Security, Identity, and Compliance

AWS Key Management Service (AWS KMS)

Focused AWS Solutions Architect Associate notes from the Security, Identity, and Compliance domain.

AWS Key Management Service (AWS KMS)#

AWS Key Management Service (AWS KMS) Overview#

  • Definition: AWS Key Management Service (AWS KMS) is a managed service that enables you to create, manage, and use cryptographic keys for encrypting data across AWS services and your applications. It provides secure key storage, rotation, and access control.
  • Key Features:
    • Supports symmetric and asymmetric keys, key rotation, and key policies.
    • Integrates with AWS services (e.g., S3, EBS, RDS, Lambda) for seamless encryption.
    • Offers centralized key management, auditability via CloudTrail, and compliance with standards like FIPS 140-2.
    • Supports hybrid and multi-Region use cases with key replication.
  • Use Cases: Encrypt data at rest (S3, EBS), secure API payloads, manage database encryption, comply with regulatory requirements, enable client-side encryption.
  • Key Updates (2024–2025):
    • Multi-Region Keys: Enhanced replication and latency improvements (October 2024).
    • Post-Quantum Cryptography: Support for quantum-resistant algorithms (March 2024).
    • KMS Access Analyzer: Detect unused or overly permissive keys (January 2025).
    • FIPS 140-2 Level 3: Enhanced compliance for AWS GovCloud (October 2024).

1. KMS Core Concepts#

Components#

  • KMS Key:
    • A cryptographic key (symmetric or asymmetric) used for encryption/decryption or signing/verification.
    • Stored in AWS-managed hardware security modules (HSMs).
    • Explanation: E.g., symmetric key for S3 bucket encryption.
  • Key Types:
    • Symmetric: Single key for encryption/decryption (AES-256, default).
    • Asymmetric: Key pair for encryption/signing (RSA, ECC).
    • Explanation: E.g., asymmetric RSA key for client-side encryption.
  • Key Policy:
    • JSON document defining who can use or manage the key (e.g., kms:Encrypt, kms:CreateGrant).
    • Default policy grants access to account root.
    • Explanation: E.g., policy allows Lambda role to use key.
  • Customer Managed Key (CMK):
    • Keys created and managed by you, with customizable policies and rotation.
    • Explanation: E.g., CMK for RDS encryption.
  • AWS Managed Key:
    • Keys created and managed by AWS for specific services (e.g., aws/s3).
    • No rotation control, limited policy customization.
    • Explanation: E.g., AWS managed key for default S3 encryption.
  • Key Rotation:
    • Automatically rotates symmetric CMKs annually, retaining old versions.
    • Asymmetric keys and AWS managed keys require manual rotation.
    • Explanation: E.g., rotate CMK every 365 days for compliance.
  • Grants:
    • Fine-grained permissions for specific key operations without modifying key policy.
    • Explanation: E.g., grant kms:Decrypt to EC2 instance.

Key Concepts#

  • Envelope Encryption:
    • Uses a data key (encrypted by KMS key) to encrypt data, reducing KMS calls.
    • Data key stored alongside encrypted data.
    • Explanation: E.g., S3 uses envelope encryption for object data.
  • Key Material:
    • Cryptographic material for keys, either AWS-generated or customer-imported.
    • Explanation: E.g., import key material for hybrid cloud.
  • Multi-Region Keys:
    • Replicate CMKs across Regions for low-latency and DR.
    • Same key ID, material, and policy across Regions (new 2024).
    • Explanation: E.g., replicate key from us-east-1 to eu-west-1.
  • CloudHSM Integration:
    • Use KMS custom key store with AWS CloudHSM for dedicated HSMs.
    • Explanation: E.g., CloudHSM for FIPS 140-2 Level 3 compliance.

Key Notes:#

  • Exam Relevance: Understand CMKs, key policies, rotation, envelope encryption, and multi-Region keys.
  • Mastery Tip: Compare KMS vs. CloudHSM vs. Secrets Manager for encryption scenarios.

2. KMS Performance Features#

KMS optimizes cryptographic operations.

