Skip to main content

Amazon Key Management Service

  • Products
  • Amazon Key Management Service (KMS)

Amazon Key Management Service FAQs

Page topics

General

Open all

Amazon KMS is a managed service that enables you to easily encrypt your data. Amazon KMS provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across Amazon Web Services services.

If you are a developer who needs to encrypt data in your applications, you should use the Amazon Web Services Encryption SDK equipped with Amazon KMS support to easily use and protect encryption keys. If you’re an IT administrator looking for a scalable key management infrastructure to support your developers and their growing number of applications, you should use Amazon KMS to reduce your licensing costs and operational burden. If you’re responsible for proving data security for regulatory or compliance purposes, you should use Amazon KMS to verify that data is encrypted consistently across the applications where it is used and stored.

The easiest way is to get started using Amazon KMS is to choose to encrypt your data within supported Amazon Web Services services using Amazon Web Services managed master keys that are automatically created in your account for each service. If you want full control over the management of your keys, including the ability to share access across accounts or services, you can create your own master keys in KMS. You can also use the master keys that you create in KMS directly within your own applications. Amazon KMS can be accessed from the KMS console that is grouped under Security, Identity, & Compliance on the Amazon Services home page of the Amazon Web Services Console. KMS APIs can also be accessed directly through the Amazon KMS Command Line Interface or Amazon SDK for programmatic access. KMS APIs can be used indirectly to encrypt data within your own applications by using the Amazon Encryption SDK. Visit the Getting Started page to learn more.

You can perform the following key management functions in Amazon KMS:
• Create keys with a unique alias and description
• Define which IAM users and roles can manage keys
• Define which IAM users and roles can use keys to encrypt and decrypt data
• Choose to have Amazon KMS automatically rotate your keys on an annual basis
• Temporarily disable keys so they cannot be used by anyone
• Re-enable disabled keys
• Delete keys that you no longer use
• Audit use of keys by inspecting logs in Amazon CloudTrail

Amazon KMS allows you to centrally manage and securely store your keys. These are known as customer master keys or, CMKs. These master keys are generated and protected by government-approved hardware security modules (HSMs) and are only ever used in plaintext within those modules. You can submit data directly to KMS to be encrypted or decrypted using these master keys. You set usage policies on these keys that determine which users can use them to encrypt and decrypt data under which conditions.
Amazon KMS is integrated with Amazon Web Services services and client-side toolkits that use a method known as envelope encryption to encrypt your data. Under this method, KMS generates data keys which are used to encrypt data and are themselves encrypted using your master keys in KMS. Data keys are not retained or managed by KMS. Amazon services encrypt your data and store an encrypted copy of the data key along with the data it protects. When you ask an Amazon Web Services service to decrypt your data, it requests KMS on your behalf to first decrypt the data key using the correct master key. If the user requesting data from the Amazon Web Services service is authorized to decrypt under your master key policy, the service will receive the decrypted data key from KMS with which it can decrypt your data. All requests to use your master keys are logged in Amazon CloudTrail so you can understand who used which master key under which conditions.

There are typically three scenarios for how data is encrypted using Amazon KMS. Firstly, you can use KMS APIs directly to encrypt and decrypt data using your master keys stored in KMS. Secondly, you can choose to have Amazon Web Services services encrypt your data using your master keys stored in KMS. In this case data is encrypted using data keys that are protected by your master keys in KMS. Thirdly, you can use the Amazon Web Services Encryption SDK that is integrated with Amazon Web Services KMS to perform encryption within your own applications, whether they operate in Amazon Web Services network or not.

Amazon KMS is seamlessly integrated with a range of Amazon Web Services services to make encrypting data in those services as easy as checking a box. In some cases data is encrypted by default using keys that are stored in KMS but owned and managed by the Amazon Web Services service. In other cases the master keys are owned and managed by you within your account. Some services give you the choice of managing the keys yourself or allowing the service to manage the keys on your behalf. See the list of Amazon Web Services services currently integrated with KMS.

While Amazon KMS does support sending data less than 4 KB to be encrypted directly, envelope encryption can offer significant performance benefits. When you encrypt data directly with Amazon KMS it must be transferred over the network. Envelope encryption reduces the network load since only the request and delivery of the much smaller data key goes over the network. The data key is used locally in your application or encrypting Amazon Web Services service, avoiding the need to send the entire block of data to KMS and suffer network latency.

You have the option of specifying a specific customer master key (CMK) to use when you want an Amazon Web Services service to encrypt data on your behalf. These are known as customer managed CMKs and you have full control over them. You define the access and lifecycle policies for each key and you can grant permissions to other accounts to use them if you wish. You are billed for each month one of these keys exists in your account and you are billed for KMS API requests.

