AWS Key Management Service (KMS) is a managed service that enables you to create and control “Keys” used for cryptographic operations. AWS KMS is a key component of AWS Security.


Key Terms


Encryption is the process of encoding data using an algorithm. The algorithm is applied to the data, usually together with a parameter (known as a Key).

  • The process of decoding is called Decryption


A Key is the parameter that encryption algorithms use to encode the data.


Symmetric and Asymmetric Encryption

  • In Symmetric encryption, the same key is used to encrypt and decrypt the data.
  • In Asymmetric encryption, the key used to encrypt the data is different from the key used to decrypt the data.
    • Typically, the key used to encrypt data is made publicly available by the owner
      • It’s called the Public Key
      • You use the Public Key of the intended recipient to encrypt data for them.
    • The key used to decrypt the data is available only to the intended reader – the Private Key

The following illustration shows the differences:

[Illustration: Symmetric and Asymmetric Encryption]


Customer Master Key (CMK)

The CMK is the main element of KMS – it is a logical representation of a master key. A CMK contains:

  • Meta-data such as Key ID, Creation Date, Description, Key State
  • Key Material – secret-sauce component that is used to encrypt and decrypt data
    • Key Material may be created by KMS, by an external party (such as you), or using a Custom Key Store (CloudHSM)
  • KMS supports symmetric and asymmetric CMKs
  • A Symmetric CMK represents a 256-bit key that is used for encryption and decryption
  • An Asymmetric CMK represents an RSA key-pair that is used for encryption and decryption or signing and verification (but not both), or an elliptic curve (ECC) key-pair that is used for signing and verification.
  • Symmetric CMKs and the private keys of asymmetric CMKs never leave KMS unencrypted.


There are three types of CMKs:

  • Customer managed CMKs are the CMKs that you create, own, and manage.
    • You control every aspect of it.
    • There is a fee associated with customer managed CMKs
  • AWS managed CMKs are created, managed, and used on your behalf by an AWS service.
    • Exist in your Account
    • Some services only support AWS managed CMKs
    • There is no fee for AWS managed CMKs (unless used in excess)
  • AWS owned CMKs are a collection of CMKs that an AWS service owns and manages for use in multiple AWS accounts.
    • These are not specific to your Account


Data Keys – these are encryption keys that you use to encrypt your data.

  • You can use KMS CMKs to generate, encrypt, and decrypt Data Keys, but Data Keys are not stored in KMS.
  • You use and manage Data Keys outside KMS
  • Envelope encryption is when you encrypt your data with a Data Key, and then encrypt the Data Key with a CMK that is stored securely in KMS
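
The envelope-encryption flow described above, as an added example that is not part of the original page, written in Ruby with only the standard `openssl` library. `LocalKms` and `Gcm` are hypothetical local stand-ins rather than the AWS SDK, AES-256-GCM is an assumed cipher choice, and the 4096-byte cap mirrors the 4 KB direct-encryption limit this page lists under Key Points.

```ruby
require 'openssl'

module Gcm # assumed cipher: AES-256-GCM; blob = iv (12) || ciphertext || tag (16)
  def self.seal(key, plaintext)
    c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    c.key = key
    iv = c.random_iv
    c.auth_data = ''
    iv + c.update(plaintext) + c.final + c.auth_tag
  end

  def self.unseal(key, blob) # raises CipherError on a wrong key or altered blob
    c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    c.key = key
    c.iv = blob.byteslice(0, 12)
    c.auth_tag = blob.byteslice(-16, 16)
    c.auth_data = ''
    c.update(blob.byteslice(12, blob.bytesize - 28)) + c.final
  end
end

# Hypothetical in-process stand-in for KMS (not the AWS SDK); the CMK stays inside.
class LocalKms
  def initialize
    @cmk = OpenSSL::Random.random_bytes(32) # symmetric 256-bit CMK
  end

  def encrypt(plaintext) # direct CMK encryption, capped at 4 KB
    raise ArgumentError, 'over 4 KB, use a data key' if plaintext.bytesize > 4096
    Gcm.seal(@cmk, plaintext)
  end

  def decrypt(blob)
    Gcm.unseal(@cmk, blob)
  end

  def generate_data_key # => [plaintext data key, same key encrypted under the CMK]
    key = OpenSSL::Random.random_bytes(32)
    [key, encrypt(key)]
  end
end

def envelope_encrypt(kms, data) # data key encrypts the data; CMK encrypts the data key
  data_key, wrapped_key = kms.generate_data_key
  { wrapped_key: wrapped_key, ciphertext: Gcm.seal(data_key, data) }
end

def envelope_decrypt(kms, envelope)
  Gcm.unseal(kms.decrypt(envelope[:wrapped_key]), envelope[:ciphertext])
end
```

The stored envelope holds the data key only in encrypted form, so reading the data always requires a decrypt call to the key service, which is the call that shows up in the key-usage logs.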


FIPS 140-2 – Federal Information Processing Standard Publication 140-2 (aka FIPS PUB 140-2) is a U.S. government computer security standard used to approve cryptographic modules


AWS CloudHSM is a cloud-based Hardware Security Module (HSM) that allows you to create, store and use your own encryption keys on AWS.

  • CloudHSM is implemented on FIPS 140-2 Level 3 validated hardware.
  • CloudHSM resides on single-tenant hardware, as compared to KMS – which resides on multi-tenant hardware.


Key Points

  • KMS is a fully managed service – there is no underlying infrastructure to be managed by you.
    • KMS leverages Hardware Security Modules (HSMs) that are FIPS 140-2 compliant.
  • KMS is highly available.
  • KMS is a Regional service – CMKs created in a Region never leave that Region.
  • KMS is well-integrated with other AWS services.
  • KMS can encrypt up to 4 KB of Data with a CMK.
  • Via CloudTrail, KMS provides you with logs of all Key usage – useful for auditing and compliance purposes.
  • You can use KMS with AWS Encryption SDK to do data encryption in your applications.
  • KMS can automatically perform rotation of master keys once per year, without the need to re-encrypt previously encrypted data.
  • KMS allows you to create your own Key Store using HSMs that you control.
    • Creation, Storage and Operations using your CMK happen on the CloudHSM cluster
  • KMS supports Asymmetric Keys (in select Regions).
  • KMS is compliant with PCI DSS Level 1, FIPS 140-2 (Level 2 overall, and Level 3 in some categories), FedRAMP, and HIPAA (eligible).



KMS is billed for the following components:

  • CMKs – $1 per CMK per month
    • Enabling annual rotation adds $1 per CMK each year (to cover cost of previous versions which continue to exist)
  • Key Usage – per 10,000 requests
    • Price varies by request type (e.g., simple requests versus requests involving RSA 2048 keys)
    • There is a Free tier of 20,000 requests per month (cumulative across all Regions)
  • Custom Key Store – price based on underlying CloudHSM cluster infrastructure