General
Amazon KMS is a managed service that enables you to easily encrypt your data. Amazon KMS provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across Amazon Web Services services.
Q: Why should I use Amazon KMS?
If you are a developer who needs to encrypt data in your applications, you should use the Amazon Web Services Encryption SDK equipped with Amazon KMS support to easily use and protect encryption keys. If you’re an IT administrator looking for a scalable key management infrastructure to support your developers and their growing number of applications, you should use Amazon KMS to reduce your licensing costs and operational burden. If you’re responsible for proving data security for regulatory or compliance purposes, you should use Amazon KMS to verify that data is encrypted consistently across the applications where it is used and stored.
Q: How do I get started with Amazon KMS?
The easiest way to get started with Amazon KMS is to encrypt your data within supported Amazon Web Services services using Amazon Web Services managed master keys that are automatically created in your account for each service. If you want full control over the management of your keys, including the ability to share access across accounts or services, you can create your own master keys in KMS. You can also use the master keys that you create in KMS directly within your own applications. Amazon KMS can be accessed from the KMS console, which is grouped under Security, Identity, & Compliance on the Amazon Services home page of the Amazon Web Services Console. KMS APIs can also be accessed directly through the Amazon KMS Command Line Interface or the Amazon SDK for programmatic access. KMS APIs can be used indirectly to encrypt data within your own applications by using the Amazon Encryption SDK. Visit the Getting Started page to learn more.
Q: What key management features are available in Amazon KMS?
You can perform the following key management functions in Amazon KMS:
• Create keys with a unique alias and description
• Define which IAM users and roles can manage keys
• Define which IAM users and roles can use keys to encrypt and decrypt data
• Choose to have Amazon KMS automatically rotate your keys on an annual basis
• Temporarily disable keys so they cannot be used by anyone
• Re-enable disabled keys
• Delete keys that you no longer use
• Audit use of keys by inspecting logs in Amazon CloudTrail
Q: How does Amazon KMS work?
Amazon KMS allows you to centrally manage and securely store your keys. These are known as customer master keys, or CMKs. These master keys are generated and protected by government-approved hardware security modules (HSMs) and are only ever used in plaintext within those modules. You can submit data directly to KMS to be encrypted or decrypted using these master keys. You set usage policies on these keys that determine which users can use them to encrypt and decrypt data under which conditions.
Amazon KMS is integrated with Amazon Web Services services and client-side toolkits that use a method known as envelope encryption to encrypt your data. Under this method, KMS generates data keys which are used to encrypt data and are themselves encrypted using your master keys in KMS. Data keys are not retained or managed by KMS. Amazon services encrypt your data and store an encrypted copy of the data key along with the data it protects. When you ask an Amazon Web Services service to decrypt your data, it requests KMS on your behalf to first decrypt the data key using the correct master key. If the user requesting data from the Amazon Web Services service is authorized to decrypt under your master key policy, the service will receive the decrypted data key from KMS with which it can decrypt your data. All requests to use your master keys are logged in Amazon CloudTrail so you can understand who used which master key under which conditions.
Q: Where is my data encrypted if I use Amazon KMS?
There are typically three scenarios for how data is encrypted using Amazon KMS. Firstly, you can use KMS APIs directly to encrypt and decrypt data using your master keys stored in KMS. Secondly, you can choose to have Amazon Web Services services encrypt your data using your master keys stored in KMS. In this case data is encrypted using data keys that are protected by your master keys in KMS. Thirdly, you can use the Amazon Web Services Encryption SDK that is integrated with Amazon Web Services KMS to perform encryption within your own applications, whether they operate in the Amazon Web Services network or not.
Q: Which Amazon Web Services cloud services are integrated with Amazon KMS?
Amazon KMS is seamlessly integrated with a range of Amazon Web Services services to make encrypting data in those services as easy as checking a box. In some cases data is encrypted by default using keys that are stored in KMS but owned and managed by the Amazon Web Services service. In other cases the master keys are owned and managed by you within your account. Some services give you the choice of managing the keys yourself or allowing the service to manage the keys on your behalf. See the list of Amazon Web Services services currently integrated with KMS.
Q: Why use envelope encryption? Why not just send data to Amazon KMS to encrypt directly?
While Amazon KMS does support sending data less than 4 KB to be encrypted directly, envelope encryption can offer significant performance benefits. When you encrypt data directly with Amazon KMS it must be transferred over the network. Envelope encryption reduces the network load since only the request and delivery of the much smaller data key goes over the network. The data key is used locally in your application or encrypting Amazon Web Services service, avoiding the need to send the entire block of data to KMS and suffer network latency.
Q: What’s the difference between a master key I create and master keys created automatically for me by other Amazon Web Services services?
You have the option of specifying a specific customer master key (CMK) to use when you want an Amazon Web Services service to encrypt data on your behalf. These are known as customer managed CMKs and you have full control over them. You define the access and lifecycle policies for each key and you can grant permissions to other accounts to use them if you wish. You are billed for each month one of these keys exists in your account and you are billed for KMS API requests.
If you don’t specify a customer managed CMK, the service in question will create an Amazon Web Services managed CMK the first time you try to create an encrypted resource within that service. Amazon Web Services manages the access and lifecycle policies for Amazon Web Services managed CMKs on your behalf; you aren’t allowed to modify anything about these types of keys. Also, users outside the account in which the Amazon Web Services managed CMK exists cannot use this key. You can verify the Amazon Web Services managed keys in your account and all usage is logged in Amazon CloudTrail, but you have no direct control over the keys themselves. You are not billed for any of these keys that exist in your account. However, you are billed for KMS API requests.
Creating your own CMK in Amazon KMS gives you more control than you have with Amazon Web Services managed CMKs. When you create a customer managed CMK you can define an alias and description for the key and opt-in to have the key automatically rotated once per year. You also define all the permissions on the key to control who can use or manage the key, including users outside your account.
If you choose to have Amazon KMS automatically rotate keys, you don’t have to re-encrypt your data. Amazon KMS automatically keeps previous versions of keys to use for decryption of data encrypted under an old version of a key. All new encryption requests against a key in Amazon KMS are encrypted under the newest version of that key.
Q: Can I delete a CMK from Amazon KMS?
Yes. You can schedule deletion for a customer managed CMK and its associated metadata with a configurable waiting period from 7 to 30 days. This waiting period allows you to verify the impact of deleting a key on your applications and users that depend on it. The default waiting period is 30 days. You can cancel key deletion during the waiting period. The key cannot be used if it is scheduled for deletion until you cancel the deletion during the waiting period. The key gets deleted at the end of the configurable waiting period if you don’t cancel the deletion. Once a key is deleted, you can no longer use it. All data protected under a deleted master key is inaccessible.
Q: Can I use Amazon KMS to help manage encryption of data outside of Amazon Web Services services?
Yes. Amazon KMS is supported in Amazon SDKs, the Amazon Web Services Encryption SDK, the Amazon DynamoDB Encryption Client, and the Amazon S3 Encryption Client to facilitate encryption of data within your own applications wherever they run. Visit the Developing on Amazon Web Services websites for more information.
Q: Does Amazon KMS offer a Service Level Agreement (SLA)?
Yes. The Amazon KMS SLA provides for a service credit if a customer's monthly uptime percentage is below our service commitment in any billing cycle.
Billing
With Amazon KMS, you pay only for what you use; there is no minimum fee. There are no set-up fees or commitments to begin using the service. At the end of the month, you will automatically be billed for that month’s usage.
You are billed for all customer managed CMKs you create, and for API requests made to the service each month. You are not charged for the existence of Amazon Web Services managed CMKs created on your behalf, but you will be charged each time they are used.
For current pricing information, please visit the Amazon KMS pricing page.
Q: Do your prices include taxes?
Except as otherwise noted, our prices are exclusive of applicable taxes, including applicable sales tax.
Security
Amazon KMS enforces access and lifecycle policies that you define. You choose to allow Amazon Web Services Identity and Access Management (IAM) users and roles from your account or other accounts to use and manage your keys.
Q: How does Amazon secure the master keys that I create inside Amazon Web Services KMS?
Amazon KMS is designed so that no one, including service operators, can retrieve your plaintext master keys from the service. The service uses government-approved hardware security modules (HSMs) to protect the confidentiality and integrity of your keys. Your master keys are never transmitted outside of the Amazon Web Services region in which they were created and can only be used within that region.
Q: Are the HSMs used validated under FIPS 140-2?
No. The HSMs used in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD, are approved for use by the Chinese government, but they are not validated under FIPS 140-2.
Q: How does Amazon KMS secure the data keys I export and use in my application?
You can request that Amazon KMS generate data keys and return them for use in your own application. The plaintext data key and a copy encrypted under the master key you define are returned together. This allows you to safely store the encrypted data key along with your data after encrypting it using the plaintext data key. Your encrypted data key (and therefore your source data) can only be decrypted by users with permissions to use the original master key to decrypt your encrypted data key.
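The envelope flow described in "Why use envelope encryption?" above and in this answer, as an added example that is not AWS's code: a constructed in-memory stand-in for GenerateDataKey, Encrypt and Decrypt (master key bytes never leave it, and Encrypt refuses more than 4 KB), with an HMAC-based encrypt-then-MAC routine standing in for AES-GCM because the Python standard library has no AEAD cipher. The alias alias/app-key is hypothetical; against a real boto3 KMS client the same calls are generate_data_key and decrypt.

```python
import hashlib
import hmac
import os

def _stream(key, nonce, n):  # HMAC-SHA256 counter keystream (stdlib stand-in for AES-GCM)
    return b"".join(hmac.new(key, b"\x00" + nonce + i.to_bytes(4, "big"), hashlib.sha256)
                    .digest() for i in range((n // 32) + 1))[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"\x01" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"\x01" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class FakeKms:
    """Constructed in-memory stand-in for the three KMS calls the FAQ describes.
    Master key bytes live only inside this object and are never returned."""
    DIRECT_LIMIT = 4096  # Encrypt only accepts data up to 4 KB, as the FAQ states

    def __init__(self):
        self._masters = {"alias/app-key": os.urandom(32)}  # hypothetical key alias

    def encrypt(self, KeyId, Plaintext):
        if len(Plaintext) > self.DIRECT_LIMIT:
            raise ValueError("payload exceeds 4 KB; use envelope encryption instead")
        return {"CiphertextBlob": seal(self._masters[KeyId], Plaintext)}

    def generate_data_key(self, KeyId):
        dk = os.urandom(32)  # plaintext data key plus a copy wrapped under the master key
        return {"Plaintext": dk, "CiphertextBlob": seal(self._masters[KeyId], dk)}

    def decrypt(self, KeyId, CiphertextBlob):  # real KMS reads the key id from the blob
        return {"Plaintext": unseal(self._masters[KeyId], CiphertextBlob)}

def envelope_encrypt(kms, key_id, data):
    """Encrypt locally with a data key; store only the wrapped data key beside the ciphertext."""
    dk = kms.generate_data_key(KeyId=key_id)
    return {"key_id": key_id, "encrypted_data_key": dk["CiphertextBlob"],
            "ciphertext": seal(dk["Plaintext"], data)}  # plaintext data key is dropped here

def envelope_decrypt(kms, env):
    """Only the small wrapped key crosses the network; the bulk data is decrypted locally."""
    dk = kms.decrypt(KeyId=env["key_id"], CiphertextBlob=env["encrypted_data_key"])
    return unseal(dk["Plaintext"], env["ciphertext"])
```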
Q: Can I export a master key from Amazon KMS and use it in my own applications?
No. Master keys are created and used only within Amazon KMS to help ensure their security, enable your policies to be consistently enforced, and provide a centralized log of their use.
Q: What geographic region are my keys stored in?
Master keys generated by Amazon KMS are only stored and used in the region in which they were created. They cannot be transferred to another region.
Q: How can I tell who used or changed the configuration of my keys in Amazon KMS?
Logs in Amazon CloudTrail will show all KMS API requests, including both management requests (e.g. create, rotate, disable, policy edits) and cryptographic requests (e.g. encrypt/decrypt). Turn on Amazon CloudTrail in your account to view these logs.
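An added example (not AWS tooling) of reading those logs the way this answer describes: constructed CloudTrail-shaped KMS records are split into management and cryptographic calls, successful use is tallied per principal and key, denied attempts are counted separately, and the management calls that remove or weaken access to data are flagged. The principal ARNs and key alias are hypothetical, and eventSource is matched by prefix so a regional suffix on the service name is also accepted.

```python
from collections import Counter

MANAGEMENT = {"CreateKey", "CreateAlias", "PutKeyPolicy", "EnableKeyRotation", "DisableKeyRotation",
              "DisableKey", "EnableKey", "ScheduleKeyDeletion", "CancelKeyDeletion"}
CRYPTOGRAPHIC = {"Encrypt", "Decrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "ReEncrypt"}
# Management calls that remove or weaken access to data protected by a key: worth an alert.
HIGH_RISK = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy", "DisableKeyRotation"}

def _rec(name, arn, key, ip="10.0.1.5", **extra):
    """Build a constructed CloudTrail-shaped record (not real log data)."""
    rec = {"eventSource": "kms.amazonaws.com", "eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"arn": arn}, "requestParameters": {"keyId": key}}
    rec.update(extra)
    return rec

APP = "arn:aws:iam::111122223333:role/app-role"   # hypothetical principals and key alias
ADMIN = "arn:aws:iam::111122223333:user/admin"
KEY = "alias/app-key"
SAMPLE_EVENTS = [
    _rec("GenerateDataKey", APP, KEY),
    _rec("Decrypt", APP, KEY),
    _rec("Decrypt", "arn:aws:iam::111122223333:user/intern", KEY, errorCode="AccessDeniedException"),
    _rec("ScheduleKeyDeletion", ADMIN, KEY, ip="203.0.113.9"),
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": {"arn": APP}},
]

def classify(event):
    name = event["eventName"]
    if name in MANAGEMENT:
        return "management"
    if name in CRYPTOGRAPHIC:
        return "cryptographic"
    return "other"

def triage(events):
    """Summarise who used which key, and flag denied use and high-risk management calls."""
    usage, denied, alerts = Counter(), Counter(), []
    for ev in events:
        if not ev.get("eventSource", "").startswith("kms.amazonaws.com"):
            continue  # only KMS API requests; prefix match tolerates a regional suffix
        who = ev["userIdentity"]["arn"]
        key = ev.get("requestParameters", {}).get("keyId", "?")
        if classify(ev) == "cryptographic":
            bucket = denied if "errorCode" in ev else usage
            bucket[(who, key)] += 1
        if ev["eventName"] in HIGH_RISK:
            alerts.append(f"{ev['eventName']} on {key} by {who} from {ev.get('sourceIPAddress')}")
    return usage, denied, alerts
```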