AWS Key Management Service (AWS KMS)¶

What Is This Service?¶

Managed AWS cryptographic key management service used to create, control, and audit encryption keys.

Mental model:

AWS KMS = Generate Keys → Encrypt → Decrypt → Authorize → Audit

Primary purpose:

Provide centralized encryption and cryptographic governance across AWS services.

Typical use cases:

encryption at rest
envelope encryption
data protection
secrets protection
signing
cross-account encryption
centralized key governance

Why It Matters for Security¶

Encryption alone is not security.

Key management determines:

who can decrypt
when decryption happens
where trust exists
how access is audited

AWS KMS exists to:

centralize cryptographic control
reduce key exposure
enforce least privilege
enable encryption across AWS

Security outcomes:

confidentiality
cryptographic separation
auditability
governance

MOST TESTED:

KMS protects keys, not storage.

Architecture Example¶

Centralized Encryption Architecture¶

flowchart TD

subgraph Applications
EC2[EC2]
Lambda[Lambda]
EKS[EKS]
end

subgraph Services
S3[S3]
EBS[EBS]
RDS[RDS]
Secrets[Secrets Manager]
end

subgraph Encryption
KMS[AWS KMS]
HSM[FIPS 140-3 HSM Fleet]
end

subgraph Audit
CloudTrail[CloudTrail]
end

EC2 --> S3
Lambda --> Secrets
EKS --> RDS

S3 --> KMS
EBS --> KMS
RDS --> KMS
Secrets --> KMS

KMS --> HSM

KMS --> CloudTrail

Architecture goals:

centralized cryptography
service integration
auditability

Workflow(s)¶

Envelope Encryption¶

sequenceDiagram

participant App
participant KMS
participant DataKey
participant Storage

App->>KMS: GenerateDataKey

KMS->>App: Plaintext + Encrypted Data Key

App->>App: Encrypt data locally

App->>Storage: Store ciphertext + encrypted key

Decryption Flow¶

sequenceDiagram

participant App
participant KMS
participant Storage

App->>Storage: Retrieve encrypted data

App->>KMS: Decrypt encrypted data key

KMS->>App: Plaintext data key

App->>App: Decrypt locally

Cross-Account Encryption¶

sequenceDiagram

participant AccountA
participant KMS
participant AccountB

AccountA->>KMS: Encrypt

AccountB->>KMS: Request decrypt

KMS->>AccountB: Allow or deny

Core Concepts¶

KMS Key¶

MOST TESTED

KMS stores:

metadata
policies
lifecycle controls

KMS does NOT store:

Encrypted application data

KMS keys:

symmetric
asymmetric
HMAC

Customer Managed Keys (CMK)¶

User controlled.

Capabilities:

rotation
policies
cross-account access
deletion

Use when:

compliance
governance
audit requirements

AWS Managed Keys¶

Created automatically.

Format:

aws/service-name

Examples:

aws/s3

aws/ebs

Characteristics:

automatic
limited control

AWS Owned Keys¶

MOST TESTED

Invisible to customer.

Managed entirely by AWS.

Examples:

service internal encryption

Exam trap:

Owned Keys ≠ Managed Keys.

Envelope Encryption¶

MOST TESTED

KMS does not encrypt large datasets directly.

Process:

Generate Data Key
↓
Encrypt locally
↓
Store encrypted key

Benefits:

scalability
performance

MASSIVE EXAM TRAP:

KMS encrypts data keys.

Applications encrypt bulk data.

Data Keys¶

Generated through:

GenerateDataKey

Outputs:

plaintext key
encrypted key

Purpose:

Local encryption.

Encryption Context¶

HIGH VALUE

Additional authenticated metadata.

Example:

{
 "bucket":"prod-data"
}

Benefits:

stronger authorization
integrity validation

Exam trap:

Encryption context is not encrypted.

Important Integrations¶

Service	Purpose
Amazon S3	Object encryption
Amazon EBS	Volume encryption
Amazon RDS	Database encryption
Secrets Manager	Secret protection
CloudHSM	External key models
IAM	Authorization
CloudTrail	Audit
Lambda	Runtime encryption
Systems Manager	Parameter encryption
Organizations	Governance
CloudWatch Logs	Log encryption

Security Features¶

HSM Protection¶

MOST TESTED

KMS keys are protected using:

FIPS 140-3 validated HSMs

Benefits:

key isolation
tamper resistance
compliance

Exam trap:

Customers never access HSMs.

