AWS KMS - Key Management Service

What is AWS KMS?

AWS KMS (Key Management Service) is a managed service for central management of cryptographic keys. KMS enables creation, rotation, and control of encryption keys used to protect your data in AWS services and custom applications.

The service uses Hardware Security Modules (HSMs) with FIPS 140-2 Level 2 certification (CloudHSM offers Level 3). Private keys never leave the HSMs in plaintext. KMS integrates seamlessly with over 100 AWS services: S3, EBS, RDS, DynamoDB, Lambda, Secrets Manager, and many more.

AWS KMS is available in all AWS regions, including EU regions for GDPR compliance. The service offers 99.99% availability SLA and enables multi-region keys for global encryption without performance penalties.

How Does AWS KMS Work?

KMS is based on envelope encryption: Instead of encrypting data directly with the master key (API limit 4 KB), KMS generates Data Encryption Keys (DEKs) that encrypt your data. The DEK itself is encrypted with the KMS Master Key.

Encryption Workflow

Encryption:

1. Application calls GenerateDataKey API
2. KMS generates plaintext DEK and encrypted DEK
3. Application encrypts data with plaintext DEK (locally)
4. Application stores encrypted data + encrypted DEK
5. Plaintext DEK is deleted from memory

Decryption:

1. Application calls Decrypt API with encrypted DEK
2. KMS checks key policy and IAM permissions
3. KMS decrypts DEK with master key, returns plaintext DEK
4. Application decrypts data with plaintext DEK (locally)
5. Plaintext DEK is deleted from memory

Benefit: Unlimited data volumes can be encrypted, performance optimization through local encryption, KMS never sees your data.

Key Types

Symmetric Keys (AES-256): Standard for data encryption, highest performance, supports Encrypt/Decrypt/GenerateDataKey. 99% of all KMS keys are symmetric.

Asymmetric Keys (RSA, ECC): Public/private key pairs for Sign/Verify or Encrypt/Decrypt. Public key exportable, private key stays in KMS HSM. Use cases: digital signatures, PKI integration, cross-platform encryption.

HMAC Keys: For hash-based message authentication codes (GenerateMac, VerifyMac). Use case: API request signing, token generation.

Key Policies and Permissions

Every KMS key has a key policy (resource-based policy) that defines who can use the key. Key policy is mandatory, IAM policies are optional additions. Effective permissions are the union of both.

Best practice: Use key policy conditions for fine-grained access control:

• kms:ViaService (only via S3, RDS)
• kms:EncryptionContext (encryption context must match)
• aws:SourceVpc (only from specific VPC)
• aws:MultiFactorAuthPresent (only with MFA)

Grants are temporary, delegatable permissions for service-to-service access. AWS services like EBS, RDS automatically create grants when attaching encrypted volumes.

Typical Use Cases for AWS KMS

Encryption at Rest for AWS Services

KMS is the standard mechanism for encryption at rest in AWS. Over 100 services integrate with KMS:

S3: Bucket or object-based encryption with SSE-KMS, encryption context for audit
EBS: Encrypted volumes for EC2 instances, performance impact <5%
RDS/Aurora: Transparent database encryption (TDE), backups automatically encrypted
DynamoDB: Table encryption with KMS, no latency increase
Lambda: Environment variables, code signing
Secrets Manager: Secret encryption, automatic rotation

Benefit: Central key management, unified audit trails, compliance evidence (HIPAA, PCI DSS, GDPR).

Client-Side Encryption in Applications

Encrypt data in your application before sending it to AWS services:

S3 Client-Side Encryption: AWS Encryption SDK uses KMS for data key management
Database Field Encryption: Store sensitive columns (PII) encrypted
File Encryption: Encrypted backups, encrypted data exchange

KMS envelope encryption enables encryption of unlimited data volumes. AWS Encryption SDK handles key caching, reducing KMS API calls by up to 99%.

