1. Knowledge base
  3. Amazon Web Services
  5. Amazon Key Management Service (Amazon KMS)

Amazon Key Management Service (Amazon KMS)

Amazon Key Management Service (Amazon KMS) - is a SaaS solution to create and control keys used to encrypt or digitally sign data. Service gives their clients simple and centralized control over the cryptographic keys used to protect clients data. Amazon KMS is integrated out of the box with other AWS services making it easier to encrypt data you store in these services and control access to the keys that decrypt it. Service also supports rotation of the keys. AWS KMS helps developers add encryption or digital signature functionality to their application code. The AWS Encryption SDK has AWS KMS as an encryption key provider for developers who need to encrypt/decrypt almost any locally within their applications.

Key definitions for Amazon Key Management Service (Amazon KMS):

  • Audit Trail Assurance

    AWS CloudTrail enhances the security and compliance of Amazon KMS by providing a complete audit log for each request made to the service. This allows for detailed tracking and analysis of how and when KMS keys are accessed, offering transparency and aiding in forensic investigations.

  • Flexible Key Storage Options

    Amazon KMS offers the versatility of using custom key stores, such as AWS CloudHSM or an external key store (XKS), to house encryption keys. This flexibility allows organizations to choose their key management infrastructure while still leveraging the robustness of KMS for key management.

  • Unmatched Durability

    With a durability uptime of 99.999999999%, AWS KMS ensures that the keys used for encryption are highly available, providing peace of mind that the cryptographic infrastructure is reliable and resilient against data loss.

  • Asymmetric Cryptography

    AWS KMS supports asymmetric key pairs, providing the option for public-key cryptography. However, when using asymmetric keys, clients are restricted from using custom storages such as CloudHSM for key housing, ensuring that these keys are exclusively managed within the AWS KMS environment.

  • HMAC Key and Algorithm Standards

    AWS KMS supports symmetric keys, including HMAC KMS keys, and complies with industry standards for HMAC algorithms as defined in RFC 2104. This standardization assures that the cryptographic operations performed by KMS are secure and recognized across the industry.

  • Compliance Readiness

    Amazon KMS is certified under several compliance frameworks, including SOC 1, SOC 2, and SOC 3, PCI DSS Level 1, FIPS 140-2, FedRAMP, and HIPAA. These certifications validate that KMS adheres to stringent security controls, making it suitable for organizations that require high levels of compliance.

  • Compliance Readiness

    For enhanced disaster recovery and high availability across different geographical areas, AWS KMS allows the creation of multi-Region keys. These keys facilitate the development of robust multi-Region high availability architectures, ensuring that encryption services remain operational even in the event of a regional disruption.

  • Accessible via

    • AWS Management Console
    • AWS SDK
    • AWS Command Line Interface (CLI)

Service integrates with:

Usage use cases

  • Data Security in Applications.

    Amazon Key Management Service (KMS) can be utilized within applications to encrypt sensitive data before it is stored and decrypt it when it is accessed. This use case is crucial for maintaining the confidentiality and integrity of data, especially when dealing with personal information or proprietary business details.

  • Database Protection.

    When using Amazon Relational Database Service (RDS), KMS serves as a key provider to encrypt databases at rest. This ensures that all data stored within an RDS instance is encrypted using keys managed in KMS, providing an additional layer of security and meeting compliance requirements for data protection.

  • Authenticity and Integrity.

    KMS can also be used to digitally sign data within applications. This establishes the authenticity of the data source and maintains the integrity of the data as it ensures that any alterations made after the signature are detectable, thus preventing tampering and unauthorized modifications.

  • Secure Storage on AWS S3.

    For objects stored in AWS S3 buckets, KMS can act as the key provider for server-side encryption. This allows data uploaded to S3 to be automatically encrypted with keys managed and protected by KMS, simplifying the process of securing data at rest in cloud storage and managing encryption keys.

FAQ for Amazon Key Management Service (Amazon KMS)

  • For what purpose can this service be used?

    This service can be used for creation and control of cryptographic keys used to encrypt or digitally sign data.

  • How to control and log all actions with KMS keys and path audit or certification?

    You can enable AWS CloudTrail for AWS KMS and get logs for actions with each key in the service.

  • What type of keys service supports?

    AWS KMS supports symmetric, like HMAC keys and asymmetric key pairs.

  • What durability uptime is provided by service?

    AWS KMS provide 99.999999999% durability uptime.