AWS KMS

A fully managed key management service for centrally creating, managing, and rotating encryption keys, integrated with over 100 AWS services

Overview

AWS Key Management Service (KMS) is a fully managed service for securely creating, storing, and managing the encryption keys used to protect your data. It integrates with over 100 AWS services, including S3, EBS, RDS, DynamoDB, and Lambda, so data encryption can be enabled with a few clicks. KMS keys are protected by hardware security modules (HSMs), and key material never leaves the HSM boundary. It supports both symmetric keys (AES-256) and asymmetric keys (RSA, ECC), and implements defense in depth through envelope encryption, in which data keys are encrypted by KMS keys. Key policies combined with IAM policies provide fine-grained control over key usage permissions, and AWS CloudTrail records a full audit trail of all key operations. Automatic key rotation replaces key material on an annual basis.

How Envelope Encryption Works and Its Benefits

KMS uses a technique called envelope encryption that separates key management from data encryption. Rather than encrypting data directly with a KMS key, you first request KMS to generate a data key via the GenerateDataKey API, which returns both a plaintext key and an encrypted copy in a single call. You then encrypt your data locally with the plaintext data key and store the encrypted data key alongside the ciphertext. To decrypt, you send the encrypted data key to KMS to obtain the plaintext data key, then use it to decrypt the data locally. This approach has two major benefits: it minimizes API calls to KMS when encrypting large volumes of data (since only the small data key travels over the network), and it keeps the KMS master key material within the HSM boundary at all times. The Encrypt and Decrypt APIs can also directly handle up to 4 KB of data for small payloads like database field encryption.

Key Policies and Permission Design

KMS key policies are the primary mechanism for controlling who can use and manage encryption keys. Unlike most AWS resources, where IAM policies alone govern access, KMS requires an explicit key policy: without one, no principal can use the key, even if their IAM policy grants kms:Encrypt. A well-designed key policy separates key administrators (who can manage but not use the key) from key users (who can encrypt and decrypt but not modify the policy). The Condition element enables fine-grained restrictions such as limiting decryption to specific VPC endpoints or requiring encryption context values that tie key usage to a particular application. For cross-account access, the key policy must explicitly grant the external account's root principal, and the external account must then delegate access to specific IAM roles via IAM policies. By comparison, Azure Key Vault manages keys, secrets, and certificates in a single service, whereas AWS splits these across KMS, Secrets Manager, and ACM respectively.

Key Rotation and Multi-Region Support

Enabling automatic key rotation generates new key material on a configurable schedule (default 365 days) while retaining all previous key material for decrypting data encrypted with older versions. This means rotation is transparent to applications - they continue using the same key ID, and KMS automatically selects the correct key material for decryption based on the ciphertext metadata. For imported key material, automatic rotation is not available, so you must implement manual rotation by creating a new key and updating key aliases. Multi-Region keys replicate the same key material across specified regions, allowing data encrypted in one region to be decrypted in another without cross-region API calls. This is particularly valuable for disaster recovery scenarios and globally distributed applications that replicate encrypted data across regions. Custom key stores backed by AWS CloudHSM clusters provide FIPS 140-2 Level 3 certified key storage for organizations with strict compliance requirements. Use CloudTrail to audit all KMS API calls and detect unauthorized key usage patterns.