Compliance and Regulatory Requirements

KMS meets strict compliance requirements:

GDPR: EU region keys (Frankfurt, Ireland) for data sovereignty
HIPAA: BAA available, FIPS 140-2 certified HSMs
PCI DSS: Key management per Level 1 requirements
ISO 27001, SOC 1/2/3: AWS certifications cover KMS

CloudTrail logs all key accesses with principal, timestamp, encryption context. Audit logs for compliance evidence. Custom key stores with CloudHSM for highest isolation.

Cross-Account Encryption

KMS keys can be shared cross-account for central key management:

Central Security Account: Creates and manages KMS keys
Workload Accounts: Use keys via cross-account key policy
AWS Organizations Integration: Service control policies enforce KMS usage

Example: Security team manages production encryption keys, developer teams have read-only access for debugging. Separation of duties per NIST guidelines.

Digital Signatures and PKI

Asymmetric KMS keys (RSA, ECC) support Sign/Verify operations without private key export:

Code Signing: Sign Lambda deployment packages, container images
Document Signatures: PDF signing, digital contracts
API Authentication: JWT token signing with RS256, ES256
Blockchain: ECDSA signatures for Ethereum (secp256k1 curve)

Benefit: Private key stays in FIPS-certified hardware, never exportable. Public key downloadable for verification. CloudTrail audit for all signing operations.

Multi-Region Disaster Recovery

Multi-region keys enable global encryption/decryption with identical key IDs:

Global Replication: S3 cross-region replication with multi-region key
Disaster Recovery: Failover to another region without re-encryption
Low Latency: Local decrypt calls, no cross-region API latency

One primary key in primary region, replica keys in DR regions. Key material synchronizes automatically. On primary region failure: Promote replica to primary.

Best Practices for AWS KMS

1. Use Customer Managed Keys for Production Data

AWS Managed Keys (aws/s3, aws/rds) are simple but offer no control. For production data: Customer Managed Keys with custom key policy, rotation, CloudTrail logging.

Key policy with least privilege: Separate permissions for key administration (CreateKey, ScheduleKeyDeletion) and key usage (Encrypt, Decrypt). Different IAM principals for admin vs. usage.

2. Enable Automatic Key Rotation

Customer Managed Keys support automatic yearly rotation. KMS creates new key material, keeps old versions for decryption. Rotation is transparent to applications.

CloudTrail logs RotateKey events. AWS Config monitors rotation status. Alarm on disabled rotation for compliance.

3. Use Encryption Context for Audit

Encryption context is Additional Authenticated Data (AAD) for AES-GCM. Key-value pairs that must match during Encrypt/Decrypt:

{
  "department": "finance",
  "document": "invoice-12345"
}

Encryption context appears in CloudTrail log (unencrypted). Enables fine-grained audit trails: Which principal decrypted which document? Key policy conditions can enforce encryption context.

4. Implement Key Policy Conditions

Granular access control through key policy conditions:

kms:ViaService: Only decrypt via RDS, not directly
aws:SourceVpc/aws:SourceVpce: Only from specific VPC/VPC endpoint
aws:RequestedRegion: Only in EU regions
kms:EncryptionContext: Encryption context must contain specific keys

Prevents misuse: Even with IAM permission, key cannot be used outside allowed services/regions.

5. Use Separate Keys for Different Purposes

Key separation by data classification, service, environment:

Production vs. Development: Separate keys, different key policies
Service-specific: S3 key, RDS key, Lambda key (blast radius reduction)
Data Classification: PII key, financial data key, public data key

On key compromise, only subset of data is affected. Simpler compliance audits (only financial data key relevant for PCI DSS audit).

6. Monitor Key Usage Continuously

CloudWatch metrics for KMS API calls, latency, throttling. CloudTrail for audit (who, what, when). AWS Config for configuration changes (key policy updates, rotation status).

Alarms for unusual activity:

• DeleteKey, DisableKey, CancelKeyDeletion
• ScheduleKeyDeletion without approval
• UnusedKeys (no API calls in 90 days)
• Excessive decrypt failures (potential attack)

GuardDuty identifies KMS-related threats (anonymous API calls, unusual key access patterns).

