AWS Key Management Service (KMS) gives you centralized control over the encryption keys used to protect your data. Master keys are created as resources in your own account and are used to control access to the data encryption keys that encrypt and decrypt your data. You can create new master keys and easily control who can use or manage them. AWS KMS is integrated with other AWS services, making it easy to encrypt data you store in those services and control access to the keys that can decrypt it.

You can manage your master keys from the AWS Management Console or by using the AWS SDK or AWS Command Line Interface (CLI). AWS KMS is integrated with AWS CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when. AWS KMS also enables developers to easily add encryption functionality to their application code either directly through encrypt and decrypt APIs or through its integration with the AWS Encryption SDK.

Government-approved Hardware Protected Keys

AWS KMS is designed so that no one, including the service operators, can retrieve plaintext master keys from the service. The service uses government-approved hardware security modules (HSMs) to protect the confidentiality and integrity of your keys. Your KMS master keys are never transmitted outside of the AWS region in which they were created and can only be used within that region.


To help ensure that your keys are never lost and that your data is always retrievable, KMS stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability.

High Availability

AWS KMS is designed to be a highly available service by using a redundant architecture spanning multiple availability zones in each region. As most AWS services rely on AWS KMS for their ability to encrypt and decrypt customer data, KMS is architected to provide the necessary level of availability to support the rest of AWS and is backed by the AWS KMS Service Level Agreement.

On-demand Scalability

Start with a single master key and add more as you need them. With AWS KMS you can create and manage as many master keys as you need, and you can request an unlimited number of data keys for use in your local applications. We support high request rates at low latency to satisfy your workloads within and outside AWS.

Automatic Key Rotation

You can choose to have AWS KMS automatically rotate your master keys once per year without the need to re-encrypt data that was already encrypted. After rotating keys, KMS automatically saves older versions of your key material so that you can decrypt previously encrypted data.

AWS Service Integration

AWS KMS is seamlessly integrated with Amazon EBS, Amazon S3, Amazon Relational Database Service (RDS), AWS Systems Manager, and Amazon Aurora. You can easily use KMS master keys to automatically control the encryption of the data you store within these integrated services. The integrated services give you the choice of either managing your own keys or authorizing the service to automatically create keys on your behalf.

Comprehensive Auditing

If you have AWS CloudTrail enabled for your AWS account, each request you make to AWS KMS is recorded in a log file that is delivered to the Amazon S3 bucket that you specified when you enabled AWS CloudTrail. The information recorded includes details of the user, time, date, API action and, when relevant, the key used.
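
As an added example (not AWS code and not part of the original page), the following Python reads the body of a CloudTrail log file, reports who used which KMS key and when, and flags principals outside a per-key allow-list. The account ID, principals, key ARN, log records and the allow-list are constructed for illustration; the field names follow the CloudTrail record format.

```python
import json
from collections import defaultdict

# Constructed values: placeholder account, principals and key (not real data).
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
ALICE = "arn:aws:iam::111122223333:user/alice"
BATCH = "arn:aws:sts::111122223333:assumed-role/batch/job-7"
KEY_RES = [{"type": "AWS::KMS::Key", "ARN": KEY}]
# Constructed CloudTrail log file body with four records.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:02:11Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"arn": ALICE}, "resources": KEY_RES},
    {"eventTime": "2024-01-15T10:05:40Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "userIdentity": {"arn": BATCH}, "resources": KEY_RES},
    {"eventTime": "2024-01-15T10:06:02Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ListKeys", "userIdentity": {"arn": ALICE}},
    {"eventTime": "2024-01-15T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"arn": ALICE}},
]})
NO_KEY = "(no key in record)"

def kms_key_usage(log_text):
    """Map each key ARN to the (time, principal, action) tuples that touched it."""
    usage = defaultdict(list)
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # not a KMS API call
        ident = rec.get("userIdentity", {})
        # Calls made by an AWS service carry invokedBy instead of an ARN.
        who = ident.get("arn") or ident.get("invokedBy") or "unknown"
        keys = [r["ARN"] for r in rec.get("resources", [])
                if r.get("type") == "AWS::KMS::Key" and "ARN" in r] or [NO_KEY]
        for key in keys:
            usage[key].append((rec.get("eventTime"), who, rec.get("eventName")))
    return dict(usage)

def unexpected_use(usage, allowed):
    """Return (key, time, principal, action) for principals not allow-listed for the key."""
    return [(key, t, who, action)
            for key, events in usage.items() if key != NO_KEY
            for t, who, action in events if who not in allowed.get(key, set())]

if __name__ == "__main__":
    for hit in unexpected_use(kms_key_usage(SAMPLE_LOG), {KEY: {ALICE}}):
        print(hit)
```

Requests such as ListKeys name no key, so they are grouped separately rather than dropped; this matches the "when relevant" wording above.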
