AWS Key Management Service (KMS) gives you centralized control over the encryption keys used to protect your data. Master keys are created as resources in your own account and are used to control access to data encryption keys that encrypt and decrypt your data. You can create new master keys, and easily control who can use or manage them. AWS KMS is integrated with other AWS services making it easy to encrypt data you store in those services and control access to the keys that can decrypt it.

You can manage your master keys from the AWS Management Console or by using the AWS SDK or AWS Command Line Interface (CLI). AWS KMS is integrated with AWS CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when. AWS KMS also enables developers to easily add encryption functionality to their application code either directly through encrypt and decrypt APIs or through its integration with the AWS Encryption SDK.

Government-approved Hardware Protected Keys

AWS KMS is designed so that no one, including the service operators, can retrieve plaintext master keys from the service. The service uses government-approved hardware security modules (HSMs) to protect the confidentiality and integrity of your keys. Your KMS master keys are never transmitted outside of the AWS region in which they were created and can only be used within that region.


To help ensure that your keys are never lost and that your data is always retrievable, KMS stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability.

High Availability

AWS KMS is designed to be a highly available service by using a redundant architecture spanning multiple availability zones in each region. As most AWS services rely on AWS KMS for their ability to encrypt and decrypt customer data, KMS is architected to provide the necessary level of availability to support the rest of AWS and is backed by the AWS KMS Service Level Agreement.

On-demand Scalability

Start with a single master key and add more as you need them. With AWS KMS you can create and manage as many master keys as you need, and you can request an unlimited number of data keys for use in your local applications. We support high request rates at low latency to satisfy your workloads within and outside AWS.

Automatic Key Rotation

You can choose to have AWS KMS automatically rotate your master keys once per year without the need to re-encrypt data that was already encrypted. After rotating keys, KMS automatically saves older versions of your key material so that you can decrypt previously encrypted data.

AWS Service Integration

The following AWS services are integrated with AWS KMS. These services use AWS KMS customer master keys (CMKs) in your account to protect the data that the service receives, stores, or manages for you. Each service lets you choose a CMK that you create and manage, or a CMK that the service creates and manages on your behalf.

Amazon Athena Amazon Neptune AWS CloudTrail
Amazon Aurora Amazon Redshift AWS CodeBuild
Amazon DynamoDB Amazon Relational Database Service (RDS) AWS CodeCommit
Amazon DynamoDB Accelerator (DAX) Amazon S3 AWS Database Migration Service
Amazon EBS Amazon SageMaker AWS Glue
Amazon EC2 Image Builder Amazon Simple Notification Service (SNS) AWS Lambda
Amazon EFS Amazon Simple Queue Service (SQS) AWS Secrets Manager
Amazon ElastiCache Amazon Transcribe AWS Storage Gateway
Amazon Elasticsearch Amazon Workspaces AWS Systems Manager
Amazon Elastic Kubernetes Service (EKS) AWS Backup AWS X-Ray
Amazon EMR AWS Certificate Manager  
Amazon Managed Streaming for Kafka (MSK) AWS Cloud9  

Comprehensive Auditing

If you have AWS CloudTrail enabled for your AWS account, each request you make to AWS KMS is recorded in a log file that is delivered to the Amazon S3 bucket that you specified when you enabled AWS CloudTrail. The information recorded includes details of the user, time, date, API action and, when relevant, the key used.

Learn more about product pricing

See pricing examples and calculate your costs.

Learn more 
Sign up for a free account

Instantly get access to the AWS Free Tier. 

Sign up 
Start building in the console

Get started building with AWS Key Management Service in the AWS Console.

Sign in