AWS Key Management Service (KMS) is a cloud-based key management service that allows you to create and manage keys to encrypt your data. AWS KMS also enables you to rotate encryption keys automatically and audit access to your keys.

In this article, we’ll cover the most important information you need to know about AWS KMS before using it. Let’s get started!

Why use AWS Key Management Service?

AWS KMS is the preferred choice for encrypting data at rest in any AWS service because it is integrated with AWS services such as DynamoDB, S3, RDS, SSM, and others.

AWS KMS is integrated with IAM to control which users and services can access encryption keys (authorization), and its integration with AWS CloudTrail lets you audit that access.

Best practice: never store sensitive information such as passwords or API access credentials in plain text. Always encrypt sensitive data in the cloud with KMS; for example, you can encrypt the environment variables of an AWS Lambda function.

You can use AWS KMS through the following methods:

AWS KMS is a regional AWS service, so all keys created in the KMS are tied to a specific AWS region.

AWS KMS Keys

AWS KMS provides symmetric keys, asymmetric keys, and HMAC keys:

Symmetric key

A symmetric KMS key uses the AES-256 standard: the same key is used for both encryption and decryption. AWS KMS stores the key material privately, and no one can retrieve it; you must use the AWS CLI or the KMS API to encrypt and decrypt with it. Here are examples of encrypting and decrypting files using KMS and the Boto3 library.
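The encrypt/decrypt round trip with Boto3, as an added example that is not code from the original article: the alias `alias/app-secrets`, the region and the encryption context are assumptions, and the KMS client is passed in so the functions can be exercised without AWS access.

```python
"""Encrypt and decrypt a small secret with a symmetric KMS key via Boto3.

Added example, not code from the original article. Assumptions: the alias
"alias/app-secrets" exists and the caller has kms:Encrypt and kms:Decrypt on
it. The KMS client is passed in, so the logic can be exercised with a stub.
"""
import base64

# Direct Encrypt/Decrypt is for small payloads such as passwords or API
# keys; larger files should use envelope encryption (GenerateDataKey).
MAX_DIRECT_PLAINTEXT = 4096


def encrypt_secret(kms, key_id, plaintext, context):
    """Encrypt `plaintext` under `key_id`; returns base64 ciphertext."""
    data = plaintext.encode("utf-8")
    if len(data) > MAX_DIRECT_PLAINTEXT:
        raise ValueError("plaintext too large for kms:Encrypt; use a data key")
    resp = kms.encrypt(KeyId=key_id, Plaintext=data, EncryptionContext=context)
    return base64.b64encode(resp["CiphertextBlob"]).decode("ascii")


def decrypt_secret(kms, key_id, blob_b64, context):
    """Decrypt `blob_b64`; KMS rejects a wrong context or a different key."""
    resp = kms.decrypt(
        KeyId=key_id,  # refuse ciphertext produced under some other key
        CiphertextBlob=base64.b64decode(blob_b64),
        EncryptionContext=context,  # must equal the context used to encrypt
    )
    return resp["Plaintext"].decode("utf-8")


if __name__ == "__main__":
    import boto3  # imported here so the module loads without boto3 installed
    kms = boto3.client("kms", region_name="eu-west-1")  # region: assumption
    ctx = {"app": "billing", "env": "prod"}  # recorded in CloudTrail events
    token = encrypt_secret(kms, "alias/app-secrets", "db-password-123", ctx)
    print(decrypt_secret(kms, "alias/app-secrets", token, ctx))
```

Passing `KeyId` to Decrypt is optional for symmetric keys, but it makes KMS fail closed if the ciphertext was produced under a different key than the one your application expects.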

Asymmetric keys

Asymmetric keys are a mathematically related public/private key pair: RSA, elliptic curve (ECC), or SM2 (China Regions only). The public key is used to encrypt data and the private key to decrypt it. Signing and signature verification work the same way: the private key signs and the public key verifies.

When using asymmetric keys, you can download the public key but not the private key.

HMAC key

An HMAC KMS key is a symmetric key of varying length used to generate and verify hash-based message authentication codes.

KMS Key Types

There are three types of keys available in AWS KMS:

AWS Managed Keys

AWS Managed Keys are free KMS keys that AWS creates and manages for you. Usually, such a key is created the first time you use a service that encrypts data with KMS. For example, the AWS managed key used by AWS Lambda is called aws/lambda, the one for RDS is aws/rds, and so on. AWS manages and rotates these keys automatically.

Customer Managed Keys

A Customer Managed Key (CMK), previously called a Customer Master Key, is a key managed by the customer rather than by AWS. Customers create and manage CMKs in their own accounts and use them to encrypt and digitally sign data.

Customer Managed Keys support automatic key rotation for additional security. This feature has to be enabled during key creation; it then rotates the key automatically every year, and the setting cannot be changed afterward.

For CMKs with imported key material, only manual rotation is possible, done by pointing the key alias at a new key.

AWS KMS Pricing

While AWS Managed Keys are free, each CMK costs $1 per month. You can import your own key (key material) into KMS as a CMK, but only if the key uses 256-bit symmetric encryption. Additionally, you pay $0.03 per 10,000 API calls to KMS.

Cross-region KMS support

Because every KMS key is tied to the AWS region where it was created, you previously had to create a new KMS key in the other region and re-encrypt your data on the fly with that key. Now you can rely on Multi-Region KMS keys, a capability that lets you replicate a key from one AWS region into another. With Multi-Region keys, you can move encrypted data between regions without decrypting it and re-encrypting it with a different key in each region.

Multi-region KMS keys

Multi-Region KMS keys are replicated by AWS to the regions you specify (they are not global keys) and share the same key ID, key material, and automatic rotation settings. Each Multi-Region key is governed by its own key policy like any other KMS key.

Note: generally speaking, it is best practice to keep one KMS key within one AWS region; consider Multi-Region KMS keys only for specific cases, e.g., encryption of DynamoDB Global Tables, Amazon Aurora Global Databases, or global client-side encryption.

Key Policies

A KMS key policy is a resource policy attached to a KMS key, much like an S3 bucket policy. Key policies are the primary way to control access to KMS keys. Every KMS key must have exactly one key policy, and the statements in that policy determine who has permission to use the key and how they may use it.

There are two types of KMS Key Policies:

Default KMS Key Policy

The default key policy is assigned to the KMS key automatically if you do not provide your own policy document. It grants every user in your AWS account the ability to use the key. To restrict key usage to a specific user or service in your account, you must use a custom KMS key policy.

Custom KMS Key Policy

To restrict access to a KMS key, replace the default policy with a custom key policy. A custom policy defines which users and roles can use the key and who can administer it. It also lets you grant cross-account access to the key, e.g., for replicating encrypted S3 objects across AWS accounts.
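A custom key policy of that shape, as an added example that is not the article's own code: it separates key administrators from key users and grants use to a second account. The account IDs, role names and the key ID are placeholders, and `put_key_policy` is the real Boto3 call for applying it.

```python
"""Build a custom KMS key policy that separates key administration from
key use and optionally grants use to another AWS account.
Added example, not from the original article. Account IDs, role names and
the key ID under __main__ are placeholders."""
import json

ADMIN_ACTIONS = [  # manage the key's lifecycle and policy, never use it
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
    "kms:CancelKeyDeletion",
]
USE_ACTIONS = [  # cryptographic operations only
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]

def build_key_policy(account_id, admin_role, user_roles, external_accounts=()):
    """Return a key policy dict; serialise with json.dumps for PutKeyPolicy."""
    def role_arn(name):
        return f"arn:aws:iam::{account_id}:role/{name}"
    statements = [
        {"Sid": "KeyAdministrators", "Effect": "Allow",  # lifecycle only
         "Principal": {"AWS": role_arn(admin_role)},
         "Action": ADMIN_ACTIONS, "Resource": "*"},
        {"Sid": "KeyUsers", "Effect": "Allow",  # crypto operations only
         "Principal": {"AWS": [role_arn(r) for r in user_roles]},
         "Action": USE_ACTIONS, "Resource": "*"},
    ]
    for acct in external_accounts:
        # Cross-account use (e.g. S3 replication). The other account still
        # has to grant these actions to its own principals with IAM policies.
        statements.append({"Sid": f"CrossAccountUse{acct}", "Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{acct}:root"},
                           "Action": USE_ACTIONS, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    import boto3  # imported here so the module loads without boto3
    policy = build_key_policy("111111111111", "KmsKeyAdmins",
                              ["AppServerRole"], ["222222222222"])
    # The caller must itself be allowed by the new policy (here: the admin
    # role), otherwise KMS rejects it under its policy lockout safety check.
    boto3.client("kms").put_key_policy(
        KeyId="1234abcd-12ab-34cd-56ef-1234567890ab",  # placeholder key ID
        PolicyName="default", Policy=json.dumps(policy))
```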

AWS Key Management best practices

AWS Key Management best practices include:

  1. Encrypting all data at rest using AWS KMS encryption keys.
  2. Using multi-factor authentication on privileged accounts and applications that use AWS KMS keys.
  3. Rotating access keys regularly to reduce the risk of any one key being compromised or misused.
  4. Enabling logging of any activity that uses the AWS KMS API so suspicious activity can be monitored and flagged quickly (AWS CloudTrail).
  5. Keeping track of who has access to which keys and ensuring only authorized users can access them.
  6. Restricting IAM user privileges to limit who can make changes to your encryption settings or create new encryption keys.
  7. Utilizing advanced security policies for further control over certain AWS KMS keys, for example, keys used to encrypt more sensitive data.
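Item 4 in practice, as an added example that is not from the article: a small detection pass over constructed CloudTrail records that flags key-weakening KMS operations and repeated Decrypt denials from one identity. The set of sensitive operations, the threshold and the sample records are assumptions.

```python
"""Flag KMS activity in CloudTrail that a defender should review.
Added example, not from the original article. The records below are
constructed samples in CloudTrail's field layout; the set of sensitive
operations and the denial threshold are assumptions for illustration."""
from collections import Counter

# Management calls that disable, weaken or remove a key.
SENSITIVE_EVENTS = {"ScheduleKeyDeletion", "DisableKey", "DisableKeyRotation",
                    "PutKeyPolicy", "DeleteImportedKeyMaterial"}
DENIED_THRESHOLD = 3  # repeated AccessDenied on Decrypt from one identity

def find_alerts(events, denied_threshold=DENIED_THRESHOLD):
    """Return (reason, principal_arn, event_name) tuples, in log order."""
    alerts, denied = [], Counter()
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        name = ev.get("eventName", "")
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        if name in SENSITIVE_EVENTS and not ev.get("errorCode"):
            alerts.append(("sensitive key operation", who, name))
        if name == "Decrypt" and ev.get("errorCode") == "AccessDenied":
            denied[who] += 1
            if denied[who] == denied_threshold:  # alert once per identity
                alerts.append(("repeated Decrypt denials", who, name))
    return alerts

def kms_event(name, arn, error=None):
    """Build a constructed CloudTrail-style record (only the fields used)."""
    ev = {"eventSource": "kms.amazonaws.com", "eventName": name,
          "userIdentity": {"arn": arn}}
    if error:
        ev["errorCode"] = error
    return ev

APP = "arn:aws:sts::111111111111:assumed-role/AppRole/i-0abc"  # constructed
ADMIN = "arn:aws:iam::111111111111:user/alice"                  # constructed
SAMPLE_LOG = [
    kms_event("Decrypt", APP),
    kms_event("DisableKey", ADMIN),
    kms_event("Decrypt", APP, "AccessDenied"),
    kms_event("Decrypt", APP, "AccessDenied"),
    kms_event("ScheduleKeyDeletion", ADMIN, "AccessDenied"),  # failed call
    kms_event("Decrypt", APP, "AccessDenied"),
]

if __name__ == "__main__":
    for reason, who, name in find_alerts(SAMPLE_LOG):
        print(f"{reason}: {name} by {who}")
```

Denied management calls such as the failed ScheduleKeyDeletion above are not alerted here, but they are still worth a look when the caller is not one of the key's administrators.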

Free hands-on AWS workshops

To get additional hands-on experience, we recommend the following AWS KMS workshops: