
AWS KMS (Essential, since 2014)

A managed encryption key service for securely creating and managing keys used to encrypt data

What It Does

AWS KMS (Key Management Service) is a fully managed service for securely creating, storing, and managing encryption keys used to protect data. It integrates with many AWS services including S3, EBS, RDS, and DynamoDB, enabling data encryption with just a few clicks. It centrally manages the key lifecycle - creation, rotation, disabling, and deletion - and provides fine-grained access control through IAM policies and key policies. Keys are protected by FIPS 140-2 validated hardware security modules (HSMs).

Use Cases

Used for encrypting data at rest in S3 buckets and EBS volumes, database encryption for RDS and DynamoDB, client-side encryption of application data, generating and verifying digital signatures, and encrypting secrets stored in Secrets Manager and Parameter Store - essentially any scenario requiring data protection.

Everyday Analogy

Think of it like a key management office in an apartment building. The management office (KMS) centrally manages the keys (encryption keys) for each room (data), and only authorized residents (IAM users) can use their own room's key. Keys are periodically replaced (rotated) to minimize the risk of loss or theft. The keys themselves are stored in a safe (HSM) and cannot be taken outside.

What Is KMS?

AWS Key Management Service (KMS) is a fully managed service for managing the lifecycle of encryption keys. While encryption is fundamental to data protection, securely managing encryption keys is complex and requires specialized knowledge. KMS abstracts this complexity, making it easy to create and manage encryption keys through API calls or console operations. Keys are protected by FIPS 140-2 Level 3 certified HSMs, and no one - including AWS employees - can access the plaintext keys.

Types of Encryption Keys

KMS primarily handles two types of keys. KMS keys (formerly called CMKs, customer master keys) are the keys that live inside KMS; they are used to generate data keys and for direct encryption and decryption of small payloads. Data keys are generated by KMS and returned in plaintext together with a copy encrypted under a KMS key; the application encrypts large volumes of data locally with the plaintext data key, stores only the encrypted copy alongside the ciphertext, and asks KMS to decrypt that copy when the data is needed again. This mechanism is called envelope encryption and is more efficient than encrypting data directly with KMS keys. KMS keys come in symmetric (AES-256) and asymmetric (RSA, ECC) varieties, which you choose based on your use case.

Integration with AWS Services

KMS integrates with over 100 AWS services. In S3, you can specify a KMS key for default bucket encryption, and uploaded objects are automatically encrypted. In EBS, simply enabling encryption when creating a volume protects on-disk data with a KMS key. RDS and Aurora use KMS keys for database instance encryption, and backups and snapshots are automatically encrypted as well. All these integrations work transparently, requiring no application changes.

Pricing

KMS pricing consists of key storage charges and API request charges. AWS managed keys are free, and customer managed keys cost $1 per key per month. API requests cost $0.03 per 10,000 requests. API request charges also apply when AWS services call KMS, but envelope encryption minimizes KMS API calls even when encrypting large volumes of data.

Things to Watch Out For

  • KMS key deletion has a 7-30 day waiting period to prevent accidental deletion. Deleting a key makes encrypted data permanently unrecoverable, so proceed with caution
  • Enabling automatic rotation for customer managed keys generates new key material once a year. Old key material is retained for decryption, so existing data is not affected
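The following Go program is an added example, not code from this page or from AWS, that shows how the envelope encryption described under "Types of Encryption Keys" interacts with the rotation behaviour in the bullet above. It does not call the AWS SDK: `FakeKMS`, `Envelope`, `EnvelopeEncrypt` and `EnvelopeDecrypt` are assumed names for a local stand-in that mimics the semantics of `kms:GenerateDataKey` and `kms:Decrypt` with AES-256-GCM from the standard library. The 4-byte material-version header on the wrapped data key is a constructed layout chosen so the example can show why old material must be retained; the real KMS ciphertext blob format is different and opaque, and real key material never leaves the HSM the way this in-process stand-in holds it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// randomBytes returns n cryptographically random bytes (key material, data keys, nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds an AES-256-GCM AEAD; every key here is 32 bytes, so an error is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal returns nonce || ciphertext; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal and fails on a wrong key or any change to blob or aad.
func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// FakeKMS is an assumed stand-in (not the AWS SDK) for one symmetric KMS key. It keeps every
// version of its key material, so data keys wrapped before a rotation still unwrap afterwards.
type FakeKMS struct{ versions [][]byte }

func NewFakeKMS() *FakeKMS { return &FakeKMS{versions: [][]byte{randomBytes(32)}} }

// Rotate models automatic rotation: new material is appended, old material is retained.
func (k *FakeKMS) Rotate() { k.versions = append(k.versions, randomBytes(32)) }

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh 256-bit data key in plaintext plus an
// encrypted copy laid out (constructed format) as 4-byte material version || wrapped key.
func (k *FakeKMS) GenerateDataKey() (plaintext, encrypted []byte) {
	ver := uint32(len(k.versions) - 1)
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, ver)
	dk := randomBytes(32)
	return dk, append(hdr, seal(k.versions[ver], dk, hdr)...)
}

// Decrypt mirrors kms:Decrypt: the blob records which material version wrapped it.
func (k *FakeKMS) Decrypt(encrypted []byte) ([]byte, error) {
	if len(encrypted) < 4 {
		return nil, errors.New("encrypted data key too short")
	}
	ver := binary.BigEndian.Uint32(encrypted[:4])
	if int(ver) >= len(k.versions) {
		return nil, errors.New("unknown key material version")
	}
	return open(k.versions[ver], encrypted[4:], encrypted[:4])
}

// Envelope is what the application persists: ciphertext plus the wrapped data key.
// The plaintext data key is used once and never stored.
type Envelope struct{ EncryptedDataKey, Ciphertext []byte }

// EnvelopeEncrypt makes one KMS call however large plaintext is; bulk encryption stays local.
func EnvelopeEncrypt(k *FakeKMS, plaintext []byte) Envelope {
	dk, edk := k.GenerateDataKey()
	return Envelope{EncryptedDataKey: edk, Ciphertext: seal(dk, plaintext, nil)}
}

// EnvelopeDecrypt unwraps the data key through KMS, then decrypts locally.
func EnvelopeDecrypt(k *FakeKMS, e Envelope) ([]byte, error) {
	dk, err := k.Decrypt(e.EncryptedDataKey)
	if err != nil {
		return nil, err
	}
	return open(dk, e.Ciphertext, nil)
}

func main() {
	kms := NewFakeKMS()
	env := EnvelopeEncrypt(kms, []byte("constructed sample record"))
	kms.Rotate() // a year later: automatic rotation makes version 1 current
	pt, err := EnvelopeDecrypt(kms, env)
	fmt.Printf("decrypted after rotation: %q (err=%v)\n", pt, err)
}
```

Two design points are worth noticing. The wrapped data key carries enough information for KMS to pick the right material version, which is why rotation never requires re-encrypting stored data, and the same lookup is what becomes impossible once the key itself is deleted. Also, the material version is bound to the wrapped key as GCM associated data, so a blob cannot be silently re-pointed at a different version.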