Low Latency#

  • Purpose: Fast encryption/decryption.
  • Features:
    • Regional HSMs reduce latency for key operations.
    • Multi-Region keys improve latency for cross-Region apps (new 2024).
  • Explanation: E.g., decrypt S3 object in us-east-1 with <10 ms latency.
  • Exam Tip: Use multi-Region keys for low-latency global apps.

High Throughput#

  • Purpose: Handle high request volumes.
  • Features:
    • Scales to thousands of KMS API calls per second per Region.
    • Envelope encryption reduces KMS calls for large datasets.
  • Explanation: E.g., encrypt 1 million S3 objects with one data key.
  • Exam Tip: Highlight envelope encryption for high-throughput apps.

Scalability#

  • Purpose: Support growing workloads.
  • Features:
    • No limit on CMKs per account (subject to quotas).
    • Integrates with scalable services (e.g., S3, DynamoDB).
  • Explanation: E.g., manage 1,000 CMKs for multi-tenant app.
  • Exam Tip: Use KMS for scalable encryption.

Post-Quantum Cryptography:#

  • Purpose: Future-proof security.
  • Features:
    • Supports quantum-resistant algorithms (e.g., Kyber) (new 2024).
    • Available for specific use cases (e.g., hybrid encryption).
  • Explanation: E.g., use post-quantum key for sensitive data.
  • Exam Tip: Know post-quantum for advanced security.

Key Notes:#

  • Performance: Low-latency HSMs + envelope encryption + scalability = efficient cryptography.
  • Exam Tip: Emphasize KMS for high-throughput, scalable encryption.

3. KMS Resilience Features#

Resilience ensures reliable key management.

Regional Redundancy#

  • Purpose: Survive AZ failures.
  • Features:
    • KMS keys stored in Regional HSMs, replicated across AZs.
    • Multi-AZ by default for high availability.
  • Explanation: E.g., S3 encryption continues if us-east-1a fails.
  • Exam Tip: Highlight multi-AZ for HA.

Multi-Region Keys:#

  • Purpose: Enable cross-Region resilience.
  • Features:
    • Replicate keys across Regions with identical ID and material (new 2024).
    • Supports DR and global apps.
  • Explanation: E.g., replicate key to us-west-2 for DR.
  • Exam Tip: Use multi-Region keys for global resilience.

Key Rotation:#

  • Purpose: Mitigate key compromise.
  • Features:
    • Automatic rotation for symmetric CMKs, retains old versions.
    • No downtime during rotation.
  • Explanation: E.g., rotate key annually without app changes.
  • Exam Tip: Enable rotation for compliance.

Monitoring and Recovery:#

  • Purpose: Detect and respond to issues.
  • Features:
    • CloudTrail logs KMS API calls (e.g., Encrypt, RotateKey).
    • KMS Access Analyzer detects unused or permissive keys (new 2025).
    • Alarms for unauthorized key access.
  • Explanation: E.g., alert on unauthorized kms:Decrypt attempt.
  • Exam Tip: Use CloudTrail and Access Analyzer for resilience.

Key Notes:#

  • Resilience: Multi-AZ + multi-Region + rotation + monitoring = reliable key management.
  • Exam Tip: Design resilient encryption with multi-Region keys and CloudTrail.

4. KMS Security Features#

Security is the core focus of KMS for SAA-C03.

Access Control#

  • Key Policy:
    • Controls key usage (kms:Encrypt, kms:Decrypt) and management (kms:CreateGrant, kms:RotateKey).
    • Default grants root account full access.
    • Example: {“Effect”: “Allow”, “Principal”: {“AWS”: “arn:aws:iam::123456789012:role/LambdaRole”}, “Action”: “kms:Encrypt”, “Resource”: ”*”}.
  • IAM Integration:
    • IAM policies restrict KMS API access for users/roles.
    • Combined with key policy for fine-grained control.
    • Example: IAM policy allows kms:GenerateDataKey for S3 role.
  • Grants:
    • Delegate key usage without policy changes.
    • Revocable, time-limited permissions.
    • Explanation: E.g., grant kms:Decrypt to EC2 for 24 hours.
  • KMS Access Analyzer:
    • Detects unused or overly permissive keys (new 2025).
    • Explanation: E.g., flag key with public access.
  • Exam Tip: Practice key policies, IAM, and grants.