7. Use AWS Encryption SDK for Client-Side Encryption

AWS Encryption SDK handles KMS integration, envelope encryption, key caching. Supported languages: Java, Python, JavaScript, C, CLI.

Key caching reduces KMS API calls by up to 99% through reuse of data keys. Configurable max age, max messages per data key. Encryption context automatically embedded in ciphertext.

8. Implement Key Deletion Safeguards

KMS key deletion is irreversible. Safeguards:

Waiting Period: 7-30 days between ScheduleKeyDeletion and actual deletion
CloudTrail Alert: Alarm on ScheduleKeyDeletion event
Approval Workflow: SNS notification + manual approval before CancelKeyDeletion
Deny Key Deletion: Key policy prohibits ScheduleKeyDeletion for certain principals

For unused keys: Disable instead of delete (reversible anytime). AWS Config rule: Alarm on disabled keys >90 days.

AWS KMS vs. Alternatives

When comparing key management solutions across cloud providers, different strengths emerge:

AWS KMS vs. Google Cloud KMS

Google Cloud KMS offers similar features to AWS KMS: Symmetric/asymmetric keys, automatic rotation, HSM-backed. Google uses a single global keyring, AWS uses region-specific keys (except multi-region).

AWS advantages: Larger service integration (over 100 services), more mature tooling, better BYOK support, external key store (on-premises HSM).

Google advantages: Simpler key versioning, more granular IAM (no separate key policies), cheaper API pricing at high volume.

AWS KMS vs. Azure Key Vault

Azure Key Vault combines key management, secret storage, certificate management. AWS separates KMS (keys), Secrets Manager (secrets), ACM (certificates).

AWS advantages: Clearer separation of concerns, more extensive encryption context features, better multi-region keys.

Azure advantages: All-in-one secret management, managed HSM for dedicated pools, BYOK with nShield HSMs.

When KMS vs. CloudHSM?

Choose KMS for: Standard compliance (HIPAA, PCI DSS, GDPR), multi-tenant HSM acceptable, simple management, integration with AWS services.

Choose CloudHSM for: FIPS 140-2 Level 3 required, single-tenant HSM requirement, custom crypto operations, full control over key lifecycle.

CloudHSM costs approximately $1,500/month per HSM (minimum 2 for HA), KMS Customer Managed Keys cost $1/month.

As multi-cloud experts, we provide vendor-neutral advice for the optimal solution for your requirements.

AWS KMS Integration with innFactory

As an AWS Reseller, innFactory supports you with:

Architecture Design: We design secure key management architectures with KMS. Key hierarchies, encryption context strategies, multi-region key design. Integration with IAM, CloudTrail, AWS Config for compliance.

Migration: Secure migration of existing encryption solutions to KMS. Re-encryption of data, import of your own keys (BYOK), CloudHSM migration. Zero-downtime migrations for production systems.

Security & Compliance: GDPR-compliant KMS implementation in EU regions. Key policy design per least privilege, encryption at rest for all sensitive data, audit trails with CloudTrail. Compliance evidence for HIPAA, PCI DSS, ISO 27001.

Performance Optimization: AWS Encryption SDK integration with key caching to reduce KMS API calls. Batch encryption workflows, async decrypt patterns. Monitoring with CloudWatch for throttling prevention.

Cost Optimization: Analysis of your KMS usage to identify unused keys, optimize API call patterns, data key caching. Typical savings: 20-40% on API costs.

Training & Workshops: KMS best practices, envelope encryption, key policy development, CloudHSM integration. Hands-on workshops on client-side encryption with AWS Encryption SDK.

24/7 Support: Monitoring of critical KMS events (ScheduleKeyDeletion, DisableKey). Incident response on key compromise. Proactive rotation reminders and compliance checks.

Contact us for a non-binding consultation on AWS KMS and encryption architectures on AWS.