AWS Key Management Service gives you centralized control over the encryption keys used to protect your data. You can create, import, rotate, disable, delete, define usage policies for, and audit the use of the encryption keys that encrypt your data. AWS Key Management Service is integrated with most other AWS services, which makes it easy to encrypt the data you store in those services with encryption keys you control. AWS KMS is integrated with AWS CloudTrail, which lets you audit who used which keys, on which resources, and when. AWS KMS lets developers encrypt data easily, whether through 1-click encryption in the AWS Management Console or by using the AWS SDK to add encryption to their application code.


AWS Key Management Service provides you with centralized control of your encryption keys. You can easily create, import, and rotate keys as well as define usage policies and audit usage from the AWS Management Console or by using the AWS SDK or CLI. The master keys in KMS, whether imported by you or created on your behalf by KMS, are stored in highly durable storage in an encrypted format to help ensure that they can be retrieved when needed. You can choose to have KMS automatically rotate master keys created in KMS once per year without the need to re-encrypt data that has already been encrypted with your master key. You don’t need to keep track of older versions of your master keys as KMS keeps them available to decrypt previously encrypted data. You can create new master keys, and control who has access to those keys and which services they can be used with whenever you wish. You can also import keys from your own key management infrastructure and use them in KMS.

AWS Key Management Service is seamlessly integrated with most other AWS services. This integration means that you can easily use AWS KMS master keys to encrypt the data you store with these services. You can use a default master key that is created for you automatically and usable only within the integrated service, or you can select a custom master key that you either created in KMS or imported from your own key management infrastructure and have permission to use.

AWS Services Integrated with KMS

  • Alexa for Business*
  • Amazon Athena
  • Amazon Aurora
  • Amazon CloudWatch Logs
  • Amazon Comprehend*
  • Amazon Connect
  • Amazon DynamoDB*
  • Amazon DynamoDB Accelerator (DAX)*
  • Amazon EBS
  • Amazon EFS
  • Amazon Elastic Transcoder
  • Amazon Elasticsearch Service
  • Amazon EMR
  • Amazon Glacier
  • Amazon Kinesis Data Streams
  • Amazon Kinesis Firehose
  • Amazon Kinesis Video Streams
  • Amazon Lex
  • Amazon Lightsail*
  • Amazon Simple Email Service (SES)
  • Amazon Simple Queue Service (SQS)
  • Amazon Neptune
  • Amazon Relational Database Service (RDS)
  • Amazon Redshift
  • Amazon SageMaker
  • Amazon S3
  • Amazon WorkMail
  • Amazon WorkSpaces
  • AWS Certificate Manager*
  • AWS Cloud9*
  • AWS CloudTrail
  • AWS CodeBuild
  • AWS CodeCommit*
  • AWS CodeDeploy
  • AWS CodePipeline
  • AWS Database Migration Service
  • AWS Lambda
  • AWS Secrets Manager
  • AWS Systems Manager
  • AWS Snowball
  • AWS Snowmobile
  • AWS Snowball Edge
  • AWS Storage Gateway
  • AWS X-Ray

*Supports only AWS managed KMS keys. 

AWS KMS is also available through the AWS SDK and the AWS Command Line Interface (CLI), and it provides a RESTful API. When you use these interfaces to encrypt or decrypt data, the encryption or decryption operations happen automatically; you only select which KMS master key to use. In addition, KMS is integrated with AWS CloudFormation, so you can quickly create keys in KMS using the CloudFormation template for KMS.

If you have AWS CloudTrail enabled for your AWS account, each use of a key that you store in KMS is recorded in a log file that is delivered to the Amazon S3 bucket that you specified when you enabled AWS CloudTrail. The information recorded includes details of the user, time, date, and the key used.
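As an added example (not AWS code or text from this page), the following Python reads CloudTrail records of the kind described above and reports who used which KMS key and which KMS calls were denied. The records are constructed for the example, with placeholder account and key IDs.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records for this example (not real log data).
# Field names follow the CloudTrail record format; account and key IDs are placeholders.
KEY_1 = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID-1"
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:02:11Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"}, "resources": [{"ARN": KEY_1}]},
    {"eventTime": "2024-01-15T10:02:12Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-role"}, "resources": [{"ARN": KEY_1}]},
    {"eventTime": "2024-01-15T11:40:03Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "errorCode": "AccessDenied"},
    {"eventTime": "2024-01-15T12:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}, "resources": []},
]})


def kms_events(trail_json):
    """Yield (time, principal, API call, key ARN, error code) for KMS records only."""
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # events from other services are not key usage
        # A denied call may be logged without a key resource; keep it visible anyway.
        key_arn = next((r["ARN"] for r in rec.get("resources", []) if ":key/" in r.get("ARN", "")),
                       "(no key recorded)")
        yield rec["eventTime"], rec["userIdentity"]["arn"], rec["eventName"], key_arn, rec.get("errorCode")


def usage_by_principal_and_key(trail_json):
    """Count successful KMS calls per (principal, key ARN): who used which key."""
    counts = Counter((p, k) for _, p, _, k, err in kms_events(trail_json) if err is None)
    return dict(counts)


def denied_kms_calls(trail_json):
    """Return the denied KMS calls as (time, principal, API call) for follow-up."""
    return [(t, p, api) for t, p, api, _, err in kms_events(trail_json) if err is not None]


if __name__ == "__main__":
    for (principal, key), n in usage_by_principal_and_key(SAMPLE_TRAIL).items():
        print(f"{n:>3}  {principal}  ->  {key}")
    for t, p, api in denied_kms_calls(SAMPLE_TRAIL):
        print(f"DENIED  {t}  {p}  {api}")
```

On a real trail, feed the same functions the contents of the gzipped JSON files CloudTrail delivers to your S3 bucket; the filter on eventSource is what separates key usage from the rest of the account's activity.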

AWS Key Management Service is a managed service. As your usage of AWS KMS encryption keys grows, you do not have to buy additional key management infrastructure. AWS KMS automatically scales to meet your encryption key needs.

The master keys created on your behalf by AWS KMS or imported by you cannot be exported from the service. AWS KMS stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability to help assure you that your keys will be available when you need to access them. If you import keys into KMS, you must securely maintain a copy of your keys so that you can re-import them at any time.

AWS KMS is deployed in multiple availability zones within an AWS region to provide high availability for your encryption keys.

AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext keys from the service. The service uses FIPS 140-2 validated hardware security modules (HSMs) to protect the confidentiality and integrity of your keys, regardless of whether you request KMS to create keys on your behalf or you import them into the service. Your plaintext keys are never written to disk and are only ever used in the volatile memory of the HSMs for the time needed to perform your requested cryptographic operation. KMS keys are never transmitted outside of the AWS regions in which they were created. Updates to the KMS HSM firmware are controlled by multi-party access control that is audited and reviewed by an independent group within Amazon.

To learn more about how AWS KMS works you can read the AWS Key Management Service whitepaper.

Security and quality controls in AWS KMS have been validated and certified by the following compliance schemes:

  • AWS Service Organization Controls (SOC 1, SOC 2, and SOC 3) Reports. You can download a copy of these reports from AWS Artifact.
  • PCI DSS Level 1. For more details on PCI DSS compliant services in AWS, you can read the PCI DSS FAQs.
  • ISO 27001. For more details on ISO 27001 compliant services in AWS, you can read the ISO 27001 FAQs.
  • ISO 27017. For more details on ISO 27017 compliant services in AWS, you can read the ISO 27017 FAQs.
  • ISO 27018. For more details on ISO 27018 compliant services in AWS, you can read the ISO 27018 FAQs.
  • ISO 9001. For more details on ISO 9001 compliant services in AWS, you can read the ISO 9001 FAQs.
  • Cryptographic module running firmware version 1.4.3 is validated at FIPS 140-2 Level 2 overall, with Level 3 for several other categories, including physical security. For more details, you can view the FIPS 140-2 certificate for the AWS KMS HSM along with the associated Security Policy.
  • FedRAMP. You can get more details on AWS FedRAMP compliance at FedRAMP Compliance.
  • HIPAA-eligible. For more details, you can visit the HIPAA Compliance page.