AWS KMS is a managed service that enables you to easily encrypt your data. AWS KMS provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services.
Q: Why should I use AWS KMS?
If you are a developer who needs to encrypt data in your applications, you should use the AWS Encryption SDK equipped with AWS KMS support to easily use and protect encryption keys. If you’re an IT administrator looking for a scalable key management infrastructure to support your developers and their growing number of applications, you should use AWS KMS to reduce your licensing costs and operational burden. If you’re responsible for proving data security for regulatory or compliance purposes, you should use AWS KMS to verify that data is encrypted consistently across the applications where it is used and stored.
Q: How do I get started with AWS KMS?
The easiest way to get started using AWS KMS is to choose to encrypt your data within supported AWS services using AWS managed master keys that are automatically created in your account for each service. If you want full control over the management of your keys, including the ability to share access across accounts or services, you can create your own master keys in KMS. You can also use the master keys that you create in KMS directly within your own applications. AWS KMS can be accessed from the KMS console that is grouped under Security, Identity, & Compliance on the AWS Services home page of the AWS Console. KMS APIs can also be accessed directly through the AWS KMS Command Line Interface or AWS SDK for programmatic access. KMS APIs can be used indirectly to encrypt data within your own applications by using the AWS Encryption SDK. Visit the Getting Started page to learn more.
Q: What key management features are available in AWS KMS?
You can perform the following key management functions in AWS KMS:
• Create keys with a unique alias and description
• Define which IAM users and roles can manage keys
• Define which IAM users and roles can use keys to encrypt and decrypt data
• Choose to have AWS KMS automatically rotate your keys on an annual basis
• Temporarily disable keys so they cannot be used by anyone
• Re-enable disabled keys
• Delete keys that you no longer use
• Audit use of keys by inspecting logs in AWS CloudTrail
Q: How does AWS KMS work?
AWS KMS allows you to centrally manage and securely store your keys. These are known as customer master keys, or CMKs. These master keys are generated and protected by government-approved hardware security modules (HSMs) and are only ever used in plaintext within those modules. You can submit data directly to KMS to be encrypted or decrypted using these master keys. You set usage policies on these keys that determine which users can use them to encrypt and decrypt data under which conditions.
AWS KMS is integrated with AWS services and client-side toolkits that use a method known as envelope encryption to encrypt your data. Under this method, KMS generates data keys which are used to encrypt data and are themselves encrypted using your master keys in KMS. Data keys are not retained or managed by KMS. AWS services encrypt your data and store an encrypted copy of the data key along with the data it protects. When you ask an AWS service to decrypt your data, it requests KMS on your behalf to first decrypt the data key using the correct master key. If the user requesting data from the AWS service is authorized to decrypt under your master key policy, the service will receive the decrypted data key from KMS with which it can decrypt your data. All requests to use your master keys are logged in AWS CloudTrail so you can understand who used which master key under which conditions.
Q: Where is my data encrypted if I use AWS KMS?
There are typically three scenarios for how data is encrypted using AWS KMS. Firstly, you can use KMS APIs directly to encrypt and decrypt data using your master keys stored in KMS. Secondly, you can choose to have AWS services encrypt your data using your master keys stored in KMS. In this case data is encrypted using data keys that are protected by your master keys in KMS. Thirdly, you can use the AWS Encryption SDK that is integrated with AWS KMS to perform encryption within your own applications, whether or not they operate within the AWS network.
Q: Which AWS cloud services are integrated with AWS KMS?
AWS KMS is seamlessly integrated with a range of AWS services to make encrypting data in those services as easy as checking a box. In some cases data is encrypted by default using keys that are stored in KMS but owned and managed by the AWS service. In other cases the master keys are owned and managed by you within your account. Some services give you the choice of managing the keys yourself or allowing the service to manage the keys on your behalf. See the list of AWS services currently integrated with KMS.
Q: Why use envelope encryption? Why not just send data to AWS KMS to encrypt directly?
While AWS KMS does support sending data less than 4 KB to be encrypted directly, envelope encryption can offer significant performance benefits. When you encrypt data directly with AWS KMS it must be transferred over the network. Envelope encryption reduces the network load since only the request and delivery of the much smaller data key goes over the network. The data key is used locally in your application or encrypting AWS service, avoiding the need to send the entire block of data to KMS and suffer network latency.
Q: What’s the difference between a master key I create and master keys created automatically for me by other AWS services?
You have the option of specifying a specific customer master key (CMK) to use when you want an AWS service to encrypt data on your behalf. These are known as customer managed CMKs and you have full control over them. You define the access and lifecycle policies for each key and you can grant permissions to other accounts to use them if you wish. You are billed for each month one of these keys exists in your account and you are billed for KMS API requests.
If you don’t specify a customer managed CMK, the service in question will create an AWS managed CMK the first time you try to create an encrypted resource within that service. AWS manages the access and lifecycle policies for AWS managed CMKs on your behalf; you aren’t allowed to modify anything about these types of keys. Also, users outside the account in which the AWS managed CMK exists cannot use this key. You can verify the AWS managed keys in your account and all usage is logged in AWS CloudTrail, but you have no direct control over the keys themselves. You are not billed for any of these keys that exist in your account. However, you are billed for KMS API requests.
Creating your own CMK in AWS KMS gives you more control than you have with AWS managed CMKs. When you create a customer managed CMK you can define an alias and description for the key and opt-in to have the key automatically rotated once per year. You also define all the permissions on the key to control who can use or manage the key, including users outside your account.
Yes. You can choose to have AWS KMS automatically rotate customer managed CMKs every year. AWS KMS automatically rotates all AWS managed CMKs every three years.
If you choose to have AWS KMS automatically rotate keys, you don’t have to re-encrypt your data. AWS KMS automatically keeps previous versions of keys to use for decryption of data encrypted under an old version of a key. All new encryption requests against a key in AWS KMS are encrypted under the newest version of that key.
Q: Can I delete a CMK from AWS KMS?
Yes. You can schedule deletion for a customer managed CMK and its associated metadata with a configurable waiting period from 7 to 30 days. This waiting period allows you to verify the impact of deleting a key on your applications and users that depend on it. The default waiting period is 30 days. You can cancel key deletion during the waiting period. The key cannot be used if it is scheduled for deletion until you cancel the deletion during the waiting period. The key gets deleted at the end of the configurable waiting period if you don’t cancel the deletion. Once a key is deleted, you can no longer use it. All data protected under a deleted master key is inaccessible.
Q: Can I use AWS KMS to help manage encryption of data outside of AWS services?
Yes. AWS KMS is supported in AWS SDKs, the AWS Encryption SDK, the Amazon DynamoDB Encryption Client, and the Amazon S3 Encryption Client to facilitate encryption of data within your own applications wherever they run. Visit the Developing on AWS websites for more information.
Q: Does AWS KMS offer a Service Level Agreement (SLA)?
Yes. The AWS KMS SLA provides for a service credit if a customer's monthly uptime percentage is below our service commitment in any billing cycle.
With AWS KMS, you pay only for what you use; there is no minimum fee. There are no set-up fees or commitments to begin using the service. At the end of the month, you will automatically be billed for that month’s usage.
You are billed for all customer managed CMKs you create, and for API requests made to the service each month. You are not charged for the existence of AWS managed CMKs created on your behalf, but you will be charged each time they are used.
For current pricing information, please visit the AWS KMS pricing page.
Q: Do your prices include taxes?
Except as otherwise noted, our prices are exclusive of applicable taxes, including applicable sales tax.
AWS KMS enforces access and lifecycle policies that you define. You choose to allow AWS Identity and Access Management (IAM) users and roles from your account or other accounts to use and manage your keys.
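The split between principals that manage a key and principals that use it can be checked mechanically against a key policy document. The following is an added example, not AWS code: the policy, account IDs, role names and the `review` helper are constructed for illustration, and the action-prefix lists are an assumed grouping of KMS actions into the two classes this FAQ describes.

```python
import json

# Action-name prefixes for the two permission classes the FAQ describes:
# managing a key versus using it to encrypt and decrypt data.
MANAGE = ("kms:Create", "kms:Put", "kms:Update", "kms:Enable", "kms:Disable",
          "kms:Revoke", "kms:Delete", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion")
USE = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey")

# Constructed key policy: account IDs and role names are placeholders.
IAM = "arn:aws-cn:iam::"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdmins", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": IAM + "111122223333:role/key-admin"},
     "Action": ["kms:Create*", "kms:Put*", "kms:Disable*", "kms:ScheduleKeyDeletion"]},
    {"Sid": "KeyUsers", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": [IAM + "111122223333:role/app", IAM + "444455556666:root"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"]},
    {"Sid": "Ops", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": IAM + "111122223333:role/ops"}, "Action": "kms:*"},
]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _classes(action):
    """Classify one action string as manage, use, both, or neither (read-only)."""
    if action in ("*", "kms:*"):
        return {"manage", "use"}
    manage = {"manage"} if action.startswith(MANAGE) else set()
    return manage | ({"use"} if action.startswith(USE) else set())

def review(policy_text, own_account):
    """Return (principal -> classes granted, principals worth a closer look)."""
    grants = {}
    for st in json.loads(policy_text)["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        who = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in who:
            for action in _as_list(st.get("Action", [])):
                grants.setdefault(p, set()).update(_classes(action))
    flagged = []
    for p, classes in sorted(grants.items()):
        external = f"::{own_account}:" not in p  # other account, or "*"
        if external or classes == {"manage", "use"}:
            flagged.append(p)
    return grants, flagged
```

A statement that grants `kms:*` to the account root, as in a default key policy, is listed as well; that entry delegates access decisions to IAM policies, so those need the same review.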
Q: How does AWS secure the master keys that I create inside AWS KMS?
AWS KMS is designed so that no one, including service operators, can retrieve your plaintext master keys from the service. The service uses government-approved hardware security modules (HSMs) to protect the confidentiality and integrity of your keys. Your master keys are never transmitted outside of the AWS region in which they were created and can only be used within that region.
Q: Are the HSMs used validated under FIPS 140-2?
No. The HSMs used in the AWS China (Beijing) Region, operated by Sinnet, and the AWS China (Ningxia) Region, operated by NWCD, are approved for use by the Chinese government, but they are not validated under FIPS 140-2.
Q: How does AWS KMS secure the data keys I export and use in my application?
You can request that AWS KMS generate data keys and return them for use in your own application. The plaintext data key and a copy encrypted under the master key you define are returned together. This allows you to safely store the encrypted data key along with your data after encrypting it using the plaintext data key. Your encrypted data key (and therefore your source data) can only be decrypted by users with permissions to use the original master key to decrypt your encrypted data key.
Q: Can I export a master key from AWS KMS and use it in my own applications?
No. Master keys are created and used only within AWS KMS to help ensure their security, enable your policies to be consistently enforced, and provide a centralized log of their use.
Q: What geographic region are my keys stored in?
Master keys generated by AWS KMS are only stored and used in the region in which they were created. They cannot be transferred to another region.
Q: How can I tell who used or changed the configuration of my keys in AWS KMS?
Logs in AWS CloudTrail will show all KMS API requests, including both management requests (e.g. create, rotate, disable, policy edits) and cryptographic requests (e.g. encrypt/decrypt). Turn on AWS CloudTrail in your account to view these logs.
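A first-pass triage of those logs separates management requests from cryptographic ones per caller and pulls out the changes that can cut off or widen access to a key. This is an added example, not AWS code: the log records, ARNs and the `triage` helper are constructed, and the choice of which event names count as high impact is an assumption.

```python
import json
from collections import Counter

# Event names grouped the way the FAQ groups them: management requests
# (create, rotate, disable, policy edits, deletion) vs cryptographic requests.
MANAGEMENT = {"CreateKey", "EnableKeyRotation", "DisableKeyRotation", "DisableKey",
              "EnableKey", "PutKeyPolicy", "ScheduleKeyDeletion", "CancelKeyDeletion"}
CRYPTOGRAPHIC = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
                 "GenerateDataKeyWithoutPlaintext"}
# Assumed shortlist: successful changes that can cut off or widen access to a key.
HIGH_IMPACT = {"DisableKey", "PutKeyPolicy", "ScheduleKeyDeletion"}

KEY = "arn:aws-cn:kms:cn-north-1:111122223333:key/EXAMPLE-KEY-ID"     # placeholder
APP = "arn:aws-cn:sts::111122223333:assumed-role/app-role/i-EXAMPLE"  # placeholder
ADMIN = "arn:aws-cn:iam::111122223333:user/key-admin"                 # placeholder

def _rec(time, who, source, name, error=None):
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": who}, "resources": [{"ARN": KEY}]}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample in the shape of a CloudTrail log file (not real log data).
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2020-01-01T10:00:00Z", APP, "kms.amazonaws.com", "GenerateDataKey"),
    _rec("2020-01-01T10:00:05Z", APP, "kms.amazonaws.com", "Decrypt"),
    _rec("2020-01-01T10:01:00Z", APP, "kms.amazonaws.com", "PutKeyPolicy", "AccessDenied"),
    _rec("2020-01-01T10:02:00Z", ADMIN, "kms.amazonaws.com", "ScheduleKeyDeletion"),
    _rec("2020-01-01T10:03:00Z", APP, "s3.amazonaws.com", "GetObject"),
]})

def triage(log_text):
    """Return (counts per (principal, class), high-impact changes, failed calls)."""
    counts, changes, failed = Counter(), [], []
    for rec in json.loads(log_text).get("Records", []):
        if not rec.get("eventSource", "").startswith("kms."):
            continue  # not a KMS API request
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        name = rec.get("eventName", "")
        kind = ("management" if name in MANAGEMENT else
                "cryptographic" if name in CRYPTOGRAPHIC else "other")
        counts[(who, kind)] += 1
        if "errorCode" in rec:  # request was rejected, e.g. by the key policy
            failed.append((rec.get("eventTime"), who, name, rec["errorCode"]))
        elif name in HIGH_IMPACT:
            keys = [r.get("ARN") for r in rec.get("resources", [])]
            changes.append((rec.get("eventTime"), who, name, keys))
    return counts, changes, failed
```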