AWS Key Management Service provides you with centralized control of your encryption keys. You can easily create, import, and rotate keys as well as define usage policies and audit usage from the AWS Management Console or by using the AWS SDK or CLI. The master keys in KMS, whether imported by you or created on your behalf by KMS, are stored in highly durable storage in an encrypted format to help ensure that they can be retrieved when needed. You can choose to have KMS automatically rotate master keys created in KMS once per year without the need to re-encrypt data that has already been encrypted with your master key. You don’t need to keep track of older versions of your master keys as KMS keeps them available to decrypt previously encrypted data. You can create new master keys, and control who has access to those keys and which services they can be used with whenever you wish. You can also import keys from your own key management infrastructure and use them in KMS.
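The rotation model described above, as an added illustration (not KMS's own code): each rotation adds a new backing key but keeps the old ones, and the ciphertext header records which version was used, so earlier ciphertext decrypts without being re-encrypted. The HMAC-SHA256 keystream cipher is a stand-in for the AES used inside the KMS HSMs and is for demonstration only.

```python
import hmac
import hashlib
import os

class RotatingMasterKey:
    """Model of a KMS-style master key whose backing key material rotates.
    Old backing keys are retained, so ciphertext from any version still decrypts.
    The cipher is a toy HMAC-SHA256 keystream plus HMAC tag, for illustration only.
    """

    def __init__(self):
        self.backing_keys = [os.urandom(32)]  # version 0 is current at creation

    @property
    def current_version(self):
        return len(self.backing_keys) - 1

    def rotate(self):
        """Add a new backing key; previous versions stay available for decrypt."""
        self.backing_keys.append(os.urandom(32))  # one-byte header: max 256 versions
        return self.current_version

    @staticmethod
    def _keystream(key, nonce, length):
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext):
        """Encrypt under the current version; header = version byte + 16-byte nonce."""
        version, nonce = self.current_version, os.urandom(16)
        key = self.backing_keys[version]
        body = bytes(p ^ k for p, k in zip(plaintext, self._keystream(key, nonce, len(plaintext))))
        header = bytes([version]) + nonce
        tag = hmac.new(key, header + body, hashlib.sha256).digest()
        return header + body + tag

    def decrypt(self, blob):
        """Select the backing key named in the header, verify the tag, then decrypt."""
        version, nonce, body, tag = blob[0], blob[1:17], blob[17:-32], blob[-32:]
        key = self.backing_keys[version]  # IndexError if that version never existed
        expected = hmac.new(key, blob[:17] + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed: wrong key version or tampered data")
        return bytes(c ^ k for c, k in zip(body, self._keystream(key, nonce, len(body))))
```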
AWS Key Management Service is seamlessly integrated with most other AWS services. This integration means that you can easily use AWS KMS master keys to encrypt the data you store with these services. You can use a default master key that is created for you automatically and usable only within the integrated service, or you can select a custom master key that you either created in KMS or imported from your own key management infrastructure and have permission to use.
AWS KMS is also integrated with the AWS SDK and the AWS Command Line Interface (CLI), and it provides a RESTful API. When you use these interfaces to encrypt or decrypt data, the encryption or decryption operation happens automatically; you only select which KMS master key to use. In addition, KMS is integrated with AWS CloudFormation, so you can quickly create keys in KMS from a CloudFormation template.
If you have AWS CloudTrail enabled for your AWS account, each use of a key that you store in KMS is recorded in a log file that is delivered to the Amazon S3 bucket that you specified when you enabled AWS CloudTrail. The information recorded includes details of the user, time, date, and the key used.
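One way to review those CloudTrail records for key usage, as an added example rather than anything from AWS: it pulls out the caller, time, event and key from each KMS event and flags denied calls, key-lifecycle changes and calls by principals outside an allowlist. The log records, the account id, the key id and the allowlist are all constructed for the example.

```python
import json

# Constructed sample CloudTrail log (not a real capture), shaped like the KMS
# events CloudTrail delivers: caller, time, event name and the key ARN used.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:02:11Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole", "invokedBy": "s3.amazonaws.com",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/session1"},
     "resources": [{"type": "AWS::KMS::Key",
                    "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]},
    {"eventTime": "2024-01-15T10:05:40Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/contractor"},
     "resources": [{"type": "AWS::KMS::Key",
                    "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]},
    {"eventTime": "2024-01-15T11:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/admin-role/alice"},
     "resources": [{"type": "AWS::KMS::Key",
                    "ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]},
    {"eventTime": "2024-01-15T11:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]})

# Hypothetical allowlist of principals expected to use the key (an assumption).
EXPECTED_PRINCIPALS = {"arn:aws:sts::111122223333:assumed-role/app-role/session1",
                       "arn:aws:sts::111122223333:assumed-role/admin-role/alice"}
# Key-lifecycle operations worth a review whoever calls them.
LIFECYCLE_EVENTS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy",
                    "DeleteImportedKeyMaterial"}

def audit_kms_events(log_text, expected_principals):
    """Return one finding per KMS event that needs a look: a denied call,
    a key-lifecycle change, or a call by a principal outside the allowlist."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # only KMS key usage is of interest here
        ident = rec.get("userIdentity", {})
        who = ident.get("arn", ident.get("type", "unknown"))
        keys = [r["ARN"] for r in rec.get("resources", []) if r.get("type") == "AWS::KMS::Key"]
        base = {"time": rec["eventTime"], "who": who, "via": ident.get("invokedBy"),
                "event": rec["eventName"], "keys": keys}
        if "errorCode" in rec:
            findings.append(dict(base, reason="denied:" + rec["errorCode"]))
        elif rec["eventName"] in LIFECYCLE_EVENTS:
            findings.append(dict(base, reason="key-lifecycle-change"))
        elif who not in expected_principals:
            findings.append(dict(base, reason="unexpected-principal"))
    return findings
```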
AWS Key Management Service is a managed service. As your usage of AWS KMS encryption keys grows, you do not have to buy additional key management infrastructure. AWS KMS automatically scales to meet your encryption key needs.
The master keys created on your behalf by AWS KMS or imported by you cannot be exported from the service. AWS KMS stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability to help assure you that your keys will be available when you need to access them. If you import keys into KMS, you must securely maintain a copy of your keys so that you can re-import them at any time.
AWS KMS is deployed in multiple availability zones within an AWS region to provide high availability for your encryption keys.
AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext keys from the service. The service uses FIPS 140-2 validated hardware security modules (HSMs) to protect the confidentiality and integrity of your keys, regardless of whether you request KMS to create keys on your behalf or you import them into the service. Your plaintext keys are never written to disk and are only ever used in the volatile memory of the HSMs for the time needed to perform your requested cryptographic operation. KMS keys are never transmitted outside of the AWS regions in which they were created. Updates to the KMS HSM firmware are controlled by multi-party access control that is audited and reviewed by an independent group within Amazon.
To learn more about how AWS KMS works you can read the AWS Key Management Service whitepaper.
Security and quality controls in AWS KMS have been validated and certified by the following compliance schemes:
- AWS Service Organization Controls (SOC 1, SOC 2, and SOC 3) Reports. You can download a copy of these reports from AWS Artifact.
- PCI DSS Level 1. For more details on PCI DSS compliant services in AWS, you can read the PCI DSS FAQs.
- ISO 27001. For more details on ISO 27001 compliant services in AWS, you can read the ISO 27001 FAQs.
- ISO 27017. For more details on ISO 27017 compliant services in AWS, you can read the ISO-27017 FAQs.
- ISO 27018. For more details on ISO 27018 compliant services in AWS, you can read the ISO-27018 FAQs.
- ISO 9001. For more details on ISO 9001 compliant services in AWS, you can read the ISO-9001 FAQs.
- Cryptographic module running firmware version 1.4.3 is validated at FIPS 140-2 Level 2 overall with Level 3 for several other categories, including physical security. For more details, you can view the FIPS 140-2 certificate for AWS KMS HSM along with the associated Security Policy.
- FedRAMP. You can get more details on AWS FedRAMP compliance at FedRAMP Compliance.
- HIPAA-eligible. For more details, you can visit the HIPAA Compliance page.