
AWS Key Management Service (AWS KMS)

  • 24×7 remote and on-site support
  • Multi-vendor solutions & services
  • Local billing in 33+ countries
  • Competitive Price

AWS Key Management Service (AWS KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

Fully managed - You control access to your encrypted data by defining permissions to use keys while AWS KMS enforces your permissions and handles the durability and physical security of your keys.

Centralized key management - AWS KMS presents a single control point to manage keys and define policies consistently across integrated AWS services and your own applications. You can easily create, import, rotate, delete, and manage permissions on keys from the AWS Management Console or by using the AWS SDK or CLI.

Manage encryption for AWS services - AWS KMS is integrated with AWS services to simplify using your keys to encrypt data across your AWS workloads. You choose the level of access control that you need, including the ability to share encrypted resources between accounts and services. KMS logs all use of keys to AWS CloudTrail to give you an independent view of who accessed your encrypted data, including AWS services using them on your behalf.

Encrypt data in your applications - AWS KMS is integrated with the AWS Encryption SDK to enable you to use KMS-protected data encryption keys to encrypt locally within your applications. Using simple APIs you can also build encryption and key management into your own applications wherever they run.

Digitally sign data - AWS KMS enables you to perform digital signing operations using asymmetric key pairs to ensure the integrity of your data. Recipients of digitally signed data can verify the signatures whether they have an AWS account or not.

Low cost - There is no commitment and no upfront charges to use AWS KMS. You only pay US $1/month to store any key that you create. AWS managed keys that are created on your behalf by AWS services are free to store. You are charged per-request when you use or manage your keys beyond the free tier.

Secure - AWS KMS uses hardware security modules (HSMs) that have been validated under FIPS 140-2, or are in the process of being validated, to generate and protect keys. Your keys are only used inside these devices and can never leave them unencrypted. KMS keys are never shared outside the AWS region in which they were created.

Compliance - The security and quality controls in AWS KMS have been certified under multiple compliance schemes to simplify your own compliance obligations. AWS KMS provides the option to store your keys in single-tenant HSMs in AWS CloudHSM instances that you control.

Built-in auditing - AWS KMS is integrated with AWS CloudTrail to record all API requests, including key management actions and usage of your keys. Logging API requests helps you manage risk, meet compliance requirements and conduct forensic analysis.

How it works


AWS Key Management Service (KMS) gives you centralized control over the cryptographic keys used to protect your data. The service is integrated with other AWS services making it easy to encrypt data you store in these services and control access to the keys that decrypt it. AWS KMS is also integrated with AWS CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when. AWS KMS enables developers to easily add encryption or digital signature functionality to their application code either directly or by using the AWS SDK. The AWS Encryption SDK supports AWS KMS as a root key provider for developers who need to encrypt/decrypt data locally within their applications.

Centralized Key Management - AWS KMS provides you with centralized control over the lifecycle and permissions of your keys. You can create new keys whenever you wish, and you can control who can manage keys separately from who can use them. As an alternative to using keys generated by AWS KMS, you can import keys from your own key management infrastructure*, or use keys stored in your AWS CloudHSM cluster. You can choose automatic rotation of root keys generated in AWS KMS once per year without the need to re-encrypt previously encrypted data. The service automatically keeps older versions of the root key available to decrypt previously encrypted data. You can manage your root keys and audit their usage from the AWS Management Console or by using the AWS SDK or AWS Command Line Interface (CLI).
* The option to import keys is not available for asymmetric keys.

AWS Service Integration - AWS KMS integrates with AWS services to encrypt data at rest, or to facilitate signing and verification using an AWS KMS key. To protect data at rest, integrated AWS services use envelope encryption, where a data key is used to encrypt data, and is itself encrypted under a KMS key stored in AWS KMS. For signing and verification, integrated AWS services use a key pair from an asymmetric KMS key in AWS KMS. For more details about how an integrated service uses AWS KMS, see the documentation for your AWS service.
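
The envelope pattern described above, as an added example (not AWS or AWS Encryption SDK code): the KMS calls GenerateDataKey and Decrypt are modelled by a constructed LocalKeyProvider so the code runs offline, and because the Python standard library has no AES the data cipher is HMAC-SHA256 in counter mode with an HMAC tag, standing in for the AES-GCM a production client would use. What it shows is the structure that matters for security: the bulk data never goes to the key service, the wrapped data key travels with the ciphertext, and nothing in the envelope can be recovered without a Decrypt call against the right key.

```python
import hashlib, hmac, secrets, struct

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks, truncated to n bytes
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC with separate subkeys derived from `key`; returns nonce || ct || tag
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key: bytes, blob: bytes) -> bytes:
    # Reverse of _seal; the tag is checked in constant time before anything is decrypted
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class LocalKeyProvider:
    """Constructed stand-in for a KMS key: wraps data keys, never releases the master key."""
    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)   # in AWS KMS this lives only inside the HSM
    def generate_data_key(self):
        # Like GenerateDataKey: returns (plaintext data key, data key wrapped under master)
        data_key = secrets.token_bytes(32)
        return data_key, _seal(self._master, data_key)
    def decrypt(self, wrapped: bytes) -> bytes:
        # Like Decrypt: the only operation that needs the master key
        return _open(self._master, wrapped)

def envelope_encrypt(kms: LocalKeyProvider, plaintext: bytes) -> bytes:
    data_key, wrapped = kms.generate_data_key()
    body = _seal(data_key, plaintext)                       # bulk data is encrypted locally
    return struct.pack(">H", len(wrapped)) + wrapped + body  # wrapped key travels with the data

def envelope_decrypt(kms: LocalKeyProvider, envelope: bytes) -> bytes:
    n = struct.unpack(">H", envelope[:2])[0]
    data_key = kms.decrypt(envelope[2:2 + n])               # unwrap first, then decrypt locally
    return _open(data_key, envelope[2 + n:])
```

Each call to envelope_encrypt uses a fresh data key, so two envelopes of the same plaintext share nothing but the provider that can unwrap them.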

There are two types of KMS key resources that can be created in your AWS account: (i) An AWS managed KMS key can be created automatically when needed. You can list or inventory AWS Managed KMS keys and receive a record of their use in AWS CloudTrail, but permissions for the resource are managed by the AWS service it was created to be used with. (ii) A customer managed KMS key gives you the highest degree of control over the permissions and lifecycle of the key.

AWS Services Integrated with AWS KMS
  • Alexa for Business[1]
  • Amazon AppFlow
  • Amazon Athena
  • Amazon Aurora
  • Amazon CloudWatch Logs
  • Amazon CloudWatch Synthetics
  • Amazon CodeGuru
  • Amazon Comprehend
  • Amazon Connect
  • Amazon Connect Customer Profiles
  • Amazon Connect Voice ID
  • Amazon Connect Wisdom
  • Amazon DocumentDB
  • Amazon DynamoDB
  • Amazon DynamoDB Accelerator (DAX)[1]
  • Amazon EBS
  • Amazon EC2 Image Builder
  • Amazon EFS
  • Amazon Elastic Container Registry (ECR)
  • Amazon Elastic Kubernetes Service (EKS)
  • Amazon Elastic Transcoder
  • Amazon ElastiCache
  • Amazon OpenSearch
  • Amazon EMR
  • Amazon FinSpace
  • Amazon Forecast
  • Amazon Fraud Detector
  • Amazon FSx
  • Amazon GuardDuty
  • Amazon HealthLake
  • Amazon Inspector
  • Amazon Kendra
  • Amazon Keyspaces (for Apache Cassandra)
  • Amazon Kinesis Data Streams
  • Amazon Kinesis Firehose
  • Amazon Kinesis Video Streams
  • Amazon Lex
  • Amazon Lightsail[1]
  • Amazon Location Service
  • Amazon Lookout for Equipment
  • Amazon Lookout for Metrics
  • Amazon Lookout for Vision
  • Amazon Macie
  • Amazon Managed Blockchain
  • Amazon Managed Service for Prometheus
  • Amazon Managed Streaming for Kafka (MSK)
  • Amazon Managed Workflows for Apache Airflow (MWAA)
  • Amazon MemoryDB
  • Amazon Monitron
  • Amazon MQ
  • Amazon Neptune
  • Amazon Nimble Studio
  • Amazon Personalize
  • Amazon QLDB
  • Amazon Redshift
  • Amazon Rekognition
  • Amazon Relational Database Service (RDS)
  • Amazon Route 53
  • Amazon S3
  • Amazon SageMaker
  • Amazon Simple Email Service (SES)
  • Amazon Simple Notification Service (SNS)
  • Amazon Simple Queue Service (SQS)
  • Amazon Textract
  • Amazon Timestream
  • Amazon Transcribe
  • Amazon Translate
  • Amazon WorkMail
  • Amazon WorkSpaces
  • Amazon WorkSpaces Web
  • AWS Audit Manager
  • AWS Application Cost Profiler
  • AWS Application Migration Service
  • AWS App Runner
  • AWS Backup
  • AWS Certificate Manager[1]
  • AWS Cloud9[1]
  • AWS CloudHSM[2]
  • AWS CloudTrail
  • AWS CodeArtifact
  • AWS CodeBuild
  • AWS CodeCommit[1]
  • AWS CodePipeline
  • AWS Control Tower
  • AWS Database Migration Service
  • AWS Elastic Disaster Recovery
  • AWS Elemental MediaTailor
  • AWS Glue
  • AWS Glue DataBrew
  • AWS IoT SiteWise
  • AWS Lambda
  • AWS License Manager
  • AWS Network Firewall
  • AWS Proton
  • AWS Secrets Manager
  • AWS Snowball
  • AWS Snowball Edge
  • AWS Snowcone
  • AWS Snowmobile
  • AWS Storage Gateway
  • AWS Systems Manager
  • AWS X-Ray

[1] Supports only AWS managed keys.

[2] AWS KMS supports custom key stores backed by an AWS CloudHSM cluster.

[3] For a list of services integrated with AWS KMS in the AWS China (Beijing) Region, operated by Sinnet, and the AWS China (Ningxia) Region, operated by NWCD, please visit AWS KMS Service integration in China.

AWS services not listed above encrypt customer data using keys owned and managed by the respective service.

Audit Capabilities - If you have AWS CloudTrail enabled for your AWS account, each request you make to AWS KMS is recorded in a log file that is delivered to the Amazon S3 bucket that you specified when you enabled AWS CloudTrail. The information recorded includes details of the user, time, date, API action and, when relevant, the key used.
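
An added example (not AWS code) of the forensic use these records enable: triage logic run over constructed CloudTrail records in the shape KMS events take (eventName for the API action, userIdentity.arn for the caller, resources[].ARN for the key, errorCode when the call was refused), flagging sensitive key-management actions, refused attempts, and key use by principals outside an expected allow-list. The key ARN, principals and timestamps are placeholders, and the allow-list matches callers by ARN prefix so every session of an assumed role is covered.

```python
# Constructed CloudTrail records (field names as KMS events carry them; values are made up)
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"   # placeholder key ARN
RECORDS = [
    {"eventTime": "2024-03-01T10:00:05Z", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
     "resources": [{"ARN": KEY}]},
    {"eventTime": "2024-03-01T10:01:17Z", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "resources": [{"ARN": KEY}]},
    {"eventTime": "2024-03-01T10:02:40Z", "eventName": "Decrypt", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "resources": [{"ARN": KEY}]},
    {"eventTime": "2024-03-01T10:05:00Z", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/key-admin"},
     "requestParameters": {"pendingWindowInDays": 7},
     "resources": [{"ARN": KEY}]},
]

# Key-management actions that disable, destroy or re-permission a key; each one can make
# encrypted data unrecoverable or widen who can use it, so every occurrence gets reviewed.
SENSITIVE_ACTIONS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy",
                     "DeleteImportedKeyMaterial", "CreateGrant", "DisableKeyRotation"}

def triage(records, allowed_users):
    """Return findings as (severity, eventName, caller, key, eventTime) tuples.

    allowed_users maps a key ARN to the ARN prefixes of principals expected to use it.
    """
    findings = []
    for r in records:
        name = r.get("eventName")
        caller = r.get("userIdentity", {}).get("arn", "?")
        key = next((x["ARN"] for x in r.get("resources", [])
                    if x.get("ARN", "").startswith("arn:aws:kms:")), "?")
        if name in SENSITIVE_ACTIONS:                      # lifecycle/permission change
            findings.append(("high", name, caller, key, r["eventTime"]))
        elif r.get("errorCode") == "AccessDenied":         # refused: policy held, still worth a look
            findings.append(("medium", name, caller, key, r["eventTime"]))
        elif key in allowed_users and not any(caller.startswith(p) for p in allowed_users[key]):
            findings.append(("high", name, caller, key, r["eventTime"]))   # key used by an outsider
    return findings

if __name__ == "__main__":
    for f in triage(RECORDS, {KEY: {"arn:aws:sts::111122223333:assumed-role/app-role/"}}):
        print(*f)
```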

Scalability, Durability, and High Availability - AWS KMS is a fully managed service. As your use of encryption grows, the service automatically scales to meet your needs. It enables you to manage thousands of KMS keys in your account and to use them whenever you want. It defines default limits for the number of keys and request rates, but you can request increased limits if necessary.

The KMS keys you create or ones that are created on your behalf by other AWS services cannot be exported from the service. Therefore, AWS KMS takes responsibility for their durability. To help ensure that your keys and your data are highly available, it stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability.

If you import keys into the service, you maintain a secure copy of the KMS keys so that you can re-import them if they are not available when you need to use them. If you use the custom key store feature to create your KMS keys in an AWS CloudHSM cluster, encrypted copies of your keys are automatically backed up and you have full control over the recovery process.

For encrypted data or digital signature workflows that move across Regions (disaster recovery, multi-Region high availability architectures, DynamoDB Global Tables, and globally distributed consistent digital signatures), you can create KMS multi-Region keys, a set of interoperable keys with the same key material and key IDs that can be replicated into multiple Regions.
AWS KMS is designed to be a highly available service with a regional API endpoint. As most AWS services rely on it for encryption and decryption, it is architected to provide a level of availability that supports the rest of AWS and is backed by the AWS KMS Service Level Agreement.

Secure - AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext keys from the service. The service uses hardware security modules (HSMs) that have been validated under FIPS 140-2, or are in the process of being validated, to protect the confidentiality and integrity of your keys. Your plaintext keys are never written to disk and are only ever used in the volatile memory of the HSMs for the time needed to perform your requested cryptographic operation. This is true regardless of whether you request AWS KMS to create keys on your behalf, import them into the service, or create them in an AWS CloudHSM cluster using the custom key store feature. Keys created by AWS KMS are never transmitted outside of the AWS region in which they were created and can only be used in the region in which they were created. Updates to the AWS KMS HSM firmware are controlled by multi-party access control that is audited and reviewed by an independent group within Amazon as well as a NIST accredited lab in compliance with FIPS 140-2.

Custom Key Store - AWS KMS provides the option for you to create your own key store using HSMs that you control. Each custom key store is backed by an AWS CloudHSM cluster. When you create a KMS key in a custom key store, the service generates and stores key material for the KMS key in an AWS CloudHSM cluster that you own and manage. When you use a KMS key in a custom key store, the cryptographic operations under that key are performed in your AWS CloudHSM cluster.

KMS keys stored in a custom key store are managed by you like any other KMS key and can be used with any AWS service that integrates with AWS KMS.
The use of a custom key store involves the additional cost of the AWS CloudHSM cluster and makes you responsible for the availability of the key material in that cluster. For guidance on whether custom key stores are a good fit for your requirements you can read this blog.

The Custom Key Store feature is not available in the AWS China (Beijing) Region, operated by Sinnet and the AWS China (Ningxia) Region, operated by NWCD.

Asymmetric Keys - AWS KMS provides you the capability to create and use asymmetric KMS keys and data key pairs. You can designate a KMS key for use as a signing key pair or an encryption key pair. Key pair generation and asymmetric cryptographic operations using these KMS keys are performed inside HSMs. You can request the public portion of the asymmetric KMS key for use in your local applications, while the private portion never leaves the service.
You can also request the service to generate an asymmetric data key pair. This operation returns a plaintext copy of the public key and private key as well as a copy of the private key encrypted under a symmetric KMS key that you specify. You can use the plaintext public or private key in your local application and store the encrypted copy of the private key for future use.

HMAC - You can generate and verify Hash-Based Message Authentication Codes (HMACs) from within KMS’s FIPS 140-2 validated hardware security modules (HSMs). HMACs are a cryptographic building block that incorporates secret key material within a hash function to create a unique keyed message authentication code. HMAC KMS keys provide an advantage over HMACs from application software because the key material is generated and used entirely within AWS KMS, and they are subject to the access controls that you set on the key. The HMAC KMS keys and the HMAC algorithms that AWS KMS uses conform to industry standards defined in RFC 2104. HMAC KMS keys are generated in AWS KMS hardware security modules that are certified under the FIPS 140-2 Cryptographic Module Validation Program (except in the China (Beijing) and China (Ningxia) Regions) and never leave AWS KMS unencrypted.

Compliance - Security and quality controls in AWS KMS have been validated and certified by the following compliance regimes:

  • AWS Service Organization Controls (SOC 1, SOC 2, and SOC 3) Reports. You can download a copy of these reports from AWS Artifact.
  • PCI DSS Level 1. For more details on PCI DSS compliant services in AWS, you can read the PCI DSS FAQs.
  • FIPS 140-2. The AWS KMS cryptographic module is validated, or in the process of being validated, at FIPS 140-2 Level 2 overall with Level 3 for several other categories, including physical security. For more details, you can view the FIPS 140-2 certificate for AWS KMS HSM along with the associated Security Policy.
  • FedRAMP. You can get more details on AWS FedRAMP compliance at FedRAMP Compliance.
  • HIPAA. For more details, you can visit the HIPAA Compliance page.