AWS KMS
Managed service for creating and controlling encryption keys
KMS is like a high-security vault for encryption keys. Imagine you have a diary with a lock, and you need to keep the key safe. You could hide it under your mattress (risky), or you could put it in a bank vault where it's protected by guards, cameras, and alarms. KMS is that vault for your encryption keys. When you encrypt data (EBS volumes, S3 objects, RDS databases), KMS stores and manages the keys. You never see the actual key; you just tell KMS 'encrypt this' or 'decrypt that,' and KMS does it securely. KMS integrates with most AWS services, making encryption easy and automatic.
KMS manages customer master keys (CMKs, now called KMS keys) used to encrypt data. KMS keys never leave KMS; all encryption/decryption happens within KMS's FIPS 140-2 validated hardware security modules (HSMs). You can use AWS-managed keys (free, automatic rotation), customer-managed keys (you control rotation, policies), or import your own keys. KMS supports envelope encryption: data is encrypted with a data key, and the data key is encrypted with a KMS key.
Key Capabilities
Key features: automatic key rotation (annual), key policies (control who can use keys), grants (temporary permissions), and CloudTrail logging (audit all key usage).
Gotchas & Constraints
Gotcha #1: KMS has request rate limits (5,500-30,000 requests/second depending on region); high-volume encryption can hit limits. Use data key caching or request limit increases.
Gotcha #2: Deleting a KMS key is irreversible after the waiting period (7-30 days); all data encrypted with that key becomes unrecoverable.
Constraints: KMS keys are regional (must replicate for multi-region), maximum 4KB data size for direct encryption (use envelope encryption for larger data), and cross-account access requires key policies and IAM policies.
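Added example (not from the page): envelope encryption against the 4KB direct-encryption limit, in Go. Real KMS calls need credentials and a network, so FakeKMS here is a local stand-in for kms:Encrypt and kms:Decrypt whose key never leaves the struct; FakeKMS, NewFakeKMS, EnvelopeEncrypt and EnvelopeDecrypt are names chosen for this example, and AES-256-GCM is this example's wrapping cipher, not a statement about KMS internals.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// FakeKMS stands in for the KMS API: like a KMS key inside the HSMs, kek never leaves it.
type FakeKMS struct{ kek []byte }

func NewFakeKMS() *FakeKMS   { return &FakeKMS{kek: randBytes(32)} }
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func gcm(key []byte) cipher.AEAD { // errors ignored: every key here is our own 32-byte value
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	return g
}
func seal(key, pt []byte) []byte { // AES-256-GCM, random 12-byte nonce prepended to ciphertext
	nonce := randBytes(12)
	return gcm(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}

// Encrypt models kms:Encrypt, which refuses plaintext larger than 4 KB (the page's constraint).
func (k *FakeKMS) Encrypt(pt []byte) ([]byte, error) {
	if len(pt) > 4096 {
		return nil, fmt.Errorf("kms: %d-byte plaintext exceeds the 4096-byte limit", len(pt))
	}
	return seal(k.kek, pt), nil
}

// Decrypt models kms:Decrypt; it unwraps data keys as well as directly encrypted data.
func (k *FakeKMS) Decrypt(ct []byte) ([]byte, error) { return open(k.kek, ct) }

// EnvelopeEncrypt handles any size: a fresh data key encrypts the bulk data locally and only
// that 32-byte key goes to KMS (real KMS does both in GenerateDataKey). Store wrappedKey with ct.
func EnvelopeEncrypt(k *FakeKMS, pt []byte) (wrappedKey, ct []byte) {
	dataKey := randBytes(32)
	wrappedKey, _ = k.Encrypt(dataKey) // cannot fail: 32 bytes is far under the 4 KB cap
	return wrappedKey, seal(dataKey, pt)
}

// EnvelopeDecrypt makes one KMS call to unwrap the data key, then decrypts locally.
func EnvelopeDecrypt(k *FakeKMS, wrappedKey, ct []byte) ([]byte, error) {
	dataKey, err := k.Decrypt(wrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, ct)
}
```

Because only the wrapped data key is tied to the KMS key, a key in another account or region cannot unwrap it, and the same pattern is what data key caching reuses to stay under the request rate limits.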
A healthcare company must encrypt all patient data per HIPAA requirements. They use KMS to create customer-managed keys for different data types: one for EBS volumes, one for S3 buckets, one for RDS databases. When they create an RDS instance, they specify the KMS key; RDS automatically encrypts data at rest. For S3, they enable default encryption with KMS, so all objects are encrypted automatically on upload. They set key policies restricting key usage to specific IAM roles; only the application role can decrypt patient data, not developers. KMS logs all key usage to CloudTrail, so they can audit who decrypted what and when. For disaster recovery, they create multi-region keys that replicate to a secondary region. When they need to share encrypted data with a partner, they use KMS grants to give temporary decrypt permissions that expire after 24 hours.
The Result
Comprehensive encryption, centralized key management, and a full audit trail for compliance.