AWS KMS is a cloud-based key management service that allows you to create and manage keys to encrypt your data. AWS KMS also enables you to rotate encryption keys automatically and audit access to your keys.
In this article, we’ll cover the most important information you need to know about AWS KMS before using it. Let’s get started!
Table of contents
Why use AWS Key Management Service?
AWS KMS is the preferable choice to encrypt any data in any AWS service at rest as it is integrated with AWS services, such as DynamoDB, S3, RDS, SSM, and others AWS services.
AWS KMS is integrated with IAM to control users’ access and services to encryption keys (authorization). Its integration with AWS CloudTrail allows you to audit this access.
Best practice: you should never store any sensitive secret information, for example, passwords or API access credentials, in plain text. Always encrypt sensitive data in the cloud with KMS. For example, you can encrypt environment variables for the AWS Lambda function.
You can use AWS KMS using the following methods:
- AWS Management Console
- AWS CLI
- AWS SDK (Boto3 KMS – Complete Tutorial)
- Infrastructure as Code (IaC) tools:
AWS KMS is a regional AWS service, so all keys created in the KMS are tied to a specific AWS region.
AWS KMS Keys
Symmetric and asymmetric keys are the keys that you’re using in AWS KMS:
Symmetric key
Symmetric KMS key uses the AES-256 encryption standard, which means that only one encryption key is used for encrypting and decrypting operations. AWS KMS stores this key privately, and no one can access this key. You must use AWS CLI or KMS APIs to use this key for encrypting and decrypting operations. Here are examples of encrypting and decrypting files using KMS and the Boto3 library.
Asymmetric keys
Asymmetric keys represent a mathematically related RSA, elliptic curve (ECC), or SM2 (China Regions only) public and private key pair. The key pair’s public key is used for encrypting, and the private key is used for decrypting data. A similar approach is working for the signing and signature verification processes.
When using asymmetric keys, you can download the public key but not the private key.
HMAC key
HMAC KMS key is a symmetric key of varying length used to generate and verify hash-based message authentication codes.
KMS Keys types
There are three types of keys available in AWS KMS:
AWS Managed Keys
AWS Managed Keys are AWS KMS free keys provided to you and managed by AWS. Usually, these keys are created for each service you’re using first time in AWS. For example, the AWS Managed key for encryption of AWS Lambda is called aws/lambda, for RDS encryption, you’ll see an aws/rds key, and so on. AWS automatically manages and rotates these keys for you.
Customer Managed Keys
The Customer Managed Key (CMK), previously Customer Master Key, is the key managed by the customer rather than AWS. AWS customers can create and manage their CMKs in their accounts and use these keys to encrypt and digitally sign data.
Customer Managed Keys support automatic key rotation for additional security. This feature has to be enabled during the key creation process, it sets up key rotation every year automatically, and it can not be changed afterward.
For imported CMKs, you can do only manual key rotation using the key alias.
AWS KMS Pricing
While AWS Managed Keys are free, each CMK will cost you $1/month. You can import your keys (key material) to KMS as a CMK, but only if your key is encrypted using 256-bit symmetric encryption. Additionally, you pay $0.03 per 10,000 API calls to the KMS service.
Cross-region KMS support
As soon as every KMS key is tied to the AWS region where it has been created, previously, you had to create a new KMS key in another AWS region and re-encrypt your data on the fly using the KMS key in another region. Currently, you can rely on Multi-Region KMS keys, a new capability that lets you replicate keys from one AWS region into another. With Multi-Region keys, you can move encrypted data between regions without decrypting and re-encrypt with different keys in each region.

Multi-Region KMS keys are replicated by AWS (not global) to specified regions and have the same key ID, material, and automatic rotation settings. Each Multi-Region key is managed by its policy like any other KMS key.
Note: generally speaking, it is the best practice to keep one KMS key within one AWS region, and you should consider Multi-Master KMS keys for specific cases only, e.g., encryption of DynamoDB Global Tables, Amazon Aurora Global Databases, or global client-side encryption.
Keys Policies
KMS Key Policy is a resource policy for an AWS KMS key, like an S3 Bucket Policy. Key policies are the primary way to control access to KMS keys. Every KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it.
There are two types of KMS Key Policies:
Default KMS Key Policy
The Default KMS Policy policy is automatically assigned to the KM Key if you did not provide your policy document. This policy grants all users in your AWS account the ability to use created key. If you’d like to restrict KMS key usage for a specific user or service in your account, you must use Custom KMS Key Policy.
Custom KMS Key Policy
To restrict access to the KMS key, you must change the default KMS policy and create a KMS Custom Key Policy. This policy defines users and roles that can access the KMS key and who can administer the key. This policy allows you to grant cross-account access to the KMS key, e.g., Replicating Encrypted S3 Objects Across AWS Accounts.
AWS Key Management best practices
AWS Key Management best practices include:
- Encrypting all data at rest using AWS KMS encryption keys.
- Using multi-factor authentication on privileged accounts and applications that use AWS KMS keys.
- Rotating access keys regularly to reduce the risk of any one key being compromised or misused.
- Enabling logging of any activity that uses the AWS KMS API so suspicious activity can be monitored and flagged quickly (AWS CloudTrail).
- Keeping track of who has access to which keys and ensuring only authorized users can access them.
- Restricting IAM user privileges to limit who can make changes to your encryption settings or create new encryption keys.
- Utilizing advanced security policies for further control over certain AWS KMS keys, for example, keys used to encrypt more sensitive data.
Free hands-on AWS workshops
To get additional hands-on experience, we recommend you the following AWS KMS workshops:
Recommended courses
The following Udemy AWS courses will help you learn more about AWS services:
FAQ
What Is KMS On AWS?
AWS KMS (Key Management Service) is a service that enables you to create and manage encryption keys in the AWS cloud. With AWS KMS, you can create, use, and destroy your keys as needed. You can also use AWS KMS to encrypt data with AES-256-bit encryption.
What Are The Three Types Of KMS Keys?
AWS Key Management Service (KMS) supports Symmetric, Asymmetric, and HMAC keys. For more information, check the article above.
What Is The Difference Between KMS And Secrets Manager?
AWS KMS is a key management service that helps you manage, protect, and use your organization’s encryption keys in the AWS cloud. Secrets Manager is a cloud-based secrets management service that helps you store, manage, and control access to your organization’s secrets encrypted by AWS KMS.
Should I Use SSE-S3 Or SSE-KMS For S3 Bucket Encryption?
Starting January 5, 2023, all new object uploads to Amazon S3 will be automatically encrypted at no additional cost and without impacting performance using Server-Side Encryption S3 (SSE-S3). You need to use Server-Side Encryption KMS (SSE-KMS) for S3 bucket encryption if you need advanced controls over who can encrypt/decrypt S3 bucket objects. Additionally, consider SSE-KMS when you need to keep an audit trail of access to your S3 bucket objects. You can read more information about SSE-S3, SSE-KMS, and SSE-C in the “AWS S3 Server Side Encryption: What it is and How it works?” post.
How to re-encrypt the KMS key?
In some scenarios, you might need to change the encryption key for your encrypted data. AWS KMS provides a ReEncrypt
operation for this purpose, allowing you to decrypt data encrypted under one key and re-encrypt it under another key. You can use the aws kms reencrypt
command with the AWS CLI or the corresponding API in AWS SDKs to perform this operation. Re-encrypting data ensures that you maintain control over your encryption keys, allowing you to manage access and adhere to compliance requirements.