AWS Key Management Service (KMS)

Centralized keys, envelope encryption, and service-native encryption integrations

Key types

Type | Use case | Notes
---- | -------- | -----
Symmetric (AES-256) | Encrypt/decrypt data; most AWS service integrations. | Single key for encrypt and decrypt; highest performance for bulk data.
Asymmetric (RSA, ECC) | Sign/verify, or encrypt/decrypt with a public/private key pair. | Common for code signing, TLS cert operations, external parties holding public keys.
HMAC | Generate and verify message authentication codes. | Used where a symmetric MAC is required; KMS keeps the secret key material.

Key hierarchy (visual)

┌─────────────────────────────┐
│ AWS KMS (FIPS endpoints)    │
│ Customer master key (CMK)   │
│ — key policy + IAM + grants │
└──────────────┬──────────────┘
               │ protects
               ▼
┌─────────────────────────────┐
│ Data encryption key         │
│ (DEK) — per object /        │
│ session, short-lived        │
└──────────────┬──────────────┘
               │ encrypts
               ▼
┌─────────────────────────────────────────────────────────┐
│ Ciphertext + encrypted DEK (blob) stored in S3 / EBS /  │
│ RDS / Secrets Manager / application memory              │
└─────────────────────────────────────────────────────────┘

CMKs never leave KMS in plaintext. Applications or AWS services request GenerateDataKey / Decrypt over TLS.

Envelope encryption flow

1. Client calls KMS: GenerateDataKey(KeyId=CMK)
2. KMS returns { plaintextDEK, encryptedDEK }
3. App encrypts the large payload locally with plaintextDEK (AES-GCM)
4. App discards plaintextDEK from memory
5. Store: ciphertext || encryptedDEK (or the service stores it for you)
6. Decrypt: KMS Decrypt(encryptedDEK) → plaintextDEK → decrypt data

This limits KMS API calls, reduces latency, and keeps bulk encryption off the HSM boundary except for the small DEK wrap/unwrap.

Integration with AWS services

Service | How KMS fits
------- | ------------
Amazon S3 | SSE-KMS (per-object keys derived/wrapped with your CMK); bucket default encryption.
Amazon EBS | Volume encryption uses KMS keys; snapshots inherit encryption context.
Amazon RDS | Storage encryption at rest with a KMS key; Transparent Data Encryption workflows.
CodePipeline / CodeBuild | Encrypt artifacts (S3 SSE-KMS); credentials in Secrets Manager with a KMS CMK.

Key policies

Every CMK has a key policy (resource-based). It must allow the account root (or equivalent) to administer the key. Combine with IAM policies and grants for least-privilege:

  • Separate admin vs usage principals.
  • Use encryption context in application code to bind ciphertext to intent (tenant ID, bucket, object version).
  • Prefer alias rotation patterns over re-encrypting everything when changing human processes.
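The envelope flow (steps 1 to 6 above) together with the encryption-context binding from the key-policy list, as an added Go example that is not from this page or from AWS: FakeKMS is an assumed stand-in for the KMS GenerateDataKey/Decrypt API so the round trip runs offline, the names FakeKMS, seal, open, EnvelopeEncrypt and EnvelopeDecrypt are invented here, and the context canonicalisation via fmt.Sprint is this fake's own shortcut, not how KMS serialises context.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// FakeKMS stands in for AWS KMS (added example, not AWS code); Master never leaves it.
type FakeKMS struct{ Master []byte }
// aad canonicalises the encryption context (fmt sorts map keys) to bind it to the DEK wrap as GCM AAD.
func aad(ctx map[string]string) []byte { return []byte(fmt.Sprint(ctx)) }
// seal and open: AES-GCM with a random 12-byte nonce prefixed to the blob.
func seal(key, pt, ad []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key); if err != nil { return nil, err }
	g, _ := cipher.NewGCM(blk)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, pt, ad), nil
}
func open(key, blob, ad []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key); if err != nil { return nil, err }
	g, _ := cipher.NewGCM(blk)
	if len(blob) < g.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], ad)
}
// GenerateDataKey (steps 1-2): fresh 256-bit DEK, returned in plaintext and wrapped under Master.
func (k FakeKMS) GenerateDataKey(ctx map[string]string) (dek, wrapped []byte, err error) {
	dek = make([]byte, 32)
	if _, err = rand.Read(dek); err != nil { return nil, nil, err }
	wrapped, err = seal(k.Master, dek, aad(ctx))
	return dek, wrapped, err
}
// Decrypt unwraps a DEK; a wrong master key or a changed context fails the GCM tag check.
func (k FakeKMS) Decrypt(w []byte, ctx map[string]string) ([]byte, error) { return open(k.Master, w, aad(ctx)) }
// EnvelopeEncrypt (steps 3-5): seal bulk data locally, zero the plaintext DEK, return ct and encDEK.
func EnvelopeEncrypt(k FakeKMS, ctx map[string]string, data []byte) ([]byte, []byte, error) {
	dek, encDEK, err := k.GenerateDataKey(ctx)
	if err != nil { return nil, nil, err }
	ct, err := seal(dek, data, nil)
	for i := range dek { dek[i] = 0 }
	return ct, encDEK, err
}
// EnvelopeDecrypt (step 6): KMS unwraps the DEK, then the app decrypts locally.
func EnvelopeDecrypt(k FakeKMS, ctx map[string]string, ct, encDEK []byte) ([]byte, error) {
	dek, err := k.Decrypt(encDEK, ctx)
	if err != nil { return nil, err }
	return open(dek, ct, nil)
}
```

Because the context is authenticated data on the DEK wrap rather than on the payload, a Decrypt call with a different tenant or bucket fails before any bulk data is touched.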

Key rotation

Automatic key rotation (where supported) rotates backing material for customer-managed symmetric keys on a periodic schedule while preserving the same key ARN. Old material is retained for decrypting existing ciphertext.

Manual rotation: create a new CMK, re-encrypt or dual-encrypt, update aliases—needed for major lifecycle events or algorithm changes.

Best practices