Posted On: May 8, 2023

Amazon Key Management Service (Amazon KMS) lets you create KMS keys that can be used to generate and verify hash-based message authentication codes (HMACs). HMACs are a powerful cryptographic building block that incorporates secret key material within a hash function to create a unique keyed message authentication code. HMAC KMS keys can only be generated and used within government-approved hardware security modules (HSMs). This architecture minimizes the risk of these secret keys being compromised, in contrast to using plaintext HMAC keys in local application software.

HMACs provide a fast way to tokenize or sign data such as web API requests, credit card numbers, bank routing information, or personally identifiable information (PII). Because HMACs use symmetric cryptography, they typically perform better than signing algorithms that use asymmetric cryptography such as RSA or ECC. HMACs are commonly used in several Internet standards and communication protocols, for example JSON Web Tokens (JWT). The KMS keys and the HMAC algorithms in Amazon KMS conform to the industry standard defined in RFC 2104. As with any other type of KMS key, you control who is allowed to perform HMAC operations, and under which conditions, by defining KMS key policies and/or IAM policies.
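The following added example (not from the announcement or the Amazon KMS SDK) writes out the RFC 2104 construction the service conforms to, wraps it in a plaintext-key backend of the kind the announcement contrasts with KMS, and puts the KMS GenerateMac/VerifyMac calls behind the same interface so callers can switch from local keys to HSM-held keys without changing code. The KMS key ID is an assumed placeholder, boto3 credentials are assumed to be configured, and the exception name used for a failed verification is the one the boto3 KMS client exposes.

```python
import hashlib
import hmac


def rfc2104_hmac(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC per RFC 2104: H((K ^ opad) || H((K ^ ipad) || text)).

    Written out so the construction is visible; it must agree byte for
    byte with hmac.new(), which the accompanying assertions check.
    """
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:  # keys longer than the block size are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")  # shorter keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


class LocalHmacBackend:
    """Plaintext key held in application memory: the setup the page contrasts with KMS."""

    def __init__(self, key: bytes):
        self._key = key

    def generate_mac(self, message: bytes) -> bytes:
        return rfc2104_hmac(self._key, message)

    def verify_mac(self, message: bytes, mac: bytes) -> bool:
        # constant-time comparison; a plain == would leak timing information
        return hmac.compare_digest(self.generate_mac(message), mac)


class KmsHmacBackend:
    """Same interface over KMS GenerateMac/VerifyMac; the key never leaves the HSM."""

    def __init__(self, key_id: str, algorithm: str = "HMAC_SHA_256"):
        import boto3  # imported lazily so the local backend runs offline
        self._kms, self._key_id, self._alg = boto3.client("kms"), key_id, algorithm

    def generate_mac(self, message: bytes) -> bytes:
        return self._kms.generate_mac(KeyId=self._key_id, Message=message, MacAlgorithm=self._alg)["Mac"]

    def verify_mac(self, message: bytes, mac: bytes) -> bool:
        try:  # KMS reports a mismatch by raising rather than returning MacValid=False
            return self._kms.verify_mac(KeyId=self._key_id, Message=message, MacAlgorithm=self._alg, Mac=mac)["MacValid"]
        except self._kms.exceptions.KMSInvalidMacException:
            return False
```

Use `KmsHmacBackend("alias/EXAMPLE-HMAC-KEY")` (placeholder alias) in place of `LocalHmacBackend(key)` and the tokenizing or signing code above it stays unchanged; the key policy on that KMS key then decides who may call GenerateMac and VerifyMac.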

The KMS HMAC API is available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and in the Amazon Web Services China (Ningxia) Region, operated by NWCD. Please see the Amazon KMS Developer Guide for an overview of the new HMAC feature.