Amazon Key Management Service Documentation

Amazon Key Management Service (KMS) gives you centralized control over the cryptographic keys used to protect your data. The service is integrated with other services of Amazon Web Services China Regions, allowing you to encrypt data you store in these services and control access to the keys that decrypt it. Amazon KMS is also integrated with Amazon CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when. Amazon KMS enables developers to add encryption or digital signature functionality to their application code either directly or by using the Amazon SDK. The Amazon Encryption SDK supports Amazon KMS as a root key provider for developers who need to encrypt/decrypt data locally within their applications.

Amazon KMS provides you with centralized control over the lifecycle and permissions of your keys. You can create new keys and you can control who can manage keys separately from who can use them. As an alternative to using keys generated by Amazon KMS, you can import keys from your own key management infrastructure, or use keys stored in your Amazon CloudHSM cluster. You can choose automatic rotation of root keys generated in Amazon KMS once per year without the need to re-encrypt previously encrypted data. The service keeps older versions of the root key available to decrypt previously encrypted data. You can manage your root keys and audit their usage from the Amazon Management Console or by using the Amazon SDK or Amazon Command Line Interface (CLI).

* The option to import keys is not available for asymmetric keys.

Amazon KMS integrates with services of Amazon Web Services China Regions to encrypt data at rest, or to facilitate signing and verification using an Amazon KMS key. To protect data at rest, integrated services use envelope encryption, where a data key is used to encrypt data, and is itself encrypted under a KMS key stored in Amazon KMS. For signing and verification, integrated services use a key pair from an asymmetric KMS key in Amazon KMS. For more details about how an integrated service uses Amazon KMS, see the documentation for your service.

There are two types of KMS key resources that can be created in your Amazon Web Services account: (i) An Amazon Web Services Cloud managed KMS key can be created automatically when needed. You can list or inventory Amazon Web Services Cloud managed KMS keys and receive a record of their use in Amazon CloudTrail, but permissions for the resource are managed by the service it was created to be used with. (ii) A customer managed KMS key gives you the highest degree of control over the permissions and lifecycle of the key.

If you have Amazon CloudTrail enabled for your Amazon Web Services account, each request you make to Amazon KMS is recorded in a log file that is delivered to the Amazon S3 bucket that you specified when you enabled Amazon CloudTrail.

Amazon KMS is a fully managed service. As your use of encryption grows, the service automatically scales to meet your needs. It enables you to manage thousands of KMS keys in your account and to use them whenever you want. It defines default limits for number of keys and request rates, but you can request increased limits if necessary.

The KMS keys you create or ones that are created on your behalf by other services of Amazon Web Services China Regions cannot be exported from the service. To help ensure that your keys and your data is highly available, it stores multiple copies of encrypted versions of your keys.

If you import keys into the service, you maintain a secure copy of the KMS keys so that you can re-import them if they are not available when you need to use them. 

For encrypted data or digital signature workflows that move across China Regions, you can create KMS multi-Region keys, a set of interoperable keys with the same key material and key IDs that can be replicated into multiple China Regions.

Amazon KMS is designed to be a highly available service with a regional API endpoint. As most services of Amazon Web Services China Regions rely on it for encryption and decryption, it is architected to provide a level of availability that supports the rest of services and is backed by the Amazon KMS Service Level Agreement.

Security and quality controls in Amazon KMS have been validated and certified by compliance regimes including:

• Amazon Service Organization Controls (SOC 1, SOC 2, and SOC 3) Reports.
  
• PCI DSS Level 1.
  
• FIPS 140-2. The Amazon KMS cryptographic module is validated, or in the process of being validated, at FIPS 140-2 Level 2 overall with Level 3 for several other categories, including physical security
• FedRAMP.
  
• HIPAA. 

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.amazonaws.cn/en_us/. This additional information does not form part of the Documentation for purposes of the Sinnet Customer Agreement for Amazon Web Services (Beijing Region), Western Cloud Data Customer Agreement for Amazon Web Services (Ningxia Region) or other agreement between you and Sinnet or NWCD governing your use of services of Amazon Web Services China Regions.