AWS Key Management Service (KMS) gives you centralized control over the encryption keys used to protect your data. Master keys are created as resources in your own account and are used to control access to data encryption keys that encrypt and decrypt your data. You can create new master keys, and easily control who can use or manage them. AWS KMS is integrated with other AWS services making it easy to encrypt data you store in those services and control access to the keys that can decrypt it.
You can manage your master keys from the AWS Management Console or by using the AWS SDK or AWS Command Line Interface (CLI). AWS KMS is integrated with AWS CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when. AWS KMS also enables developers to easily add encryption functionality to their application code either directly through encrypt and decrypt APIs or through its integration with the AWS Encryption SDK.
Government-approved Hardware Protected Keys
AWS KMS is designed so that no one, including the service operators, can retrieve plaintext master keys from the service. The service uses government-approved hardware security modules (HSMs) to protect the confidentiality and integrity of your keys. Your KMS master keys are never transmitted outside of the AWS region in which they were created and can only be used within that region.
To help ensure that your keys are never lost and that your data is always retrievable, KMS stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability.
AWS KMS is designed to be a highly available service by using a redundant architecture spanning multiple availability zones in each region. As most AWS services rely on AWS KMS for their ability to encrypt and decrypt customer data, KMS is architected to provide the necessary level of availability to support the rest of AWS and is backed by the AWS KMS Service Level Agreement.
Start with a single master key and add more as you need them. With AWS KMS you can create and manage as many master keys as you need, and you can request an unlimited number of data keys for use in your local applications. We support high request rates at low latency to satisfy your workloads within and outside AWS.
Automatic Key Rotation
You can choose to have AWS KMS automatically rotate your master keys once per year without the need to re-encrypt data that was already encrypted. After rotating keys, KMS automatically saves older versions of your key material so that you can decrypt previously encrypted data.
AWS Service Integration
The following AWS services are integrated with AWS KMS. These services use AWS KMS customer master keys (CMKs) in your account to protect the data that the service receives, stores, or manages for you. Each service lets you choose a CMK that you create and manage, or a CMK that the service creates and manages on your behalf.
|Amazon Athena||Amazon Neptune||AWS CloudTrail|
|Amazon Aurora||Amazon Redshift||AWS CodeBuild|
|Amazon DynamoDB||Amazon Relational Database Service (RDS)||AWS CodeCommit|
|Amazon DynamoDB Accelerator (DAX)||Amazon S3||AWS Database Migration Service|
|Amazon EBS||Amazon SageMaker||AWS Glue|
|Amazon EC2 Image Builder||Amazon Simple Notification Service (SNS)||AWS Lambda|
|Amazon EFS||Amazon Simple Queue Service (SQS)||AWS Secrets Manager|
|Amazon ElastiCache||Amazon Transcribe||AWS Storage Gateway|
|Amazon Elasticsearch||Amazon Workspaces||AWS Systems Manager|
|Amazon Elastic Kubernetes Service (EKS)||AWS Backup||AWS X-Ray|
|Amazon EMR||AWS Certificate Manager|
|Amazon Managed Streaming for Kafka (MSK)||AWS Cloud9|
If you have AWS CloudTrail enabled for your AWS account, each request you make to AWS KMS is recorded in a log file that is delivered to the Amazon S3 bucket that you specified when you enabled AWS CloudTrail. The information recorded includes details of the user, time, date, API action and, when relevant, the key used.