AWS Key Management Service (KMS) gives you centralized control over the encryption keys used to protect your data. AWS KMS is integrated with AWS services making it easy to encrypt data you store in these services and control access to the keys that decrypt it. AWS KMS is integrated with AWS CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when. AWS KMS also enables developers to easily add encryption functionality to their application code either directly through encrypt and decrypt service APIs or through its integration with the AWS Encryption SDK.
Centralized Key Management
AWS Key Management Service provides you with centralized control of your encryption keys. Customer master keys (CMKs) are used to control access to data encryption keys that encrypt and decrypt your data. You can create new master keys whenever you wish, and easily manage who has access to them and which services they can be used with. You can also import keys from your own key management infrastructure into AWS KMS or use keys stored in your AWS CloudHSM cluster and manage them from AWS KMS. You can manage your master keys and audit usage from the AWS Management Console or by using the AWS SDK or AWS Command Line Interface (CLI).
The keys in AWS KMS, whether created within KMS, your CloudHSM cluster, or imported by you, are stored in highly durable storage in an encrypted format so that they can be used when needed. You can choose to have AWS KMS automatically rotate master keys created within KMS once per year without the need to re-encrypt data that has already been encrypted with your master key. You don’t need to keep track of older versions of your master keys as KMS keeps them available to decrypt previously encrypted data.
AWS Service Integration
AWS KMS is seamlessly integrated with most AWS services. This integration means that you can easily use KMS master keys to control the encryption of the data you store within these services. When deciding to encrypt data in a service, you can chose to use an AWS managed master key that is created in KMS for you automatically by that service. You can track the usage of the key but it is managed by the service on your behalf.
If you need direct control over the lifecycle of a master key or wish to allow other accounts to use it, you can create and manage your own master keys that can be used on your behalf by AWS services. These customer managed master keys give you full control over the access permissions that determine who can use the key and under which conditions.
|Alexa for Business*||Amazon EMR||Amazon S3|
|Amazon Athena||Amazon FSx for Windows File Server||Amazon SageMaker|
|Amazon Aurora||Amazon Glacier||Amazon Simple Email Service (SES)|
|Amazon CloudWatch Logs||Amazon Kinesis Data Streams||Amazon Relational Database Service (RDS)|
|Amazon Comprehend*||Amazon Kinesis Firehose||Amazon Simple Notification Service (SNS)|
|Amazon Connect||Amazon Kinesis Video Streams||Amazon Simple Queue Service (SQS)|
|Amazon DocumentDB||Amazon Lex||Amazon Translate|
|Amazon DynamoDB*||Amazon Lightsail*||Amazon WorkMail|
|Amazon DynamoDB Accelerator (DAX)*||Amazon Managed Streaming for Kafka (MSK)||Amazon WorkSpaces|
|Amazon EBS||Amazon MQ||AWS Backup|
|Amazon EFS||Amazon Neptune||AWS Certificate Manager*|
|Amazon Elastic Transcoder||Amazon Personalize||AWS Cloud9*|
|Amazon Elasticsearch Service||Amazon Redshift||AWS CloudTrail|
|AWS CodeCommit*||AWS Glue||AWS Snowball Edge|
|AWS CodeDeploy||AWS Lambda||AWS Snowmobile|
|AWS CodePipeline||AWS Secrets Manager||AWS Storage Gateway|
|AWS CodeBuild||AWS Systems Manager||AWS X-Ray|
|AWS Database Migration Service||AWS Snowball|
*Supports only AWS managed KMS keys.
** For list of services integrated with KMS in the AWS China (Beijing) Region, operated by Sinnet and the AWS China (Ningxia) Region, operated by NWCD, please visit AWS KMS Service integration in China.
AWS services not listed above encrypt customer data using keys owned and managed by the respective service.
If you have AWS CloudTrail enabled for your AWS account, each request you make to AWS KMS is recorded in a log file that is delivered to the Amazon S3 bucket that you specified when you enabled AWS CloudTrail. The information recorded includes details of the user, time, date, API action and, when relevant, the key used.
