Overview

Amazon Key Management Service (KMS) gives you centralized control over the encryption keys used to protect your data. Master keys are created as resources in your own account and are used to control access to data encryption keys that encrypt and decrypt your data. You can create new master keys, and easily control who can use or manage them. Amazon KMS is integrated with other Amazon Web Services services making it easy to encrypt data you store in those services and control access to the keys that can decrypt it.

You can manage your master keys from the Amazon Web Services Management Console or by using the Amazon SDK or Amazon Command Line Interface (CLI). Amazon KMS is integrated with Amazon CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when. Amazon KMS also enables developers to easily add encryption functionality to their application code either directly through encrypt and decrypt APIs or through its integration with the Amazon Web Services Encryption SDK.

Government-approved Hardware Protected Keys

Amazon KMS is designed so that no one, including the service operators, can retrieve plaintext master keys from the service. The service uses government-approved hardware security modules (HSMs) to protect the confidentiality and integrity of your keys. Your KMS master keys are never transmitted outside of the Amazon Web Services region in which they were created and can only be used within that region.

Durability

To help ensure that your keys are never lost and that your data is always retrievable, KMS stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability.

High Availability

Amazon KMS is designed to be a highly available service by using a redundant architecture spanning multiple availability zones in each region. As most Amazon Web Services services rely on Amazon KMS for their ability to encrypt and decrypt customer data, KMS is architected to provide the necessary level of availability to support the rest of Amazon Web Services and is backed by the Amazon KMS Service Level Agreement.

On-demand Scalability

Start with a single master key and add more as you need them. With Amazon KMS you can create and manage as many master keys as you need, and you can request an unlimited number of data keys for use in your local applications. We support high request rates at low latency to satisfy your workloads within and outside Amazon Web Services.

Automatic Key Rotation

You can choose to have Amazon KMS automatically rotate your master keys once per year without the need to re-encrypt data that was already encrypted. After rotating keys, KMS automatically saves older versions of your key material so that you can decrypt previously encrypted data.

Amazon Service Integration

The following Amazon services are integrated with Amazon KMS. These services use Amazon KMS customer master keys (CMKs) in your account to protect the data that the service receives, stores, or manages for you. Each service lets you choose a CMK that you create and manage, or a CMK that the service creates and manages on your behalf.

Amazon Athena Amazon Neptune Amazon CloudTrail
Amazon Aurora Amazon Redshift Amazon CodeBuild
Amazon DynamoDB Amazon Relational Database Service (RDS) Amazon CodeCommit
Amazon DynamoDB Accelerator (DAX) Amazon S3 Amazon Database Migration Service
Amazon EBS Amazon SageMaker Amazon Glue
Amazon EC2 Image Builder Amazon Simple Notification Service (SNS) Amazon Lambda
Amazon EFS Amazon Simple Queue Service (SQS) Amazon Secrets Manager
Amazon ElastiCache Amazon Transcribe Amazon Storage Gateway
Amazon Elasticsearch Amazon Workspaces Amazon Systems Manager
Amazon Elastic Kubernetes Service (EKS) Amazon Backup Amazon X-Ray
Amazon EMR Amazon Certificate Manager Amazon Kinesis Data Streams
Amazon Managed Streaming for Kafka (MSK) Amazon Cloud9 Amazon Kinesis Data Firehose
Amazon Kinesis Data Analytics    

Comprehensive Auditing

If you have Amazon CloudTrail enabled for your Amazon Web Services account, each request you make to Amazon KMS is recorded in a log file that is delivered to the Amazon S3 bucket that you specified when you enabled Amazon CloudTrail. The information recorded includes details of the user, time, date, API action and, when relevant, the key used.

Asymmetric Keys

Amazon KMS provides you the capability to create and use asymmetric CMKs and data key pairs. You can designate a CMK for use as a signing key pair or an encryption key pair. Key pair generation and asymmetric cryptographic operations using these CMKs are performed inside HSMs. You can request the public portion of the asymmetric CMK for use in your local applications, while the private portion never leaves the service.

You can also request the service to generate an asymmetric data key pair. This operation returns a plaintext copy of the public key and private key as well as a copy of the private key encrypted under a symmetric CMK that you specify. You can use the plaintext public or private key in your local application and store the encrypted copy of the private key for future use.

Standard Product Icons (Features) Squid Ink
Learn more about product pricing

See pricing examples and calculate your costs.

Learn more 
Sign up for a free account
Sign up for a free account

Instantly get access to the Amazon Free Tier. 

Sign up 
Standard Product Icons (Start Building) Squid Ink
Start building in the console

Get started building with Amazon Key Management Service in the Amazon Web Services Console.

Sign in