Automatic Rotation¶

Supported for:

symmetric CMKs

Default:

1 year

Benefits:

lower exposure
compliance

Key Policies¶

MASSIVE EXAM TRAP

Primary authorization model.

Required for access.

Example:

Allow Encrypt

Allow Decrypt

Rule:

IAM alone is not sufficient.

Grants¶

Temporary delegated access.

Common use:

EC2 → EBS

Benefits:

short-lived permissions

Imported Keys¶

Supports:

Bring Your Own Key (BYOK)

Characteristics:

import material
manual lifecycle

Exam trap:

Imported keys do not support automatic rotation.

Advanced Security and Operational Concepts¶

Control Plane vs Data Plane¶

Control Plane:

create keys
rotate
define policies

Data Plane:

encrypt
decrypt
generate data keys

Exam trap:

Heavy decrypt traffic affects KMS usage.

Authorization Model¶

MOST TESTED

Evaluation:

Key Policy
↓
IAM
↓
Grants

Rule:

No key policy → no access.

Cross-Account Access¶

Requires:

key policy
IAM permissions

Pattern:

flowchart LR

AccountA --> KMS

KMS --> AccountB

Exam trap:

Cross-account often fails because key policy missing.

Multi-Region Keys¶

HIGH VALUE

Supports:

Primary
↓
Replica

Benefits:

DR
lower latency
global applications

Exam trap:

Multi-Region keys share material.

Not independent keys.

Key Material Origins¶

Type	Material Source
AWS_KMS	Generated by AWS
EXTERNAL	Imported
CLOUDHSM	External key store

External Key Store (XKS)¶

MOST TESTED

Allows keys outside AWS.

Architecture:

flowchart LR

App --> KMS

KMS --> XKS

XKS --> ExternalHSM

Benefits:

external custody
sovereignty

Tradeoffs:

higher latency
availability dependency

KMS vs CloudHSM¶

MASSIVE EXAM TRAP

Capability	KMS	CloudHSM
Managed	Yes
Dedicated HSM	No	Yes
AWS integrations	Excellent	Limited
Envelope encryption	Yes	Manual

Rule:

Need managed encryption → KMS

Need full HSM ownership → CloudHSM

KMS vs Secrets Manager¶

Capability	KMS	Secrets Manager
Store secrets	No
Encrypt	Yes
Rotation	Keys	Secrets

Rule:

KMS protects.

Secrets Manager stores.

KMS vs S3 SSE Options¶

MOST TESTED

Capability	SSE-S3	SSE-KMS
AWS manages keys	Yes	No
Audit	Limited	Full
Key policy	No	Yes

Rule:

Need audit → SSE-KMS.

Alias¶

Aliases provide:

alias/prod-key

Benefits:

abstraction
easier rotation

Exam trap:

Alias ≠ key.

Deletion¶

Key deletion:

7–30 day waiting period

Protection:

accidental deletion prevention

MASSIVE EXAM TRAP:

Disabled keys immediately break decryption.

Cost Model¶

Primary drivers:

API requests
CMKs
custom stores

Optimization:

cache data keys
reduce decrypt calls

Exam trap:

Heavy decrypt traffic increases cost.

Comparisons¶

Service	Primary Role
KMS	Key management
CloudHSM	Dedicated HSM
Secrets Manager	Secret lifecycle
ACM	Certificates
Parameter Store	Configuration

Common Exam Traps¶

KMS protects keys, not data.
Envelope encryption is default pattern.
KMS does not encrypt large files directly.
Key policy controls access.
IAM alone is insufficient.
AWS Owned ≠ AWS Managed.
Data keys perform local encryption.
Imported keys disable rotation.
Encryption context is plaintext.
Multi-Region keys share material.
Cross-account requires key policy.
Alias is not a key.
Disable breaks decrypt immediately.
HSM access is never exposed.
XKS increases dependency.

5-Second Recall¶

KMS = centralized cryptography
Envelope encryption
Data keys encrypt data
Key policy controls access
Grants enable temporary access
Multi-Region shares material
XKS keeps keys external
KMS ≠ Secrets Manager

Quick Revision Notes¶

Centralize encryption
Use CMKs for governance
Envelope encryption scales
Key policies authorize access
Use grants for services
Multi-Region for DR
XKS for sovereignty
CloudTrail audits usage
Cache data keys
KMS protects trust boundaries