AWS Key Management Service

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the cryptographic keys that are used to protect your data. AWS KMS uses hardware security modules (HSMs) to protect and validate your AWS KMS keys under the FIPS 140-2 Cryptographic Module Validation Program. The China (Beijing) and China (Ningxia) Regions do not support the FIPS 140-2 Cryptographic Module Validation Program; AWS KMS uses certified HSMs to protect KMS keys in China Regions.
AWS KMS integrates with most AWS services that encrypt your data. AWS KMS also integrates with AWS CloudTrail to log use of your KMS keys for auditing, regulatory, and compliance needs.

AWS KMS keys

AWS KMS keys (KMS keys) are the primary resource in AWS KMS. You can use a KMS key to encrypt, decrypt, and re-encrypt data. It can also generate data keys that you can use outside of AWS KMS. Typically, you'll use symmetric encryption KMS keys, but you can create and use asymmetric KMS keys for encryption or signing, and create and use HMAC KMS keys to generate and verify HMAC tags.
Note
AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term.
An AWS KMS key is a logical representation of a cryptographic key. A KMS key contains metadata, such as the key ID, key spec, key usage, creation date, description, and key state. Most importantly, it contains a reference to the key material that is used when you perform cryptographic operations with the KMS key.
Key material is the string of bits used in a cryptographic algorithm. Secret key material must be kept secret to protect the cryptographic operations that use it. Public key material is designed to be shared.

Customer keys and AWS keys

The KMS keys that you create are customer managed keys. AWS services that use KMS keys to encrypt your service resources often create keys for you. KMS keys that AWS services create in your AWS account are AWS managed keys. KMS keys that AWS services create in a service account are AWS owned keys.

Customer managed keys

The KMS keys that you create are customer managed keys. Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the KMS keys, and scheduling the KMS keys for deletion.
Customer managed keys appear on the Customer managed keys page of the AWS Management Console for AWS KMS. To definitively identify a customer managed key, use the DescribeKey operation. For customer managed keys, the value of the KeyManager field of the DescribeKey response is CUSTOMER.
You can use your customer managed key in cryptographic operations and audit usage in AWS CloudTrail logs. In addition, many AWS services let you specify a customer managed key to protect the data stored and managed for you.
Customer managed keys incur a monthly fee and a fee for use in excess of the free tier. They are counted against the AWS KMS resource quotas for your account.

AWS managed keys

AWS managed keys are KMS keys in your account that are created, managed, and used on your behalf by an AWS service that integrates with AWS KMS.
Some AWS services let you choose an AWS managed key or a customer managed key to protect your resources in that service. In general, unless you are required to control the encryption key that protects your resources, an AWS managed key is a good choice. You don't have to create or maintain the key or its key policy, and there's never a monthly fee for an AWS managed key.
You have permission to view the AWS managed keys in your account, view their key policies, and audit their use in AWS CloudTrail logs. However, you cannot change any properties of AWS managed keys, rotate them, change their key policies, or schedule them for deletion. And, you cannot use AWS managed keys in cryptographic operations directly; the service that creates them uses them on your behalf.
AWS managed keys appear on the AWS managed keys page of the AWS Management Console for AWS KMS. You can also identify AWS managed keys by their aliases, which have the format aws/service-name, such as aws/redshift. To definitively identify an AWS managed key, use the DescribeKey operation. For AWS managed keys, the value of the KeyManager field of the DescribeKey response is AWS.
All AWS managed keys are automatically rotated every year. You cannot change this rotation schedule.
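The DescribeKey check described above, as an added example that is not part of the original page: it sorts keys by the KeyManager field (the definitive test) and keeps the aws/service-name alias pattern as a heuristic only. The metadata records, key IDs and descriptions are constructed placeholders; audit_account_keys assumes a boto3 KMS client whose caller holds kms:ListKeys and kms:DescribeKey.

```python
"""Classify KMS keys as customer managed or AWS managed from DescribeKey output."""
from typing import Dict, Iterable, List

# Constructed DescribeKey KeyMetadata records; IDs and descriptions are placeholders.
SAMPLE_KEY_METADATA = [
    {"KeyId": "11111111-2222-3333-4444-555555555555", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled", "Description": "application data key"},
    {"KeyId": "66666666-7777-8888-9999-000000000000", "KeyManager": "AWS",
     "KeyState": "Enabled", "Description": "service-created key"},
    {"KeyId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "KeyManager": "CUSTOMER",
     "KeyState": "PendingDeletion", "Description": "retired key"},
]


def key_category(meta: Dict) -> str:
    """Map the KeyManager value of a DescribeKey response to a key category."""
    manager = meta.get("KeyManager")
    if manager == "CUSTOMER":
        return "customer managed"
    if manager == "AWS":
        return "AWS managed"
    # Keys that live in a service account never appear in your own ListKeys output,
    # so anything else here is malformed input rather than a third category.
    return "unknown"


def alias_suggests_aws_managed(alias_name: str) -> bool:
    """Heuristic only: AWS managed key aliases have the form aws/<service-name>.

    ListAliases returns names with an 'alias/' prefix, so both spellings are accepted.
    """
    return alias_name.startswith("alias/aws/") or alias_name.startswith("aws/")


def summarize(metas: Iterable[Dict]) -> Dict[str, List[str]]:
    """Group key IDs by category; only the customer managed group is yours to rotate,
    re-policy or schedule for deletion."""
    groups: Dict[str, List[str]] = {}
    for meta in metas:
        groups.setdefault(key_category(meta), []).append(meta["KeyId"])
    return groups


def audit_account_keys(kms) -> Dict[str, List[str]]:
    """Run the same check against a live account; `kms` is a boto3 KMS client (assumed)."""
    metas = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            metas.append(kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"])
    return summarize(metas)


if __name__ == "__main__":
    print(summarize(SAMPLE_KEY_METADATA))
```

To run it against a real account, pass boto3.client("kms") to audit_account_keys.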
Customer vs AWS keys

| Type of KMS key | Can view KMS key metadata | Can manage KMS key | Used only for my AWS account | Automatic rotation | Pricing |
| --- | --- | --- | --- | --- | --- |
| Customer managed key | Yes | Yes | Yes | Optional. Every year (approximately 365 days) | Monthly fee (pro-rated hourly); per-use fee |
| AWS managed key | Yes | No | Yes | Required. Every year (approximately 365 days) | No monthly fee; per-use fee (some AWS services pay this fee for you) |
| AWS owned key | No | No | No | Varies | No fees |

Custom key stores

A key store is a secure location for storing cryptographic keys. The default key store in AWS KMS also supports methods for generating and managing the keys that it stores. By default, the cryptographic key material for the AWS KMS keys that you create in AWS KMS is generated in and protected by hardware security modules (HSMs) that are validated under the FIPS 140-2 Cryptographic Module Validation Program. Key material for your KMS keys never leaves the HSMs unencrypted.
However, if you require even more control of the HSMs, you can create a custom key store.
A custom key store is a logical key store within AWS KMS that is backed by a key manager outside of AWS KMS that you own and manage. Custom key stores combine the convenient and comprehensive key management interface of AWS KMS with the ability to own and control the key material and cryptographic operations. When you use a KMS key in a custom key store, the cryptographic operations are performed by your key manager using your cryptographic keys. As a result, you assume more responsibility for the availability and durability of cryptographic keys, and for the operation of the HSMs.
AWS KMS supports two types of custom key stores.
An AWS CloudHSM key store is an AWS KMS custom key store backed by an AWS CloudHSM cluster. When you create a KMS key in your AWS CloudHSM key store, AWS KMS generates a 256-bit, persistent, non-exportable Advanced Encryption Standard (AES) symmetric key in the associated AWS CloudHSM cluster. This key material never leaves your AWS CloudHSM cluster unencrypted. When you use a KMS key in an AWS CloudHSM key store, the cryptographic operations are performed in the HSMs in the cluster. AWS CloudHSM clusters are backed by hardware security modules (HSMs) certified at FIPS 140-2 Level 3.
An external key store is an AWS KMS custom key store backed by an external key manager outside of AWS that you own and control. When you use a KMS key in your external key store, all encryption and decryption operations are performed by your external key manager using your cryptographic keys. External key stores are designed to support a variety of external key managers from different vendors.
AWS KMS never directly views, accesses, or interacts with your external key manager or cryptographic keys. When you encrypt or decrypt with a KMS key in an external key store, the operation is performed by your external key manager using your external keys. You retain full control over your cryptographic keys, including the ability to refuse or halt a cryptographic operation without interacting with AWS. However, because of network distance and extra processing, KMS keys in an external key store might have higher latency and lower throughput, and might have different availability characteristics than KMS keys with key material in AWS KMS. For more information about key managers compatible with the AWS KMS external key store feature, see the AWS Key Management Service FAQs.