Back to Catalog
Security, Identity, & Compliance

AWS KMS (Key Management Service)

"Managed service for creating and controlling cryptographic keys."

What is AWS KMS?

AWS Key Management Service (KMS) makes it easy to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications.

Key Concepts

1. Customer Managed Keys (CMK)

  • Keys that you create and manage. You control the rotation policy and who can use them.

2. AWS Managed Keys

  • Keys created by AWS services (e.g., aws/s3) on your behalf. Generally free to use, but less control.

3. Symmetric vs. Asymmetric

  • Symmetric: Same key for encryption and decryption. (Most AWS services use this).
  • Asymmetric: Public/Private key pair (RSA/ECC). Used for signing messages.

4. Envelope Encryption

  • KMS encrypts a Data Key. The Data Key encrypts your actual Massive File (1GB+).
  • KMS itself doesn't encrypt the 1GB file; it encrypts the key that protects the file.

Exam Tips

[!IMPORTANT] KMS vs CloudHSM:

  • KMS: Multi-tenant, shared hardware, lower cost, managed.
  • CloudHSM: Single-tenant, dedicated hardware, industry compliance (FIPS 140-2 Level 3), you manage the hardware.

[!NOTE] Who manages the key? If the question asks about managing encryption keys for S3/EBS/RDS, the answer is KMS.

Common Use Cases

  • EBS Encryption: Encrypting data on your virtual hard drives.
  • S3 Encryption: Encrypting objects uploaded to buckets.
  • Database Encryption: Encrypting RDS DB instances.
AWS WAF
CloudHSM
SWIPE ZONE
< DRAG ME >