AWS Key Management Service gives you centralized control over the encryption keys used to protect your data. You can create, import, rotate, disable, delete, define usage policies for, and audit the use of encryption keys used to encrypt your data. AWS Key Management Service is integrated with most other AWS services, which makes it easy to encrypt the data you store in these services with encryption keys you control. AWS KMS is integrated with AWS CloudTrail, which gives you the ability to audit who used which keys, on which resources, and when. AWS KMS enables developers to easily encrypt data, whether through 1-click encryption in the AWS Management Console or by using the AWS SDK to add encryption in their application code.


AWS Key Management Service provides you with centralized control of your encryption keys. You can easily create, import, and rotate keys as well as define usage policies and audit usage from the AWS Management Console or by using the AWS SDK or CLI. The master keys in KMS, whether imported by you or created on your behalf by KMS, are stored in highly durable storage in an encrypted format to help ensure that they can be retrieved when needed. You can choose to have KMS automatically rotate master keys created in KMS once per year without the need to re-encrypt data that has already been encrypted with your master key. You don’t need to keep track of older versions of your master keys as KMS keeps them available to decrypt previously encrypted data. You can create new master keys, and control who has access to those keys and which services they can be used with whenever you wish. You can also import keys from your own key management infrastructure and use them in KMS.

AWS Key Management Service is seamlessly integrated with most other AWS services. This integration means that you can easily use AWS KMS master keys to encrypt the data you store with these services. You can use a default master key that is created for you automatically and usable only within the integrated service, or you can select a custom master key that you either created in KMS or imported from your own key management infrastructure and have permission to use.

AWS services integrated with KMS, by AWS product category:

Compute: Amazon Lightsail*, Amazon EC2 SSM, AWS Lambda
Storage & Content Delivery: Amazon S3, Amazon EBS, AWS Import/Export Snowball, AWS Storage Gateway, Amazon EFS
Databases: Amazon RDS, Amazon Redshift, AWS Database Migration Service, Amazon DynamoDB*
Developer Tools: AWS CodeCommit*, AWS CodeBuild**, AWS CodeDeploy**, AWS CodePipeline**, AWS Cloud9*
Management Tools: AWS CloudTrail, Amazon CloudWatch Logs**
Analytics: Amazon EMR, Amazon Kinesis Firehose, Amazon Kinesis Streams, Amazon Athena, Amazon Elasticsearch Service
Application Services: Amazon Elastic Transcoder, Amazon SES, Amazon SQS
Media Services: Amazon Kinesis Video Streams
Enterprise Applications: Amazon WorkSpaces, Amazon WorkMail
Business Productivity: Alexa for Business*
Security, Identity & Compliance: AWS Certificate Manager*
Contact Center: Amazon Connect
Machine Learning: Amazon SageMaker

*Only supports AWS-managed KMS keys at this time.
**Only support customer-managed KMS keys at this time.

AWS KMS is also integrated into the AWS SDK, the AWS Command Line Interface (CLI), and provides a RESTful API. When you use these interfaces to encrypt or decrypt data, encryption or decryption operations will happen automatically—you just select which KMS master key to use. In addition, KMS is integrated with AWS CloudFormation to let you quickly create keys in KMS using the CloudFormation template for KMS.

If you have AWS CloudTrail enabled for your AWS account, each use of a key that you store in KMS is recorded in a log file that is delivered to the Amazon S3 bucket that you specified when you enabled AWS CloudTrail. The information recorded includes details of the user, time, date, and the key used.
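As an added illustration of that audit trail (this script is not from the AWS page and is not AWS code), the following Python reads a constructed CloudTrail log file, keeps only the KMS API calls, counts which principal used which key for which operation, and flags denied calls and use by principals outside an expected set. The account ID, key ID and principal names are placeholders, and the record shape follows the standard CloudTrail record format (eventSource, eventName, userIdentity.arn, resources[].ARN, errorCode).

```python
"""Summarize KMS key usage from a CloudTrail log file (added example)."""
import json
from collections import Counter

# Constructed sample log file; real files are delivered to your S3 bucket.
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder key ARN
ALICE = "arn:aws:iam::111122223333:user/alice"                 # placeholder principal
MALLORY = "arn:aws:iam::111122223333:user/mallory"             # placeholder principal
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-05T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Encrypt", "userIdentity": {"arn": ALICE},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY}]},
    {"eventTime": "2024-01-05T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"arn": ALICE},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY}]},
    {"eventTime": "2024-01-05T10:07:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "errorCode": "AccessDenied",
     "userIdentity": {"arn": MALLORY},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY}]},
    {"eventTime": "2024-01-05T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": ALICE}, "resources": []},
]})


def kms_events(log_text):
    """Yield only the records that are KMS API calls."""
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") == "kms.amazonaws.com":
            yield rec


def key_arn(rec):
    """Return the KMS key ARN named in the record's resources, if any."""
    for res in rec.get("resources", []):
        if res.get("type") == "AWS::KMS::Key":
            return res["ARN"]
    return None


def summarize(log_text, allowed_principals):
    """Return (Counter keyed by (principal, key, action), list of findings)."""
    usage, findings = Counter(), []
    for rec in kms_events(log_text):
        who = rec.get("userIdentity", {}).get("arn", "<unknown>")
        key, action, when = key_arn(rec) or "<no key>", rec["eventName"], rec["eventTime"]
        if "errorCode" in rec:  # denied by key policy or IAM policy
            findings.append(f"{when} {who} {action} on {key} denied: {rec['errorCode']}")
            continue
        usage[(who, key, action)] += 1
        if who not in allowed_principals:
            findings.append(f"{when} unexpected principal {who} used {key} ({action})")
    return usage, findings
```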

AWS Key Management Service is a managed service. As your usage of AWS KMS encryption keys grows, you do not have to buy additional key management infrastructure. AWS KMS automatically scales to meet your encryption key needs.

The master keys created on your behalf by AWS KMS or imported by you cannot be exported from the service. AWS KMS stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability to help assure you that your keys will be available when you need to access them. If you import keys into KMS, you must securely maintain a copy of your keys so that you can re-import them at any time.

AWS KMS is deployed in multiple availability zones within an AWS region to provide high availability for your encryption keys.

AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext keys from the service. The service uses FIPS 140-2 validated hardware security modules (HSMs) to protect the confidentiality and integrity of your keys, regardless of whether you request KMS to create keys on your behalf or you import them into the service. Your plaintext keys are never written to disk and are only ever used in the volatile memory of the HSMs for the time needed to perform your requested cryptographic operation. KMS keys are never transmitted outside of the AWS regions in which they were created. Updates to the KMS HSM firmware are controlled by multi-party access control that is audited and reviewed by an independent group within Amazon.

To learn more about how AWS KMS works, you can read the AWS Key Management Service whitepaper.

Security and quality controls in AWS KMS have been validated and certified by the following compliance schemes:

  • AWS Service Organization Controls (SOC 1, SOC 2, and SOC 3) Reports. You can download a copy of these reports from AWS Artifact.
  • PCI DSS Level 1. For more details on PCI DSS compliant services in AWS, you can read the PCI DSS FAQs.
  • ISO 27001. For more details on ISO 27001 compliant services in AWS, you can read the ISO 27001 FAQs.
  • ISO 27017. For more details on ISO 27017 compliant services in AWS, you can read the ISO-27017 FAQs.
  • ISO 27018. For more details on ISO 27018 compliant services in AWS, you can read the ISO-27018 FAQs.
  • ISO 9001. For more details on ISO 9001 compliant services in AWS, you can read the ISO-9001 FAQs.
  • Cryptographic module running firmware version 1.4.3 is validated at FIPS 140-2 Level 2 overall with Level 3 for several other categories, including physical security. For more details, you can view the FIPS 140-2 certificate for AWS KMS HSM along with the associated Security Policy.
  • FedRAMP. You can get more details on AWS FedRAMP compliance at FedRAMP Compliance.
  • HIPAA-eligible. For more details, you can visit the HIPAA Compliance page.