AWS Key Management Service (KMS) Study Guide

AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the cryptographic keys used to protect your data. It is integrated with most AWS services and uses Hardware Security Modules (HSMs) to protect the security of your keys.

The Real-World Analogy

Think of AWS KMS as a High-Security Hotel Vault Manager. You don’t carry the heavy gold bars (your data) to the vault every time. Instead, the manager gives you a small lockbox (Data Key) to keep in your room. When you want to lock the box, the manager uses a Master Key (KMS Key) that never leaves the front desk. You never see the Master Key; you only interact with the manager to get your box opened or closed.

Core Concepts

1. KMS Keys (formerly CMKs)

A KMS key is a logical representation of a master key. It contains metadata such as the key ID, creation date, description, and state. Crucially, the key material itself never leaves KMS in unencrypted form.

  • Symmetric Keys: 256-bit keys used for encryption and decryption. The same key is used for both. Most AWS services use symmetric keys.
  • Asymmetric Keys: Represent a mathematically related public/private key pair. Used for encryption/decryption or signing/verification. The public key can be downloaded.

2. Key Policies

Key policies are the primary way to control access to KMS keys. Unlike S3, where IAM policies alone are often sufficient, every KMS key must have a key policy. If the key policy does not explicitly allow access to the account root user or to specific IAM principals, no one (not even the account admin) can use the key.

3. Envelope Encryption

This is a critical exam topic. To encrypt a large object, KMS generates a Data Key.

  1. KMS sends you a Plaintext Data Key and an Encrypted Data Key.
  2. You use the Plaintext Data Key to encrypt your data locally.
  3. You discard the Plaintext Data Key and store the Encrypted Data Key alongside your data.
  4. To decrypt, you send the Encrypted Data Key back to KMS to get the Plaintext version.
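The four steps above, carried out in code. This is an added example, not code from the page or from AWS. The client functions call only the two boto3 KMS methods the workflow needs (generate_data_key and decrypt, with their real parameter names), so they would work against a real client; LocalKms is a constructed stand-in so the flow runs offline, and the local data cipher is a constructed encrypt-then-MAC stream cipher built from the standard library, standing in for the AES-256-GCM a real deployment would use. The alias name, sample data and all key bytes are constructed.

```python
"""Envelope encryption walk-through (added example; LocalKms and the cipher are stand-ins)."""
import hashlib
import hmac
import secrets
import struct


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed CTR-style keystream: SHA-256(key || nonce || counter), XORed with data."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hashlib.sha256(key + nonce + struct.pack(">Q", block_no)).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; tampering or a wrong key raises ValueError."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ct)


class LocalKms:
    """Constructed stand-in for the KMS API. The master key never leaves this object:
    callers only ever see a data key and its wrapped (encrypted) form."""

    def __init__(self):
        self._master = {"alias/app-key": secrets.token_bytes(32)}  # constructed alias

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        assert KeySpec == "AES_256"
        plaintext_key = secrets.token_bytes(32)
        return {"Plaintext": plaintext_key,
                "CiphertextBlob": seal(self._master[KeyId], plaintext_key),
                "KeyId": KeyId}

    def decrypt(self, CiphertextBlob, KeyId):
        return {"Plaintext": open_(self._master[KeyId], CiphertextBlob), "KeyId": KeyId}


def envelope_encrypt(kms, key_id: str, data: bytes) -> dict:
    """Steps 1-3: obtain plaintext + encrypted data key, encrypt locally, keep only the encrypted key."""
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    plaintext_key = resp["Plaintext"]
    ciphertext = seal(plaintext_key, data)
    del plaintext_key  # step 3: the plaintext data key is discarded, never stored
    return {"encrypted_data_key": resp["CiphertextBlob"], "ciphertext": ciphertext}


def envelope_decrypt(kms, key_id: str, record: dict) -> bytes:
    """Step 4: send the stored encrypted data key back to KMS, then decrypt locally."""
    resp = kms.decrypt(CiphertextBlob=record["encrypted_data_key"], KeyId=key_id)
    return open_(resp["Plaintext"], record["ciphertext"])


def roundtrip(data: bytes = b"constructed sample payload " * 200) -> bool:
    """Large payload (well over 4 KB) never goes to KMS; only the 32-byte data key does."""
    kms = LocalKms()
    record = envelope_encrypt(kms, "alias/app-key", data)
    return envelope_decrypt(kms, "alias/app-key", record) == data


if __name__ == "__main__":
    print("round trip ok:", roundtrip())
```

Note the storage shape: the record that goes to disk or S3 holds the ciphertext and the encrypted data key, nothing else, so an attacker who reads the record still needs a KMS Decrypt call (and therefore key-policy permission, and a CloudTrail entry) to recover the data key.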

Comparison: Key Types & Storage

Feature      AWS Managed Key            Customer Managed Key            AWS CloudHSM
Creation     Created by AWS services    Created by you                  Dedicated hardware
Rotation     Automatic (3 years)        Optional (1 year)               Manual
Visibility   View only                  Full control                    Full control / exclusive
Cost         Free                       $1/month + API usage            High (hourly, per instance)
Use Case     Default encryption         Granular control / compliance   FIPS 140-2 Level 3

Decision Matrix / If-Then Guide

  • If you need to encrypt data larger than 4 KB… Then use Envelope Encryption (GenerateDataKey API).
  • If you must satisfy FIPS 140-2 Level 3 compliance… Then use AWS CloudHSM or KMS Custom Key Store.
  • If you need to share encrypted snapshots across accounts… Then use a Customer Managed Key (AWS Managed Keys cannot be shared).
  • If you need to audit who accessed a key… Then check AWS CloudTrail logs.

Exam Tips and Gotchas

  • Regionality: KMS keys are regional. You cannot move a key from us-east-1 to us-west-2 (unless using specific Multi-Region keys, which are still distinct objects).
  • The “Root” Rule: A key policy must allow the account root user access for IAM policies to have any effect on the key.
  • Deletion: KMS keys cannot be deleted immediately. There is a mandatory waiting period (7 to 30 days).
  • Alias: Use Aliases to point your application to a new key without changing code.
  • Grants: Use “Grants” for temporary, granular permissions (often used by AWS services on your behalf).

Topics Covered

Summary of key subtopics covered in this guide:

  • Symmetric vs. Asymmetric KMS Keys
  • AWS Managed vs. Customer Managed Keys
  • Envelope Encryption Workflow (Data Keys)
  • Key Policies and IAM Integration
  • Automatic Key Rotation
  • Importing Key Material (BYOK)
  • CloudTrail Logging for KMS

AWS KMS Architecture & Ecosystem

[Diagram: Application calls GenerateDataKey on AWS KMS (HSM protected), which returns a plaintext key plus an encrypted key; integrated services: S3, EBS, RDS, Lambda, DynamoDB; all key usage logged to CloudTrail.]

Service Ecosystem

KMS is the “Security Glue” of AWS:

  • Storage: EBS volumes, S3 buckets (SSE-KMS).
  • Database: RDS, Aurora, DynamoDB encryption at rest.
  • Management: CloudTrail logs all key usage for compliance.

Scaling & Limits

KMS scales automatically but has request quotas:

  • Quotas: Vary by region (e.g., 10,000 requests/sec).
  • Caching: Cache data keys locally in your SDK to reduce KMS API calls and costs.
  • Envelope: Essential for large files, since only the small data key travels to KMS.

Cost Optimization

Control your spend:

  • AWS Managed Keys: Free to store, pay only for API requests.
  • Customer Managed: $1.00 per month per key.
  • API Calls: $0.03 per 10,000 requests.
  • Tip: Delete unused keys (after the waiting period).

Production Use Case: Multi-Account EBS Sharing

Scenario: You need to share an encrypted EBS snapshot from Account A to Account B.

Solution: You cannot use the Default AWS Managed Key. You must create a Customer Managed Key in Account A, update the Key Policy to grant kms:CreateGrant to Account B, and then share the snapshot. Account B can then create a volume from that snapshot.
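The key policy this scenario needs, together with the "Root" rule from the exam tips, as an added example that is not code from the page or from AWS. build_key_policy emits the root-enabling statement for Account A and two cross-account statements for Account B modelled on the statements in AWS's default key policy template ("Allow use of the key" and "Allow attachment of persistent resources"); kms:CreateGrant is the action the scenario calls out. policy_allows is a deliberately simplified evaluator (Allow statements only, exact principal match, no Deny, Condition blocks ignored) written to show the effect of each statement; it is not IAM's evaluation logic. The account IDs are constructed placeholders.

```python
"""Key policy for cross-account EBS snapshot sharing, plus a simplified allow check (added example)."""
import fnmatch
import json

ACCOUNT_A = "111111111111"  # constructed placeholder: key owner
ACCOUNT_B = "222222222222"  # constructed placeholder: snapshot recipient


def build_key_policy(owner_account, sharing_accounts):
    """Key policy document for a Customer Managed Key shared with other accounts."""
    peers = [f"arn:aws:iam::{acct}:root" for acct in sharing_accounts]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # The "Root" rule: without this statement, IAM policies in the
                # owning account have no effect on the key at all.
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Cryptographic use of the key by the recipient account(s).
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {"AWS": peers},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
            },
            {   # CreateGrant lets EBS in the recipient account use the key on
                # its behalf when it creates a volume from the shared snapshot.
                "Sid": "Allow attachment of persistent resources",
                "Effect": "Allow",
                "Principal": {"AWS": peers},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, principal_arn, action):
    """Simplified check: True if some Allow statement names the principal exactly
    and one of its Action patterns matches. Ignores Deny, Conditions and IAM policies."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal_arn not in principals:
            continue
        if any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
            return True
    return False


def drop_statement(policy, sid):
    """Copy of the policy without the statement whose Sid matches (for what-if checks)."""
    copy = json.loads(json.dumps(policy))
    copy["Statement"] = [s for s in copy["Statement"] if s.get("Sid") != sid]
    return copy


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_A, [ACCOUNT_B])
    print(json.dumps(policy, indent=2))
    root_a = f"arn:aws:iam::{ACCOUNT_A}:root"
    print("A can schedule deletion:", policy_allows(policy, root_a, "kms:ScheduleKeyDeletion"))
    print("A locked out without root statement:",
          not policy_allows(drop_statement(policy, "Enable IAM User Permissions"),
                            root_a, "kms:ScheduleKeyDeletion"))
```

The drop_statement check is the one to remember for the exam: remove "Enable IAM User Permissions" and the owning account's root principal no longer matches any statement, so nothing granted through IAM policies in Account A applies to the key either.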
