
Key Management Service (KMS)

  • Regional & public service (each region is isolated)
  • Allows you to create, store & manage symmetric/asymmetric keys
  • Can perform cryptographic operations (encrypt/decrypt)
  • Cryptographic keys never leave KMS (isolated to a region & cannot be extracted)
  • KMS provides FIPS 140-2 (Level 2) compliance
  • KMS keys are logical objects containing an ID, date, policy, description & state
  • Backed by physical key material that can be generated by or imported into KMS
  • KMS keys can directly encrypt/decrypt up to 4 KB of data
  • KMS provides role separation for key generation, encryption & decryption


KMS does not need to be told which key to use for decrypt. This information is already encoded in the ciphertext of the data.

Data Encryption Keys (DEKs)

  • Keys generated by KMS from a KMS key via the GenerateDataKey operation; this is how data > 4 KB is encrypted
  • These keys are linked to the KMS key that created them
  • KMS does not store the DEK; it provides the key to the user/service & then discards it
  • When a DEK is generated, KMS provides a plaintext version of the key & a ciphertext (encrypted) version of that key
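To make the two points above concrete (Decrypt needs no key ID because the ciphertext blob carries it, and data larger than 4 KB goes through a DEK), here is an added envelope-encryption walkthrough. It is not AWS code: KmsStub is a hypothetical in-process stand-in for KMS, and the cipher is an HMAC-SHA256 counter-mode keystream (standard library only, no authentication) standing in for AES.

```python
import hashlib, hmac, os

KMS_LIMIT = 4096  # Encrypt/Decrypt take at most 4 KB of plaintext; larger data needs a DEK

def _keystream_xor(key, nonce, data):  # stand-in for AES: HMAC-SHA256 in counter mode (unauthenticated)
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (off // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class KmsStub:  # hypothetical in-process KMS: key material lives only inside this object
    def __init__(self):
        self.key_id = "stub-" + os.urandom(4).hex()    # the logical KMS key (ID only)
        self._keys = {self.key_id: os.urandom(32)}     # backing material, never returned
    def encrypt(self, key_id, plaintext):
        if len(plaintext) > KMS_LIMIT:
            raise ValueError("KMS Encrypt accepts at most 4 KB; use GenerateDataKey instead")
        nonce = os.urandom(12)
        # The blob carries the key ID, which is why Decrypt takes no key argument.
        return key_id.encode() + b"|" + nonce + _keystream_xor(self._keys[key_id], nonce, plaintext)
    def decrypt(self, blob):
        key_id, rest = blob.split(b"|", 1)
        return _keystream_xor(self._keys[key_id.decode()], rest[:12], rest[12:])
    def generate_data_key(self, key_id):
        dek = os.urandom(32)                # handed out as plaintext + ciphertext, not stored
        return dek, self.encrypt(key_id, dek)

def envelope_encrypt(kms, key_id, data):    # client side: any size, keep only the wrapped DEK
    dek_plain, dek_cipher = kms.generate_data_key(key_id)
    nonce = os.urandom(12)
    body = _keystream_xor(dek_plain, nonce, data)
    del dek_plain                           # discard the plaintext DEK after use
    return dek_cipher, nonce + body

def envelope_decrypt(kms, dek_cipher, payload):  # KMS unwraps the DEK; no key ID supplied
    return _keystream_xor(kms.decrypt(dek_cipher), payload[:12], payload[12:])

def roundtrip(size):
    kms, data = KmsStub(), os.urandom(size)
    dek_cipher, payload = envelope_encrypt(kms, kms.key_id, data)
    return envelope_decrypt(kms, dek_cipher, payload) == data

def direct_encrypt_fits(size):             # True only while the payload is within the 4 KB limit
    kms = KmsStub()
    try:
        kms.encrypt(kms.key_id, b"x" * size)
        return True
    except ValueError:
        return False
```

Only the wrapped DEK and the encrypted payload need to be stored; the plaintext DEK exists just long enough to encrypt or decrypt.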

Key Policy & Security

  • Every KMS key has a key policy (a type of resource policy, e.g. a bucket policy)
  • KMS keys have to explicitly trust the AWS account they are contained in (the key policy is created when the key is created)
  • To use KMS there must be a key policy that trusts the AWS account & IAM policies that allow users to perform operations on KMS
  • Key rotation for KMS managed keys is 1 year by default (off for customer managed keys)