If you don’t specify a customer managed CMK, the service in question will create an Amazon Web Services managed CMK the first time you try to create an encrypted resource within that service. Amazon Web Services manages the access and lifecycle policies for Amazon Web Services managed CMKs on your behalf; you aren’t allowed to modify anything about these types of keys. Also, users outside the account in which the Amazon Web Services managed CMK exists cannot use this key. You can verify the Amazon Web Services managed keys in your account and all usage is logged in Amazon CloudTrail, but you have no direct control over the keys themselves. You are not billed for any of these keys that exist in your account. However, you are billed for KMS API requests.

Creating your own CMK in Amazon KMS gives you more control than you have with Amazon Web Services managed CMKs. When you create a customer managed CMK you can define an alias and description for the key and opt-in to have the key automatically rotated once per year. You also define all the permissions on the key to control who can use or manage the key, including users outside your account.

Yes. You can import a copy of your key from your own key management infrastructure to Amazon KMS and use it with any integrated Amazon service or from within your own applications. You cannot import asymmetric CMKs into Amazon KMS.

Yes. You can choose to have KMS automatically rotate KMS keys in a configurable range of days (from 90 days to 2560 days (7 years) or use the RotateKeyOnDemand API to invoke immediate key rotation (lifetime limit of 10 on-demand rotations per key).

If you choose to have Amazon KMS automatically rotate keys, you don’t have to re-encrypt your data. Amazon KMS automatically keeps previous versions of keys to use for decryption of data encrypted under an old version of a key. All new encryption requests against a key in Amazon KMS are encrypted under the newest version of that key.


Yes. You can schedule deletion for a customer managed CMK and its associated metadata with a configurable waiting period from 7 to 30 days. This waiting period allows you to verify the impact of deleting a key on your applications and users that depend on it. The default waiting period is 30 days. You can cancel key deletion during the waiting period. The key cannot be used if it is scheduled for deletion until you cancel the deletion during the waiting period. The key gets deleted at the end of the configurable waiting period if you don’t cancel the deletion. Once a key is deleted, you can no longer use it. All data protected under a deleted master key is inaccessible.

Yes. Amazon KMS is supported in Amazon SDKs, the Amazon Web Services Encryption SDK, the Amazon DynamoDB Encryption Client, and the Amazon S3 Encryption Client to facilitate encryption of data within your own applications wherever they run. Visit the Developing on Amazon Web Services websites for more information.

You can create up to 10,000 CMKs per account per region by default. This is a soft limit that can be raised if you wish. As both enabled and disabled CMKs count towards the limit, we recommend deleting keys that you no longer use. Amazon Web Services managed CMKs created on your behalf for use within supported Amazon Web Services services do not count against this limit. There is no limit to the number of data keys that can be generated and protected under a CMK. You may request a limit increase for customer master keys by visiting the Amazon Support Center .

Yes. The Amazon KMS SLA provides for a service credit if a customer's monthly uptime percentage is below our service commitment in any billing cycle.

Billing

Open all

With Amazon KMS, you pay only for what you use, there is no minimum fee. There are no set-up fees or commitments to begin using the service. At the end of the month, you will automatically be billed for that month’s usage.
You are billed for all customer managed (CMKs) you create, and for API requests made to the service each month. You are not charged for the existence of Amazon Web Services managed CMKs created on your behalf, but you will be charged each time they are used.
For current pricing information, please visit the Amazon KMS pricing page .

Except as otherwise noted, our prices are exclusive of applicable taxes, including applicable sales tax.

Security

Open all

Amazon KMS enforces access and lifecycle policies that you define. You choose to allow Amazon Web Services Identity and Access Management (IAM) users and roles from your account or other accounts to use and manage your keys.

Amazon KMS is designed so that no one, including service operators, can retrieve your plaintext master keys from the service. The service uses government-approved hardware security modules (HSMs) to protect the confidentiality and integrity of your keys. Your master keys are never transmitted outside of the Amazon Web Services region in which they were created and can only be used within that region.

No, the HSMs used in the Amazon Web Services China (Beijing) Region, operated by Sinnet and the Amazon Web Services China (Ningxia) Region, operated by NWCD are approved for use by the Chinese government, but they are not validated under FIPS 140-2.

You can request that Amazon KMS generate data keys and return them for use in your own application. The plaintext data key and a copy encrypted under the master key you define are returned together. This allows you to safely store the encrypted data key along with your data after encrypting it using the plaintext data key. Your encrypted data key (and therefore your source data) can only be decrypted by users with permissions to use the original master key to decrypt your encrypted data key.

No. Master keys are created and used only within Amazon KMS to help ensure their security, enable your policies to be consistently enforced, and provide a centralized log of their use.

Master keys generated by Amazon KMS are only stored and used in the region in which they were created. They cannot be transferred to another region.

Logs in Amazon CloudTrail will show all KMS API requests, including both management requests (e.g. create, rotate, disable, policy edits) and cryptographic requests (e.g. encrypt/decrypt). Turn on Amazon CloudTrail in your account to view these logs.