommit only supports AWS-managed KMS keys at this time.
**Amazon EMR supports client-side encryption using KMS keys when the input and output for your workloads is stored in S3. The server-side encryption option uses the Amazon S3 system master key and does not currently support the use of KMS keys.
AWS KMS is also available through the AWS SDKs, the AWS Command Line Interface (CLI) and a RESTful API. Through these interfaces you call the service's encrypt and decrypt operations and select which KMS master key to use; the key material itself never leaves the service. The direct Encrypt operation is intended for small payloads such as data keys (up to 4 KB); larger data is encrypted locally with a data key that you request from KMS under the master key.
If you have AWS CloudTrail enabled for your AWS account, every use of a key stored in KMS is recorded in a log file delivered to the Amazon S3 bucket you specified when you enabled CloudTrail. Each record includes the calling principal, the date and time, the API operation, the key used and, for data operations, any encryption context supplied with the request, as well as whether the call was denied.
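The following is an added example, not AWS's code, of the audit question the paragraph above raises: given a CloudTrail log file, who used which key, on what, and when, plus the two things a responder wants surfaced first, denied attempts and key-management changes such as a scheduled deletion. The records are constructed in the shape CloudTrail writes for KMS calls; the key ARN, principals, times and S3 object names are placeholders.

```python
"""Summarise KMS key usage, denials and management changes from a CloudTrail log file.
Added example, not AWS's code. Records, ARNs and times below are constructed placeholders."""
import json
from collections import Counter, defaultdict

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # placeholder
APP = "arn:aws:sts::111122223333:assumed-role/payroll-app/i-0abc"   # placeholder principal


def _rec(time, name, principal, **extra):
    """Build one KMS CloudTrail record; the listed fields are those KMS events carry."""
    rec = {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": principal}, "resources": [{"ARN": KEY_ARN}]}
    rec.update(extra)
    return rec


# Constructed sample log file (one CloudTrail delivery), not real data.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2015-03-10T14:02:11Z", "GenerateDataKey", APP,
         requestParameters={"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::payroll/2015/q1.csv"}}),
    _rec("2015-03-10T14:02:12Z", "Decrypt", APP,
         requestParameters={"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::payroll/2015/q1.csv"}}),
    _rec("2015-03-10T15:40:03Z", "Decrypt", "arn:aws:iam::111122223333:user/contractor",
         errorCode="AccessDenied", errorMessage="User is not authorized to perform: kms:Decrypt"),
    _rec("2015-03-10T16:00:00Z", "ScheduleKeyDeletion", "arn:aws:iam::111122223333:user/alice",
         requestParameters={"pendingWindowInDays": 7}),
    {"eventTime": "2015-03-10T16:01:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},  # not KMS; ignored
]})

# Operations that change what a key can do or whether it exists at all.
MANAGEMENT_EVENTS = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy", "CreateGrant",
                     "RevokeGrant", "DisableKeyRotation"}


def kms_records(log_text):
    """Only the records KMS itself wrote."""
    return [r for r in json.loads(log_text)["Records"] if r.get("eventSource") == "kms.amazonaws.com"]


def usage_by_key(records):
    """key ARN -> Counter of (principal ARN, API operation) for successful calls."""
    usage = defaultdict(Counter)
    for r in records:
        if r.get("errorCode"):
            continue
        for res in r.get("resources", []):
            usage[res["ARN"]][(r["userIdentity"]["arn"], r["eventName"])] += 1
    return usage


def data_touched(records, key_arn):
    """Encryption-context values seen with a key, which for S3 name the object encrypted."""
    seen = set()
    for r in records:
        if r.get("errorCode") or key_arn not in [x["ARN"] for x in r.get("resources", [])]:
            continue
        for value in (r.get("requestParameters") or {}).get("encryptionContext", {}).values():
            seen.add(value)
    return sorted(seen)


def denied_calls(records):
    return [(r["eventTime"], r["userIdentity"]["arn"], r["eventName"], r["errorCode"])
            for r in records if r.get("errorCode")]


def management_changes(records):
    return [(r["eventTime"], r["userIdentity"]["arn"], r["eventName"])
            for r in records if r["eventName"] in MANAGEMENT_EVENTS and not r.get("errorCode")]


if __name__ == "__main__":
    recs = kms_records(SAMPLE_LOG)
    for key, counter in usage_by_key(recs).items():
        print(key)
        for (who, op), n in counter.items():
            print(f"  {n:3d}  {op:<20} {who}")
    print("denied:", denied_calls(recs))
    print("management changes:", management_changes(recs))
```

Running this over real CloudTrail deliveries is a matter of reading each gzip'd file's `Records` array and feeding it to the same functions; the denied and management lists are the two queries worth alerting on rather than reviewing after the fact.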
AWS Key Management Service is a managed service. As your usage of AWS KMS encryption keys grows, you do not have to buy additional key management hardware or software, or manage any infrastructure. AWS KMS automatically scales to meet your encryption key needs.
Key storage is highly durable. AWS KMS stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability to help assure you that your keys will be available when you need to access them.
AWS KMS is deployed in multiple availability zones within an AWS region to provide high availability for your encryption keys.
AWS KMS is designed so that no one has access to your master keys. The service is built on systems hardened to protect master keys: plaintext master keys are never written to disk, they are not kept persistently in memory, and only a restricted set of systems may connect to the device. All access to update software on the service is controlled by a multi-level approval process that is audited and reviewed by an independent group within Amazon.
To learn more about how AWS KMS works you can read the AWS Key Management Service whitepaper.