Encryption#

  • In Transit:
    • HTTPS for KMS API calls and key operations.
    • Explanation: E.g., secure Encrypt API call.
  • At Rest:
    • Keys stored in FIPS 140-2 validated HSMs.
    • Data encrypted with KMS keys (e.g., S3, EBS) uses AES-256.
    • Explanation: E.g., EBS volume encrypted with CMK.
  • Client-Side Encryption:
    • Encrypt data before sending to AWS using KMS keys.
    • Explanation: E.g., encrypt file with KMS key before S3 upload.
  • Exam Tip: Highlight AES-256 and client-side encryption.

Key Management#

  • Key Rotation:
    • Automatic for symmetric CMKs, manual for asymmetric.
    • Retains old key versions for decryption.
    • Explanation: E.g., rotate CMK annually for PCI compliance.
  • Key Deletion:
    • Schedule deletion (7–30 days) for recovery.
    • Explanation: E.g., schedule key deletion with 7-day waiting period.
  • Custom Key Store:
    • Use CloudHSM for dedicated HSMs.
    • Explanation: E.g., CloudHSM for FIPS 140-2 Level 3.
  • Exam Tip: Know rotation and deletion for compliance.

Compliance#

  • Certifications: HIPAA, PCI, SOC, ISO, GDPR, FIPS 140-2 Level 3 (GovCloud).
  • Explanation: E.g., use KMS for HIPAA-compliant S3 encryption.

Key Notes:#

  • Security: Key policies + IAM + HSMs + Access Analyzer = robust encryption.
  • Exam Tip: Configure key policies, rotation, and CloudHSM for secure KMS.

5. KMS Cost Optimization#

Cost efficiency is a key exam domain.

Pricing#

  • Keys:
    • $1.00/key/month (prorated, symmetric/asymmetric CMKs).
    • AWS managed keys free.
  • API Requests:
    • $0.03/10,000 requests (e.g., Encrypt, Decrypt, GenerateDataKey).
    • Free for AWS managed keys in some services (e.g., S3).
  • Custom Key Store:
    • CloudHSM: $1.45/hour (~$1,044/month).
  • Example:
    • 10 CMKs, 1 million API requests:
      • Keys: 10 × $1.00 = $10.00/month.
      • Requests: 1M × $0.03/10,000 = $3.00/month.
      • Total: $13.00/month.
    • Add CloudHSM: $1,044/month.
  • Free Tier: None.

Cost Strategies#

  • Minimize CMKs:
    • Reuse keys across services/resources where possible.
    • Explanation: E.g., one CMK for S3 and EBS.
  • Use AWS Managed Keys:
    • Free for services like S3, DynamoDB default encryption.
    • Explanation: E.g., use aws/s3 key for S3 buckets.
  • Optimize API Requests:
    • Use envelope encryption to reduce KMS calls.
    • Explanation: E.g., one GenerateDataKey for 1 TB of S3 data.
  • Avoid CloudHSM Unless Required:
    • Use standard KMS for most workloads to avoid high costs.
    • Explanation: E.g., KMS for HIPAA, CloudHSM for FIPS 140-2 Level 3.
  • Tagging:
    • Use cost allocation tags to track KMS costs.
    • Explanation: E.g., tag key with “Project:Encryption”.
  • Monitor Usage:
    • Use CloudTrail and KMS Access Analyzer to optimize key usage.
    • Explanation: E.g., delete unused CMK to save $1/month.

Key Notes:#

  • Cost Savings: Reuse keys + envelope encryption + AWS managed keys = lower costs.
  • Exam Tip: Calculate costs for CMKs and API requests.

6. KMS Advanced Features#

Multi-Region Keys:#

  • Purpose: Global encryption and DR.
  • Features:
    • Replicate keys across Regions with same ID/material (new 2024).
    • Reduces latency, simplifies multi-Region apps.
  • Explanation: E.g., use same key in us-east-1 and eu-west-1 for S3.
  • Exam Tip: Know multi-Region for global apps.

