AWS KMS : Everything you Need to Know About the AWS Key Management Service

The safety of data from unauthorized access, internal or external corruption and theft, either by storing it in the cloud or on-premises is of crucial importance to a company.

Encryption is amongst the most dynamic forms of data security, protecting your data against the threat of lost or theft.  

This article discuses everything you need to know about the AWS Key Management Service (KMS).

It is one of the world’s most trending and effective data security solution offered by Amazon Web Services which is used by millions of customers, from startup companies to largest ones and major government agencies to efficiently manage their data without struggles.

What is the AWS Key Management Service?

As stated before, AWS key Management Service is an Amazon web services that was launched in 2006 in order to enable individuals, companies and government to easily create, store, delete and securely manage the cryptographic keys used to protect your data.

AWS can be used  through Identity and Access Management (IAM) by choosing the section Encryption Keys or the software in order to access the AWS KMS.

Furthermore, to define the user’s data it promotes a direct management over the encryption keys; basically the administrator will be able to audit, for what purpose, by whom and when the key was used which helps to fulfil compliance and regulatory requirement.

How does the AWS KMS work?

AWS Key Management Service is typically incorporated with other AWS CloudTrail services in the aim of conveying encryption or providing variety of services through the help of key usage logs to accomplish services including regulatory, examination, and compliance demands.

Amazon KMS Works with Amazon Web Services to encrypt data using a technique known as envelope encryption. With such a technique, KMS creates data keys that are employed to encrypted data and are themselves encrypted using your KMS main keys.

Once a user wishes to decrypt their data, Amazon asks KMS to first decrypt the data key on behalf of the user. On the other side, the service will obtain the decrypted data key from KMS from which it can decrypt data if the user is allowed to do so.

Amazon CloudTrail will log each attempted use of master keys allowing the user to see who used which master key and under which circumstances.

Are there different types of KMS keys? What is the difference between them?

The different types of KMS keys

The paramount resource of AWS KMS is the keys, their main role is encrypting, decrypting and re-encrypting. KMS basically uses three types of keys: customer managed keys, AWS managed keys, and AWS owned keys.

a. Customer managed keys (CMKs):

Customer managed keys or CMKs are KMC keys created by the user who is fully in charge of creating, deleting, owning and managing all aspects of the key.

Customer managed keys are used in cryptographic operations including encrypting, decrypting, signing, and verifying.

Additionally, many AWS services that incorporate AWS KMS let you provide a customer managed key to secure the information that is maintained and saved on their behalf.

b. AWS managed keys:

Keys created for your account and managed by an AWS service on your behalf are known as AWS managed keys.

In AWS CloudTrail logs, you can check the key policies of the AWS managed keys in your account, review their use, and view them. 

However, you are unable to rotate, manage, or modify the key policies of these KMS keys. All AWS managed keys undergo an annual automatic rotation that cannot be altered.

c. AWS owned keys:

As its name implies, AWS owned keys are a collection of KMS keys that are completely owned and managed by AWS for use in multiple AWS accounts, also, they are not under your control.

AWS owned keys cannot be viewed, managed, used, or examined. Even though your AWS account does not contain AWS proprietary keys, an AWS service can use the associated AWS owned keys to secure your account resources.

The difference between KMS keys

The major difference between KMS keys it that AWS manages the creation of keys, despite the fact that they are exclusive to your account, they provide less access control mechanisms. Unlike CMKs which provides more control and management.

What are the main features of the Amazon Key Management Service?

AWS Key Management Service allows central management over the lifecycle and permissions of the encrypted keys that are used to protect your data.

The service integrates with other AWS services, making it easier for you to encrypt the data you store in those services and control access to the keys that decrypt them, hence it has many feature we will be exploring them one by one:

Fully managed

The service is fully managed by AWS key management service, giving the user the opportunity to totally focus on the secret writing keys for the applications. Meanwhile AWS deals with the hardware maintenance of the underlying infrastructure.

Centralized management

The user can manage their secret writing keys centrally with the help of AWS KMS, which offers a single read into all the key utilization within the company.

Putting in place, keys will simply be created, rotated and imported by the user as outline usage policy and audit usage from the AWS Management Console or by using the AWS SDK or CLI.

Integrated with AWS services

In the sake of simplifying the encryption process of user’s data stored with various AWS services, Amazon KMS has been incorporated with a wide range of AWS services.

Encryption for all of the user applications

Regardless of where the user stores the data, the AWS Key Management Service makes managing the encryption keys used to encrypt it simple, without encoding data stored by the user. KMS provides an SDK software key management and cryptographic integration into user applications.

Built-in Auditing

AWS CloudTrail and Amazon KMS collaborate to provide the user with a large number of API calls made to or from KMS. These logs give information on when and by whom keys were accessed, assisting the user to satisfy compliance and regulatory requirements.


Unless the user wants further master keys, the storage of default keys in the user account is free of charge.


The user can store and use encoding keys in a secure location thanks to AWS KMS being designed with a high level of security.

 Using hardware security modules that are compatible with FIPS 140-2 whenever the user's unencrypted keys are only used in memory.  

KMS will never send keys outside of the AWS areas where they were created and they can only be used only in the areas they were created in.


Various compliance schemes validate and licence the security and quality controls in AWS KMS.

AWS Managed Key Vs. Customer Managed Key: which one is better?

It depends. In terms of security, neither one is superior to the other, so based on your requirements you can choose.  

Broadly speaking, an AWS Managed Key will be used only for security sake within the specific AWS service for which it was established. As it has fewer available access control methods when using an AWS managed key.

On the other hand, if you are about to create, disable or define access to the key, Customer Managed Key is your only option because they will provide more control and access options.

Here is a complete step by step guide to create keys using AWS KMS:

AWS KMS keys can be created via AWS Management Console, or by using the CreateKey operation or an AWS CloudFormation template.

  1. 1
    Step 1: Create a Customer Master Key (CMK)The first step is creating a CMK, if you already have a setup to use this step can be skipped.
  2. 2
    Step2: Create a data key Create new data key that returns an encryption key to use later in local data encryption, using command generate-data-key and the new CMK.

    Then, using the key-spec parameter and AES algorithm, generate a 256 bit long symmetrical encryption key.
  3. 3
    Step 3: Storing the CipherTextBlobThe next step is to extract CipherTextBlob from the base 64 decoded data key.json and save it in your respiratory system.

    When decoding, we use a base64 implementation that is provided by the OpenSSL toolkit.The meta-data in the blob refers to the CMK that was applied when the data key was created. It enables you to get the plaintext key for later decryption.
  4. 4
    Step 4: Encrypting the dataBefore proceeding with data encryption to extract the data, you should base64 decode the text key of data key.json, which we created with the CipherTextBlob in the previous step.Using AES and OpenSSL, we can finally start encrypting data.

Final thoughts

This article tackled every aspect one should know about AWS Key management services, including its main features and way of working.

The key points that you need to remember when considering the use of AWS KMS are that they are easy to use, flexible, reliable and highly secure in terms of storing and encrypting data.

About the author


Youssef is a Senior Cloud Consultant & Founder of

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Related posts