KMS Overview

  • KMS makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications.

  • KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.

  • KMS is integrated with CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

  • NEVER store passwords or secrets in plaintext: encrypt them.

  • You can only encrypt up to 4 KB of data in a single Encrypt call.

    • For anything larger, use envelope encryption: generate a data key under the CMK, encrypt the data locally with that key, and store the encrypted (wrapped) data key alongside the ciphertext.

  • Key policies are the primary way to control access to customer master keys (CMKs) in KMS.

    • They are not the only way to control access, but you cannot control access without them.

    • Use key policies to authorize cross-account access.
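
The envelope pattern behind the 4 KB limit above, as an added example (not code from the page or from AWS): a `KeyManager` interface stands in for the two KMS calls the pattern needs, `GenerateDataKey` and `Decrypt`, and `fakeKMS` is a constructed local stand-in that wraps data keys under an in-memory master key so the block runs offline. In production the interface is satisfied by a wrapper around an AWS SDK KMS client; the envelope functions themselves do not change. The key ID `alias/app-cmk` is a constructed sample value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyManager is the slice of the KMS API the envelope pattern needs. In production an
// AWS SDK KMS client (GenerateDataKey / Decrypt) sits behind it; fakeKMS is a local stand-in.
type KeyManager interface {
	GenerateDataKey(keyID string) (plaintext, encrypted []byte, err error)
	Decrypt(encrypted []byte) ([]byte, error)
}

// gcmSeal returns nonce || AES-256-GCM ciphertext || tag; gcmOpen reverses it and fails on tampering.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil || len(sealed) < aead.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// fakeKMS (constructed stand-in, not AWS KMS) holds one master key in memory; it wraps data keys and is never handed out.
type fakeKMS struct{ keyID string; master []byte }

func newFakeKMS(keyID string) *fakeKMS {
	mk := make([]byte, 32)
	if _, err := rand.Read(mk); err != nil {
		panic(err)
	}
	return &fakeKMS{keyID: keyID, master: mk}
}

func (f *fakeKMS) GenerateDataKey(keyID string) ([]byte, []byte, error) {
	if keyID != f.keyID {
		return nil, nil, errors.New("unknown key ID")
	}
	dataKey := make([]byte, 32) // fresh 256-bit data key per call
	if _, err := rand.Read(dataKey); err != nil {
		return nil, nil, err
	}
	wrapped, err := gcmSeal(f.master, dataKey, []byte(f.keyID)) // key ID bound as AAD
	return dataKey, wrapped, err
}

func (f *fakeKMS) Decrypt(encrypted []byte) ([]byte, error) { return gcmOpen(f.master, encrypted, []byte(f.keyID)) }

type Envelope struct{ EncryptedDataKey, Ciphertext []byte } // stored together: the wrapped key travels with the data

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// EnvelopeEncrypt gets a data key from KMS, encrypts locally (no 4 KB limit) and keeps only the wrapped key.
func EnvelopeEncrypt(km KeyManager, keyID string, plaintext []byte) (*Envelope, error) {
	dataKey, wrapped, err := km.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	defer zero(dataKey) // the plaintext data key lives only for this call
	ct, err := gcmSeal(dataKey, plaintext, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{EncryptedDataKey: wrapped, Ciphertext: ct}, nil
}

// EnvelopeDecrypt sends only the small wrapped key to KMS, then decrypts the bulk data locally.
func EnvelopeDecrypt(km KeyManager, env *Envelope) ([]byte, error) {
	dataKey, err := km.Decrypt(env.EncryptedDataKey)
	if err != nil {
		return nil, err
	}
	defer zero(dataKey)
	return gcmOpen(dataKey, env.Ciphertext, nil)
}
```

Only the 60-byte wrapped data key ever goes to KMS, so the payload size is irrelevant to the 4 KB limit, and every `Decrypt` of a wrapped key still produces a CloudTrail event for the calling principal. Because the data is sealed with AES-GCM, a modified ciphertext or a wrapped key presented to the wrong master key fails to decrypt rather than yielding garbage.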

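A key policy that authorizes cross-account use, as an added example (not a policy from the page or from AWS documentation). The account IDs 111122223333 (key owner) and 444455556666 (external account) and the policy `Id` are placeholders. The first statement is the one that lets IAM policies in the owning account grant access at all; the second grants the external account use of the key but not administration.

```json
{
  "Version": "2012-10-17",
  "Id": "example-cross-account-key-policy",
  "Statement": [
    {
      "Sid": "Let IAM policies in the key-owning account control access",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow account 444455556666 to use (not administer) this key",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::444455556666:root" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

In a key policy, `"Resource": "*"` means the key the policy is attached to, not every key. Granting the external account's root principal does not by itself let anyone in that account use the key: an IAM policy in account 444455556666 must still allow those same `kms:` actions on this key's ARN for a specific role or user, and access is the intersection of the two. Keeping `kms:*` off the cross-account statement means the other account can encrypt and decrypt but cannot change the key policy, schedule deletion, or disable the key.
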
Customer Master Keys (CMKs)

  • Customer master keys are the primary resources in KMS.

  • A customer master key (CMK) is a logical representation of a master key.

  • KMS supports symmetric and asymmetric CMKs.

    • A symmetric CMK represents a 256-bit key that is used for encryption and decryption.

    • An asymmetric CMK represents either an RSA key pair, used for encryption and decryption or for signing and verification (but not both), or an elliptic curve (ECC) key pair, used for signing and verification.

  • CMKs are created in KMS.

    • You can also import key material for your keys.

  • Symmetric CMKs and the private keys of asymmetric CMKs never leave KMS unencrypted.

  • Keys generated by KMS are only stored and used in the region in which they were created.

    • They cannot be transferred to another region.
