Posted On: Apr 20, 2022

AWS Key Management Service (AWS KMS) lets you create KMS keys that can be used to generate and verify Hash-Based Message Authentication Code (HMACs). HMACs are a powerful cryptographic building block that incorporates secret key material within a hash function to create a unique keyed message authentication code. HMAC KMS keys can only be generated and used within the FIPS 140-2 validated HSM security boundary in AWS KMS. This architecture can minimize the risk of these secret keys being compromised, in contrast to using plaintext HMAC keys in local application software.

HMACs can provide a fast way to tokenize or sign data such as Web API requests, credit card numbers, bank routing information, or personally identifiable information (PII). Because HMACs utilize symmetric cryptography, they are typically higher performance than signing algorithms that use asymmetric cryptography like RSA or ECC. HMACs are commonly used in several Internet standards and communication protocols such as JSON Web Tokens (JWT). The KMS keys and the HMAC algorithms in AWS KMS conform to industry standards defined in RFC 2104. As with any other type of KMS key, you can control who is allowed to perform HMAC functions under which conditions by defining KMS key and/or IAM policies.

The KMS HMAC APIs are currently available in selected Regions. Please see the KMS Developer Guide for information on Region support and an overview of the new HMAC feature.

Apr 27, 2022: A previous version of this post incorrectly referenced the “Java” Web Token standard. We have corrected this reference to the JSON Web Token (JWT) standard.