AWS KMS
AWS Key Management Service (KMS) is a managed service for creating and controlling cryptographic keys used to encrypt your data. It integrates with most AWS services to provide encryption at rest and in transit.
Key Concepts
- Customer Master Keys (CMKs): The primary resources in KMS
- Data Keys: Keys used to encrypt actual data, themselves encrypted by CMKs
- Envelope Encryption: Pattern of encrypting data with data keys, then encrypting data keys with CMKs
- Key Policies: Resource-based policies controlling access to keys
Key Types
| Type | Managed By | Use Case |
|---|---|---|
| AWS managed | AWS | Automatic encryption (S3, EBS, etc.) |
| Customer managed | You | Full control, auditing, rotation |
| Custom key stores | You | HSM-backed for compliance requirements |
How Envelope Encryption Works
- Request a data key from KMS
- KMS returns plaintext key + encrypted key
- Encrypt your data with the plaintext key
- Store the encrypted data + encrypted key
- Discard the plaintext key
This approach keeps CMKs secure in KMS while enabling efficient encryption of large datasets.
AWS Service Integration
KMS integrates with:
- S3: Server-side encryption
- DynamoDB: Encryption at rest
- RDS: Database encryption
- Lambda: Environment variable encryption
- EBS: Volume encryption
What We Like
- Simplicity: Encryption without managing HSMs
- Compliance: Supports regulatory requirements (HIPAA, PCI, SOC)
- Auditing: CloudTrail logs all key usage
- Automatic rotation: Annual key rotation for customer managed keys
What We Don't Like
- Cost per request: API calls add up at high volumes
- Regional: Keys exist in a single region (though multi-region keys now available)
- Key deletion: 7-30 day waiting period, no recovery after
Best Practices
- Use customer managed keys for sensitive data requiring audit trails
- Enable key rotation for compliance and security
- Restrict key policies using least privilege
- Separate keys by environment (dev, staging, production)