AWS Key Management Service (KMS)

Easily create and control the keys used to encrypt your data

AWS Key Management Service (KMS) makes it easy for you to create and manage encryption keys. You define permissions that control the use of your keys to access encrypted data across a wide range of AWS services and in your own applications. AWS KMS is a secure and resilient service that uses hardware security modules to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.


Fully managed

Avoid the need to build secure systems and to manage complex processes to protect your keys. KMS handles the full lifecycle of your keys so you can easily create, rotate, delete, and manage permissions on keys from the AWS Management Console or by using the AWS SDK or CLI.

Simplify encryption across AWS

Expand your use of encryption to protect your data. AWS KMS is integrated with AWS services to provide a control point to define and enforce access controls consistently across compute instances, databases, storage environments and tools such as data analytics and machine learning.

Easily deploy encryption yourself

Avoid risk and complexity as you build encryption into your own systems. Using simple APIs you can use AWS KMS as a centralized data encryption service. You can also build encryption capabilities directly into your applications using the AWS Encryption SDK and manage your keys through its integration with AWS KMS.

Confidence that your keys are secure

AWS manages the security controls required to protect your keys from unauthorized physical access. You manage the access policies and lifecycle of keys to protect them from unauthorized logical access. Your keys are protected by government-approved hardware security modules (HSMs). Once created, your master keys can only be used inside the government-approved HSMs. There are no mechanisms for anyone, including service operators, to export or view your keys.

Verify your keys are used correctly

AWS KMS is integrated with AWS CloudTrail to record all API requests. You can track and verify all attempts to use or manage your keys including encrypt and decrypt operations and changes that modify permissions. Logging API requests helps you manage risk, meet compliance requirements, and conduct forensic analysis.

Easy to get started

There is no commitment and there are no upfront charges to use AWS KMS. You are charged only when you use or manage your keys, and you pay only to store keys that you create.