Scalability, Durability, and High Availability
AWS KMS is a fully managed service. As your use of encryption grows, KMS automatically scales to meet your needs. AWS KMS enables you to manage thousands of master keys in your account and to use them whenever you want. AWS KMS defines default limits for number of keys and request rates, but you can request increased limits if necessary.
The master keys you create in AWS KMS or ones that are created on your behalf by other AWS services cannot be exported from the service. Therefore KMS takes responsibility for their durability. To help ensure that your keys and your data is highly available, KMS stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability.
If you import keys into KMS, you maintain a secure copy of the master keys so that you can re-import them if they are not available when you need to use them. If you use the custom key store feature in KMS to create your master keys in an AWS CloudHSM cluster, encrypted copies of your keys are automatically backed up and you have full control over the recovery process.
AWS KMS is designed to be a highly available service with a regional API endpoint. As most AWS services rely on AWS KMS for encryption and decryption, it is architected to provide a level of availability that supports the rest of AWS and is backed by the AWS KMS Service Level Agreement.
AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext keys from the service. The service uses hardware security modules (HSMs) that have been validated under FIPS 140-2, or are in the process of being validated, to protect the confidentiality and integrity of your keys regardless of whether you request KMS to create keys on your behalf, create them in an AWS CloudHSM cluster, or import them into the service. Your plaintext keys are never written to disk and only ever used in volatile memory of the HSMs for the time needed to perform your requested cryptographic operation. Keys created by KMS are never transmitted outside of the AWS region in which they were created and can only be used in the region in which they were created. Updates to the KMS HSM firmware is controlled by multi-party access control that is audited and reviewed by an independent group within Amazon as well as a NIST accredited lab in compliance with FIPS 140-2.
To learn more about how AWS KMS is architected and the cryptography it uses to secure your keys, read the AWS Key Management Service Cryptographic Details whitepaper.
* In the AWS China (Beijing) Region, operated by Sinnet and the AWS China (Ningxia) Region, operated by NWCD, the HSMs are Chinese government approved (not FIPS 140-2 validated), and the Cryptographic Details Whitepaper mentioned above does not apply.
Custom Key Store
AWS KMS provides the option for you to create your own key store using HSMs that you control. Each custom key store is backed by an AWS CloudHSM cluster. When you create a KMS customer master key (CMK) in a custom key store, KMS generates and stores non-extractable key material for the CMK in an AWS CloudHSM cluster that you own and manage. When you use a CMK in a custom key store, the cryptographic operations under that key are performed in your CloudHSM cluster.
Master keys that are stored in a custom key store rather than the default KMS key store are managed in the same way as any other master key in KMS and can be used by any AWS service that supports customer managed CMKs.
The use of a custom key store involves the additional cost of the CloudHSM cluster and makes you responsible for the availability of the key material in that cluster. For guidance on whether custom key stores are a good fit for your requirements you can read this blog.
* The Custom Key Store feature is not available in the AWS China (Beijing) Region, operated by Sinnet and the AWS China (Ningxia) Region, operated by NWCD.
Security and quality controls in AWS KMS have been validated and certified by the following compliance schemes:
- AWS Service Organization Controls (SOC 1, SOC 2, and SOC 3) Reports. You can download a copy of these reports from AWS Artifact.
- PCI DSS Level 1. For more details on PCI DSS compliant services in AWS, you can read the PCI DSS FAQs.
- ISO 27001. For more details on ISO 27001 compliant services in AWS, you can read the ISO 27001 FAQs.
- ISO 27017. For more details on ISO 27017 compliant services in AWS, you can read the ISO-27017 FAQs.
- ISO 27018. For more details on ISO 27018 compliant services in AWS, you can read the ISO-27018 FAQs.
- ISO 9001. For more details on ISO 9001 compliant services in AWS, you can read the ISO-9001 FAQs.
- FIPS 140-2. The AWS KMS cryptographic module running firmware version 1.4.4 is validated at FIPS 140-2 Level 2 overall with Level 3 for several other categories, including physical security. For more details, you can view the FIPS 140-2 certificate for AWS KMS HSM along with the associated Security Policy.
- FedRAMP. You can get more details on AWS FedRAMP compliance at FedRAMP Compliance.
- HIPAA. For more details, you can visit the HIPAA Compliance page.