AWS Key Management Service gives you centralized control over the encryption keys used to protect your data. You can create, import, rotate, disable, delete, define usage policies for, and audit the use of encryption keys used to encrypt your data. AWS Key Management Service is integrated with several other AWS services making it easy to encrypt the data you store in these services with encryption keys you control. AWS KMS is integrated with AWS CloudTrail which provides you the ability to audit who used which keys, on which resources, and when. AWS KMS enables developers to easily encrypt data, whether through 1-click encryption in the AWS Management Console, or using the AWS SDK to easily add encryption in their application code.
AWS Key Management Service provides you with centralized control of your encryption keys. You can easily create, import, and rotate keys as well as define usage policies and audit usage from the AWS Management Console or by using the AWS SDK or CLI. The master keys in KMS, whether imported by you or created on your behalf by KMS, are stored in highly durable storage in an encrypted format to help ensure that they can be retrieved when needed. You can choose to have KMS automatically rotate master keys created in KMS once per year without the need to re-encrypt data that has already been encrypted with your master key. You don’t need to keep track of older versions of your master keys as KMS keeps them available to decrypt previously encrypted data. You can create new master keys, and control who has access to those keys and which services they can be used with whenever you wish. You can also import keys from your own key management infrastructure and use them in KMS.
AWS Key Management Service is seamlessly integrated with several other AWS services. This integration means that you can easily use AWS KMS master keys to encrypt the data you store with these services. You can use a default master key that is created for you automatically and usable only within the integrated service, or you can select a custom master key that you either created in KMS or imported from your own key management infrastructure and have permission to use.
|AWS product category||AWS services integrated with KMS|
|Compute||Amazon Lightsail*, Amazon EC2 SSM*, AWS Lambda|
Storage & Content Delivery
|Amazon S3, Amazon EBS, AWS Import/Export Snowball, AWS Storage Gateway
|Databases||Amazon RDS, Amazon Redshift, AWS Database Migration Service|
|Developer Tools||AWS CodeCommit*|
|Management Tools||AWS CloudTrail|
|Analytics||Amazon EMR, Amazon Kinesis Firehose
|Application Services||Amazon Elastic Transcoder, Amazon SES|
|Enterprise Applications||Amazon WorkSpaces, Amazon WorkMail|
*only supports AWS-managed KMS keys at this time.
AWS KMS is also integrated into the AWS SDK, the AWS Command Line Interface (CLI), and provides a RESTful API. When you use these interfaces to encrypt or decrypt data, encryption or decryption operations will happen automatically—you just select which KMS master key to use. In addition, KMS is integrated with AWS CloudFormation to let you quickly create keys in KMS using the CloudFormation template for KMS.
If you have AWS CloudTrail enabled for your AWS account, each use of a key that you store in KMS is recorded in a log file that is delivered to the Amazon S3 bucket that you specified when you enabled AWS CloudTrail. The information recorded includes details of the user, time, date, and the key used.
AWS Key Management Service is a managed service. As your usage of AWS KMS encryption keys grows, you do not have to buy additional key management infrastructure. AWS KMS automatically scales to meet your encryption key needs.
The master keys created on your behalf by AWS KMS or imported by you cannot be exported from the service. AWS KMS stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability to help assure you that your keys will be available when you need to access them. If you import keys into KMS, you must securely maintain a copy of your keys so that you can re-import them at any time.
AWS KMS is deployed in multiple availability zones within an AWS region to provide high availability for your encryption keys.
AWS KMS is designed so that no one has access to your master keys. The service is built on systems that are designed to protect your master keys with extensive hardening techniques such as never storing plaintext master keys on disk, not persisting them in memory, and limiting which systems can access hosts that use keys. All access to update software on the service is controlled by a multi-party access control that is audited and reviewed by an independent group within Amazon.
To learn more about how AWS KMS works you can read the AWS Key Management Service whitepaper.
Security and quality controls in AWS KMS have been validated and certified by the following compliance schemes:
- AWS Service Organization Controls (SOC 1, SOC 2, and SOC 3) Reports. You can request a copy of these reports from AWS Compliance.
- PCI DSS Level 1. For more details on PCI DSS compliant services in AWS, you can read the PCI DSS FAQs.
- ISO 27017. For more details on ISO 27017 compliant services in AWS, you can read the ISO-27017 FAQs.
- ISO 27018. For more details on ISO 27018 compliant services in AWS, you can read the ISO-27018 FAQs.
- ISO 9001. For more details on ISO 9001 compliant services in AWS, you can read the ISO-9001 FAQs.
- In evaluation for FIPS 140-2. For more details, you can view the FIPS 140-2 Implementation Under Test List.