AWS Key Management Service now Supports AWS PrivateLink

Posted on: Jan 22, 2018

Starting today, AWS Key Management Service (KMS) supports AWS PrivateLink, enabling you to call KMS APIs from within your Amazon Virtual Private Cloud (VPC) and route data between your VPC and KMS entirely within the AWS network.

With AWS PrivateLink, you can provision and use VPC endpoints to access supported services hosted in the AWS Cloud. AWS PrivateLink provides a highly available and scalable way to access AWS services while keeping all network traffic within the AWS network.

You can create a VPC endpoint for KMS using the Amazon VPC console, AWS CLI, or AWS SDK. Once the endpoint is created, you can submit requests to KMS via the endpoint using the AWS CLI or AWS SDK. You can also set KMS key policies and AWS Identity and Access Management (IAM) policies that require KMS requests to originate from a specific VPC through the KMS VPC endpoint. When you use the VPC endpoint to make requests to KMS, the endpoint ID also appears in the corresponding KMS entries in AWS CloudTrail logs, allowing you to audit usage of your VPC endpoint.
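The two controls described above, a key policy that requires requests to arrive through the KMS VPC endpoint and a CloudTrail check that the endpoint was actually used, as an added example that is not code from the AWS announcement. It uses only the standard library so it runs offline; the endpoint ID, account ID, role ARN and CloudTrail records are constructed placeholders, and the admin-role carve-out is this example's design choice, not something the announcement specifies.

```python
"""Added example, not code from the AWS announcement: build a KMS key policy
that denies cryptographic use of a key unless the request arrives through a
named KMS VPC endpoint, and audit CloudTrail-style records for KMS calls
that bypassed that endpoint. Endpoint id, account id and role ARN below are
constructed placeholders."""
import json

VPCE_ID = "vpce-0123456789abcdef0"                          # constructed
ACCOUNT_ID = "111122223333"                                 # constructed
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/KmsKeyAdmin"  # constructed


def endpoint_only_key_policy(account_id: str, vpce_id: str, admin_role_arn: str) -> dict:
    """Key policy with the usual root-account statement plus a Deny that
    blocks key use from outside the VPC endpoint.

    aws:sourceVpce is absent from the request context when a call does not
    go through a VPC endpoint, and a negated operator (StringNotEquals)
    evaluates to true for an absent key, so such calls are denied. Listing
    aws:PrincipalArn in the same operator ANDs the two tests: the admin
    role is exempt so the key can still be managed from outside the VPC.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableRootAccountPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "DenyUseOutsideVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                ],
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {
                        "aws:sourceVpce": vpce_id,
                        "aws:PrincipalArn": admin_role_arn,
                    }
                },
            },
        ],
    }


def kms_calls_bypassing_endpoint(records: list, vpce_id: str) -> list:
    """Return (eventName, caller ARN) for KMS events in CloudTrail records
    that did not arrive through vpce_id. CloudTrail sets the top-level
    vpcEndpointId field only for requests made via a VPC endpoint."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("vpcEndpointId") != vpce_id:
            caller = rec.get("userIdentity", {}).get("arn", "<unknown>")
            findings.append((rec.get("eventName"), caller))
    return findings


# Constructed CloudTrail-style records (abridged to the fields used here).
SAMPLE_RECORDS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "vpcEndpointId": VPCE_ID,
     "userIdentity": {"arn": f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/AppRole/i-0abc"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT_ID}:user/laptop-user"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT_ID}:user/laptop-user"}},
]


if __name__ == "__main__":
    print(json.dumps(endpoint_only_key_policy(ACCOUNT_ID, VPCE_ID, ADMIN_ROLE), indent=2))
    for event, caller in kms_calls_bypassing_endpoint(SAMPLE_RECORDS, VPCE_ID):
        print(f"KMS {event} by {caller} did not use endpoint {VPCE_ID}")
```

The Deny statement applies to every principal, the account root included, so the exemption for a key-administrator principal is what keeps the key manageable when something goes wrong with the endpoint; apply the policy to a test key first and confirm, with a CloudTrail query like the one above, that all legitimate callers already show the expected vpcEndpointId before rolling it out.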

Support for AWS PrivateLink is available in all AWS Regions where both AWS KMS and AWS PrivateLink are available.

To learn more about AWS KMS support for AWS PrivateLink, see How to Connect Directly to AWS Key Management Service from an Amazon VPC by Using an AWS PrivateLink Endpoint.