Post-Quantum Cryptography:#

  • Purpose: Future-proof encryption.
  • Features:
    • Supports quantum-resistant algorithms (e.g., Kyber) (new 2024).
    • Available for specific workloads.
  • Explanation: E.g., post-quantum key for sensitive data.
  • Exam Tip: Highlight for advanced security.

KMS Access Analyzer:#

  • Purpose: Security auditing.
  • Features:
    • Detects unused or permissive keys (new 2025).
    • Recommends least-privilege policies.
  • Explanation: E.g., flag key with overly broad kms:* permissions.
  • Exam Tip: Use Analyzer for compliance.

Custom Key Store:#

  • Purpose: Dedicated HSMs.
  • Features:
    • Integrates with CloudHSM for full key control.
    • Supports FIPS 140-2 Level 3.
  • Explanation: E.g., CloudHSM for regulatory compliance.
  • Exam Tip: Know CloudHSM for enterprise scenarios.

Grants for Scalability:#

  • Purpose: Fine-grained access.
  • Features:
    • Delegate key usage without policy changes.
    • Supports high-scale environments.
  • Explanation: E.g., grant kms:Encrypt to 1,000 EC2 instances.
  • Exam Tip: Use grants for dynamic access.

Key Notes:#

  • Flexibility: Multi-Region + post-quantum + Analyzer = advanced encryption.
  • Exam Tip: Know multi-Region keys, post-quantum, and CloudHSM for enterprise.

7. KMS Use Cases#

Understand practical applications.

Data at Rest Encryption#

  • Setup: KMS CMK for S3, EBS, RDS.
  • Features: Seamless integration, automatic encryption.
  • Explanation: E.g., encrypt S3 bucket with CMK.

Client-Side Encryption#

  • Setup: KMS key for app-level encryption.
  • Features: Encrypt data before AWS upload.
  • Explanation: E.g., encrypt file with KMS before S3 upload.

Multi-Region Applications#

  • Setup: Multi-Region key for S3, DynamoDB.
  • Features: Consistent encryption across Regions.
  • Explanation: E.g., replicate key for global app.

Compliance Requirements#

  • Setup: KMS with CloudHSM, key rotation.
  • Features: FIPS 140-2, HIPAA, PCI compliance.
  • Explanation: E.g., CloudHSM for PCI-compliant database.

8. KMS vs. Other Security Services#

FeatureKMSCloudHSMSecrets Manager
TypeKey ManagementDedicated HSMSecret Management
WorkloadEncryption, signingCustom cryptographyCredentials, secrets
Use CaseS3, EBS encryptionFIPS 140-2 Level 3Database passwords
Cost$1/key, $0.03/10K req$1.45/hour$0.40/secret/month
ManagementFully managedUser-managed HSMManaged secrets

Explanation:#

  • KMS: Managed key service for encryption/signing.
  • CloudHSM: Dedicated HSM for custom cryptography.
  • Secrets Manager: Manages credentials and secrets.

9. Detailed Explanations for Mastery#

  • Multi-Region Keys:
    • Example: Replicate key for S3 encryption in us-east-1 and eu-west-1.
    • Why It Matters: Global apps, DR—new for 2024.
  • Post-Quantum Cryptography:
    • Example: Use Kyber algorithm for sensitive data encryption.
    • Why It Matters: Future-proof security—new for 2024.
  • KMS Access Analyzer:
    • Example: Flag unused CMK with public access.
    • Why It Matters: Security auditing—new for 2025.

10. Quick Reference Table#

FeaturePurposeKey DetailExam Relevance
KMS KeyEncryption/signingSymmetric/asymmetric, HSM-storedCore Concept
Key PolicyAccess controlJSON, controls usage/managementCore Concept
Envelope EncryptionEfficient encryptionData key encrypted by KMS keyCore Concept
Multi-Region KeysGlobal encryptionReplicate keys, same ID (2024)Resilience, Performance
Post-Quantum CryptoFuture-proof securityQuantum-resistant algorithms (2024)Security
KMS Access AnalyzerSecurity auditingUnused/permissive keys (2025)Security, Resilience
Custom Key StoreDedicated HSMCloudHSM, FIPS 140-2 Level 3Security

Found an issue? Improve this note in the GitHub repo.