AWS Key Management Service Documentation
Overview
Centralized Key Management
AWS KMS provides you with centralized control over the lifecycle and permissions of your keys. You can create new keys and you can control who can manage keys separately from who can use them. As an alternative to using keys generated by AWS KMS, you can import keys from your own key management infrastructure, use keys stored in your AWS CloudHSM cluster, or from your own external key manager. You can choose automatic rotation of root keys generated in AWS KMS without the need to re-encrypt previously encrypted data. The service keeps older versions of the root key available to decrypt previously encrypted data. You can manage your root keys and audit their usage from the AWS Management Console or by using the AWS SDK or AWS Command Line Interface (CLI).
AWS Service Integration
AWS KMS integrates with AWS services to encrypt data at rest, or to facilitate signing and verification using an AWS KMS key. To protect data at rest, integrated AWS services use envelope encryption, where a data key is used to encrypt data, and is itself encrypted under a KMS key stored in AWS KMS. For signing and verification, integrated AWS services use asymmetric RSA or ECC KMS keys in AWS KMS. For more details about how an integrated service uses AWS KMS, see the documentation for your AWS service.
There are two types of KMS key resources that can be created in your AWS account: (i) An AWS managed KMS key can be created automatically when needed. You can list or inventory AWS managed KMS keys and receive a record of their use in AWS CloudTrail, but permissions for the resource are managed by the AWS service it was created to be used with. (ii) A customer managed KMS key gives you the highest degree of control over the permissions and lifecycle of the key.
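The separation the overview describes, control over who may manage a customer managed key kept apart from who may use it, is expressed in the key's resource policy. The following added example (not AWS code; the policies, the account id 111122223333 and the role names are constructed placeholders) lints a key policy document for the two mistakes a reviewer most often looks for: a principal allowed both to administer and to use the key, and a policy that leaves no one able to call kms:PutKeyPolicy.

```python
"""Lint an AWS KMS key policy for separation between administering a key
and using it.  Added example, not AWS code; the policies, account id
111122223333 and role names are constructed placeholders."""
import fnmatch

# Actions that change a key's lifecycle or permissions (key administrators).
ADMIN_ACTIONS = {
    "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
    "kms:EnableKey", "kms:DisableKey", "kms:EnableKeyRotation",
    "kms:DisableKeyRotation", "kms:DeleteImportedKeyMaterial", "kms:RevokeGrant",
}
# Actions that perform cryptographic operations with the key (key users).
USE_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:GenerateMac", "kms:VerifyMac", "kms:Sign", "kms:Verify",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Return the AWS principals a statement applies to ('*' means anyone)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        return set(_as_list(principal.get("AWS", [])))
    return set()


def _expand(patterns, catalogue):
    """Expand IAM action patterns such as kms:Put* or kms:* against a catalogue.
    IAM matches action names case-insensitively, so compare lower-cased."""
    return {a for a in catalogue
            if any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)}


def lint_key_policy(policy):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    admin_by, use_by = {}, {}
    can_change_policy = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        admin, use = _expand(actions, ADMIN_ACTIONS), _expand(actions, USE_ACTIONS)
        principals = _principals(stmt)
        if "*" in principals and "Condition" not in stmt:
            findings.append(f"{sid}: unconditional Allow to any principal (*)")
        if "kms:PutKeyPolicy" in admin and principals:
            can_change_policy = True
        for p in principals:
            # The account-root statement delegates to IAM policies and is the
            # usual safeguard against an unmanageable key, so skip it here.
            if p.endswith(":root"):
                continue
            if admin:
                admin_by.setdefault(p, set()).update(admin)
            if use:
                use_by.setdefault(p, set()).update(use)
    for p in sorted(admin_by.keys() & use_by.keys()):
        findings.append(f"{p}: can both administer and use the key; "
                        "split into separate administrator and user roles")
    if not can_change_policy:
        findings.append("no principal is allowed kms:PutKeyPolicy; "
                        "the policy could become unmanageable")
    return findings


# Constructed sample: the usual three statements plus one over-broad role.
ACCOUNT = "111122223333"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowKeyAdministrators", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/KeyAdminRole"},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"], "Resource": "*"},
    {"Sid": "AllowKeyUsers", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/AppRole"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                "kms:DescribeKey"], "Resource": "*"},
    {"Sid": "OverBroadRole", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/LegacyBatchRole"},
     "Action": "kms:*", "Resource": "*"},
]}
# Constructed sample of a policy that is open to everyone and cannot be changed.
OPEN_POLICY = {"Statement": [{"Sid": "Open", "Effect": "Allow", "Principal": "*",
                              "Action": "kms:Decrypt", "Resource": "*"}]}

if __name__ == "__main__":
    for finding in lint_key_policy(SAMPLE_POLICY) + lint_key_policy(OPEN_POLICY):
        print(finding)
```

The action catalogues are deliberately small; extend them with the actions your own policies grant. AWS KMS also performs its own lockout safety check when a key policy is put, but a linter like this runs before deployment, where a finding is cheaper to fix.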
Audit Capabilities
If you have AWS CloudTrail enabled for your AWS account, each request you make to AWS KMS is recorded in a log file that is delivered to the Amazon S3 bucket that you specified when you enabled AWS CloudTrail.
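Because every AWS KMS request lands in the CloudTrail log files delivered to that bucket, they are the natural input for detection logic. The following added example (not AWS code; the records are constructed with placeholder account id, key id, addresses and role names) reads records in the CloudTrail file layout and raises alerts for management calls that reduce a key's availability or change who controls it, and for a principal that repeatedly hits AccessDenied on cryptographic calls.

```python
"""Flag risky AWS KMS activity in CloudTrail records.  Added example, not AWS
code; the records are constructed (placeholder account id, key id, IPs and
roles) and follow the CloudTrail log file layout of a top-level "Records" list."""
import json
from collections import Counter

# KMS management events that reduce a key's availability or change who controls it.
HIGH_RISK_EVENTS = {
    "ScheduleKeyDeletion": "key scheduled for deletion",
    "DisableKey": "key disabled",
    "PutKeyPolicy": "key policy replaced",
    "DeleteImportedKeyMaterial": "imported key material deleted",
    "DisableKeyRotation": "automatic rotation disabled",
}
CRYPTO_EVENTS = {"Decrypt", "Encrypt", "GenerateDataKey",
                 "GenerateDataKeyWithoutPlaintext", "Sign", "Verify"}


def analyze_kms_events(records, failure_threshold=3):
    """Return alert dicts for high-risk management calls and for principals that
    hit AccessDenied on cryptographic calls at least failure_threshold times."""
    alerts = []
    denied = Counter()
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # other services' events are out of scope here
        name = rec.get("eventName")
        who = rec.get("userIdentity", {}).get("arn", "<unknown>")
        # requestParameters is null on some failed calls, so guard before .get()
        key_id = (rec.get("requestParameters") or {}).get("keyId", "<none>")
        if name in HIGH_RISK_EVENTS:
            alerts.append({
                "rule": name, "detail": HIGH_RISK_EVENTS[name], "principal": who,
                "keyId": key_id, "time": rec.get("eventTime"),
                "succeeded": "errorCode" not in rec,  # failed attempts are still worth seeing
            })
        elif name in CRYPTO_EVENTS and rec.get("errorCode") == "AccessDeniedException":
            denied[(who, rec.get("sourceIPAddress"))] += 1
    for (who, ip), count in denied.items():
        if count >= failure_threshold:
            alerts.append({"rule": "repeated_access_denied", "principal": who,
                           "sourceIPAddress": ip, "count": count})
    return alerts


def load_records(cloudtrail_json):
    """Parse one CloudTrail log file (a JSON object with a "Records" list)."""
    return json.loads(cloudtrail_json).get("Records", [])


# Constructed sample records (placeholder account, key, addresses and roles).
ACCOUNT = "111122223333"
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def _rec(name, arn, ip, **extra):
    base = {"eventVersion": "1.08", "eventTime": "2024-05-01T10:00:00Z",
            "eventSource": "kms.amazonaws.com", "eventName": name,
            "awsRegion": "us-east-1", "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "arn": arn}}
    base.update(extra)
    return base


SAMPLE_RECORDS = [
    _rec("ScheduleKeyDeletion", f"arn:aws:iam::{ACCOUNT}:user/alice", "198.51.100.7",
         requestParameters={"keyId": KEY_ARN, "pendingWindowInDays": 7}),
    _rec("Decrypt", f"arn:aws:sts::{ACCOUNT}:assumed-role/WebAppRole/i-0abc", "203.0.113.10",
         requestParameters={"encryptionContext": {"app": "web"}}),  # normal, successful call
    *[_rec("Decrypt", f"arn:aws:sts::{ACCOUNT}:assumed-role/WebAppRole/i-0abc", "203.0.113.10",
           requestParameters=None, errorCode="AccessDeniedException") for _ in range(4)],
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},  # not KMS, ignored
    _rec("PutKeyPolicy", f"arn:aws:iam::{ACCOUNT}:role/KeyAdminRole", "198.51.100.7",
         requestParameters={"keyId": KEY_ARN, "policyName": "default"}),
]

if __name__ == "__main__":
    for alert in analyze_kms_events(SAMPLE_RECORDS):
        print(alert)
```

In practice the records come from the log files in the CloudTrail bucket or from a CloudWatch Logs subscription rather than an inline list; the rule logic is the same. The failure threshold is per batch, so size the batch (or keep the counter across batches) to match the window you want to alert on.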
Scalability, Durability, and High Availability
AWS KMS is a fully managed service. As your use of encryption grows, the service automatically scales to meet your needs. It lets you manage thousands of KMS keys in your account and use them whenever you want. It defines default limits for the number of keys and for request rates, but you can request increased limits if necessary.
The KMS keys you create, or ones that are created on your behalf by other AWS services, cannot be exported from the service. To help keep your keys and your data highly available, the service stores multiple copies of encrypted versions of your keys.
If you import key material into the service, you maintain a secure copy of that key material yourself so that you can re-import it if it is not available when you need to use it.
For encrypted data or digital signature workflows that move across Regions, you can create KMS multi-Region keys, a set of interoperable keys with the same key material and key IDs that can be replicated into multiple Regions.
AWS KMS is designed to be a highly available service with a regional API endpoint. As most AWS services rely on it for encryption and decryption, it is architected to provide a level of availability that supports the rest of AWS and is backed by the AWS KMS Service Level Agreement.
Secure
Custom Key Stores
AWS KMS provides the option for you to create your own key store using HSMs that you control. KMS keys stored in a custom key store are managed by you like any other KMS key and can be used with any AWS service that integrates with AWS KMS. AWS KMS offers two types of custom key stores:
CloudHSM backed key stores:
You can create a KMS key in an AWS CloudHSM custom key store where all keys are stored and generated in an AWS CloudHSM cluster that you own and manage. When you use a KMS key in a CloudHSM custom key store, the cryptographic operations under that key are performed in your AWS CloudHSM cluster.
The use of a CloudHSM custom key store involves the additional cost of the AWS CloudHSM cluster and makes you responsible for the availability of the key material in that cluster.
External key store:
You can create a KMS key in an AWS KMS external key store (XKS), where all keys are generated and stored in an external key manager outside of AWS that you own and manage.
Unlike with standard KMS keys or keys in a CloudHSM custom key store, when you use an external key store you are responsible for the durability, availability, latency, performance, and security of the key material and of the cryptographic operations performed on external keys.
Asymmetric Keys
HMAC
You can generate and verify Hash-Based Message Authentication Codes (HMACs) from within AWS KMS’s FIPS 140-2 validated HSMs. HMACs are subject to the access controls that you set on the key. The HMAC KMS keys and the HMAC algorithms that AWS KMS uses conform to industry standards defined in RFC 2104. HMAC KMS keys are generated in AWS KMS hardware security modules that are certified under the FIPS 140-2 Cryptographic Module Validation Program and never leave AWS KMS unencrypted. You can also import your own HMAC key from your own key management infrastructure.
* AWS KMS HMAC keys are not supported in custom key stores.
Compliance
Security and quality controls in AWS KMS have been validated and certified by compliance regimes including:
- AWS Service Organization Controls (SOC 1, SOC 2, and SOC 3) Reports.
- PCI DSS Level 1.
- FIPS 140-2. The AWS KMS cryptographic module is validated, or in the process of being validated, at FIPS 140-2 Level 2 overall, with Level 3 for several other categories, including physical security.
- FedRAMP.
- HIPAA.
** FIPS 140-2 does not apply to AWS KMS in the AWS China (Beijing) Region, operated by Sinnet, or the AWS China (Ningxia) Region, operated by NWCD. The HSMs in the China Regions are instead approved for use by the Chinese government.
Additional Information
For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.