AWS KMS: What It Is and When to Use It
Definition
AWS Key Management Service (AWS KMS) is a managed service for creating and controlling cryptographic keys used to protect data across AWS. It performs encryption and decryption inside FIPS 140-2 / 140-3 validated hardware security modules (HSMs) and integrates natively with more than 100 AWS services (S3, EBS, RDS, DynamoDB, Lambda, Secrets Manager, and many more). You pay a small monthly fee per customer-managed key plus a per-request charge, and the service handles high availability, key storage, and multi-Region replication for you.
KMS is the cornerstone of AWS's encryption-at-rest story. Most services can encrypt data with a KMS key simply by selecting one at resource creation — no cryptography code required on your side.
How It Works
KMS exposes two categories of keys: symmetric (AES-256-GCM, the default and most common) and asymmetric (RSA or ECC key pairs for sign/verify or encrypt/decrypt). The primary key material of a symmetric KMS key never leaves HSMs; all encrypt/decrypt calls flow through the KMS API.
For real-world bulk data, AWS services use envelope encryption: KMS generates a data key (a plaintext AES key plus a KMS-encrypted copy), hands both to the calling service, and the service encrypts the bulk data with the plaintext data key locally, stores the encrypted data key next to the ciphertext, and discards the plaintext data key from memory. To decrypt, the service calls KMS to decrypt the encrypted data key, then uses it to decrypt the data. This avoids sending terabytes of data through the KMS API while still giving KMS full control over who can ultimately decrypt.
Key Types
- Customer managed keys (CMKs) — you create, configure, and own. You write the key policy, enable/disable, schedule deletion, and choose whether to enable automatic rotation. Visible in the KMS console. Billed $1/month each.
- AWS managed keys — created on your behalf by AWS services (e.g., aws/s3, aws/ebs). Free to use, you cannot modify their key policy, and they are unique per account per Region. Visible in the KMS console, prefixed with aws/.
- AWS owned keys — owned and used by AWS services across many accounts. Not visible in your account, not billed. Used when you don't pick a specific key (for example, DynamoDB default encryption).
Additional key kinds include multi-Region keys (a primary plus replicas with identical key material for cross-Region disaster recovery), HMAC keys (for symmetric message authentication), and external keys / XKS (key material stored in your own external HSM, with KMS as the proxy).
Key Policies and Grants
Every KMS key has a key policy — a resource-based JSON policy that is the ultimate authority over who can use the key. Unlike many services, an IAM policy alone cannot grant access; the key policy must also delegate permissions (often back to IAM by allowing kms:* on "Principal": {"AWS": "arn:aws:iam::ACCOUNT:root"}). Grants are a lightweight alternative for temporary, narrowly-scoped delegation, common in short-lived operations like snapshot copies.
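A constructed key policy with the root delegation statement described above, plus a small lint for the two mistakes that statement guards against (a policy that never delegates to IAM, and an Allow open to any principal). This is an added example, not code from the article or from AWS; the account id, role name, and kms:ViaService condition value are sample values chosen here.

```javascript
// Constructed sample key policy (not from the page): the root delegation statement that hands
// evaluation back to IAM, plus one narrowly scoped usage statement for an application role.
const SAMPLE_KEY_POLICY = {
  Version: '2012-10-17',
  Statement: [
    {
      Sid: 'Enable IAM policies',
      Effect: 'Allow',
      Principal: { AWS: 'arn:aws:iam::111122223333:root' },
      Action: 'kms:*',
      Resource: '*',
    },
    {
      Sid: 'Allow AppRole to use the key through S3 only',
      Effect: 'Allow',
      Principal: { AWS: 'arn:aws:iam::111122223333:role/AppRole' },
      Action: ['kms:Encrypt', 'kms:Decrypt', 'kms:GenerateDataKey*'],
      Resource: '*',
      Condition: { StringEquals: { 'kms:ViaService': 's3.us-east-1.amazonaws.com' } },
    },
  ],
};

// principals flattens a statement's Principal element ('*', or a map of ARN lists) to a list.
function principals(stmt) {
  const p = stmt.Principal;
  return p === '*' ? ['*'] : [].concat(...Object.values(p || {}));
}

// lintKeyPolicy reports two gotchas: no statement that delegates kms:* to the account root
// (then IAM policies cannot grant access to the key and the account can lock itself out),
// and Allow statements open to any principal with no Condition attached.
function lintKeyPolicy(policy, accountId) {
  const findings = [];
  const root = `arn:aws:iam::${accountId}:root`;
  const allows = (policy.Statement || []).filter((s) => s.Effect === 'Allow');
  const delegates = allows.some(
    (s) => principals(s).includes(root) && [].concat(s.Action).includes('kms:*'),
  );
  if (!delegates) findings.push('no statement grants kms:* to the account root, so IAM policies cannot grant use of this key');
  for (const s of allows) {
    if (principals(s).includes('*') && !s.Condition) {
      findings.push(`${s.Sid || '(no Sid)'}: allows any principal without a Condition`);
    }
  }
  return findings;
}
```

The lint is deliberately narrow: it checks the delegation pattern the article describes, not the full IAM evaluation logic.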
Key Features and Limits
- Pricing — $1.00 per month per customer-managed CMK (prorated hourly). API requests: $0.03 per 10,000 requests (symmetric), higher for asymmetric and HMAC operations.
- Free Tier — 20,000 KMS requests per month across all Regions are free, forever. AWS managed keys are always free; you pay only for their API requests.
- Automatic rotation — symmetric CMKs support automatic annual rotation (opt-in; default 365 days, configurable 90–2,560 days as of 2023). Rotation generates new backing material and keeps older material around to decrypt historical ciphertext; the key ID and ARN stay the same.
- Key deletion — scheduled deletion has a waiting period of 7 to 30 days (default 30). Once deleted, the key is unrecoverable and all data encrypted under it is permanently lost.
- Key spec options — SYMMETRIC_DEFAULT (AES-256-GCM), RSA (2048/3072/4096), ECC (NIST P-256/P-384/P-521, SECG P-256K1), SM2 (China Regions), HMAC (224/256/384/512).
- Request rate — KMS API has per-Region request quotas (e.g., 10,000/s for cryptographic operations in commercial Regions; higher for data key operations). Quotas are raisable via Service Quotas.
- Cross-account sharing — a key policy can grant a principal in another account access; the other account's IAM policies still need to allow the calls.
- Encryption context — an optional set of key-value pairs passed to KMS that is bound to the ciphertext and logged to CloudTrail. Widely used by AWS services (e.g., S3 passes the bucket and key as context).
- CloudTrail integration — every KMS API call (including Encrypt / Decrypt / GenerateDataKey) is logged, enabling complete audit of key usage.
Common Use Cases
- Default encryption for AWS services — S3 bucket SSE-KMS, EBS volume encryption, RDS database encryption, DynamoDB default encryption.
- Envelope encryption in applications — call GenerateDataKey from Lambda or EC2, encrypt bulk data locally, store encrypted data + encrypted data key.
- Secrets protection — AWS Secrets Manager encrypts every secret with a KMS key; the same pattern applies to SSM Parameter Store SecureString parameters.
- Client-side encryption SDKs — AWS Encryption SDK, S3 Encryption Client, and DynamoDB Encryption Client use KMS as their root key provider.
- Digital signing — use an asymmetric KMS key to sign JWTs, software artifacts, or documents without exposing the private key.
- Disaster recovery — multi-Region keys replicate across Regions so that data encrypted in Region A can be decrypted natively in Region B after a failover.
Pricing Model
Customer-managed keys cost $1 per key per month, prorated to the hour. API requests are $0.03 per 10,000 for symmetric operations; asymmetric RSA operations cost more (on the order of $0.03 per 10,000 verify, more for sign) and HMAC operations sit between. The AWS Free Tier permanently includes 20,000 KMS requests per month. AWS managed keys (aws/service prefix) don't incur the per-key fee — you pay only for their API calls.
Multi-Region keys cost $1/month per replica. Custom Key Stores (CloudHSM-backed) add HSM cluster costs (approximately $1.45/hour per HSM). External key stores (XKS) still cost $1/key/month plus your own external HSM costs.
Pros and Cons
Pros
- Deep integration with virtually every AWS service — usually just a key selector.
- FIPS 140-2/140-3 validated HSMs and strong audit via CloudTrail on every operation.
- Simple, predictable pricing ($1/key/month) with a generous free tier for requests.
- Multi-Region keys solve cross-Region DR without rewrapping ciphertext.
Cons
- Key policy syntax is similar to IAM but has unique gotchas (you usually must explicitly delegate to IAM with Principal: root).
- Request quotas can surprise high-throughput workloads; envelope encryption and data-key caching are essential for scale.
- KMS is Region-scoped (except multi-Region keys) — cross-Region replication always re-encrypts unless you planned multi-Region from the start.
- Deleted keys are unrecoverable after the 7–30 day wait; silently orphaned ciphertext becomes permanently unreadable.
Comparison with Alternatives
| Feature | AWS KMS | AWS CloudHSM | AWS Secrets Manager |
| --- | --- | --- | --- |
| Primary purpose | Managed encryption keys | Dedicated single-tenant HSM cluster | Secret storage + rotation |
| Tenancy | Multi-tenant HSMs | Single-tenant HSMs | Managed service (uses KMS internally) |
| Pricing | $1/key-month + requests | ~$1.45/hr per HSM | $0.40/secret-month + API calls |
| Custom algorithms | Limited | Full PKCS#11 control | N/A |
| Best for | Default AWS encryption, app-level envelope encryption | Strict single-tenant compliance, custom crypto | DB credentials, API keys, rotation |
Exam Relevance
KMS appears across:
- Solutions Architect Associate (SAA-C03) — choosing between SSE-S3, SSE-KMS, SSE-C; encrypting EBS snapshots on copy; multi-Region keys for DR.
- Developer Associate (DVA-C02) — envelope encryption, GenerateDataKey, encryption context, encrypting data in Lambda.
- Security Specialty (SCS-C02) — deep key policy evaluation, grants, cross-account key sharing, customer vs AWS managed vs AWS owned trade-offs, automatic rotation semantics.
- Database Specialty, Data Engineer — RDS/Redshift/Aurora encryption, re-encryption of snapshots, cross-account restore.
Classic exam trap: candidates confuse automatic key rotation with re-encrypting existing ciphertext. KMS rotation keeps the key ID and ARN the same and adds new backing material for future encryptions; existing ciphertext is not re-encrypted — older backing material is retained so it can still be decrypted. If a question asks how to force re-encryption, the answer is manual rotation or re-encrypting the data, not enabling automatic rotation.
Frequently Asked Questions
Q: What is the difference between a customer-managed key, an AWS-managed key, and an AWS-owned key?
A: A customer-managed key is one you create and fully control — you write the key policy, enable or disable it, configure rotation, and pay $1/month per key. An AWS-managed key is created on your behalf by an AWS service (names like aws/s3), is free for the key itself but billed per API request, and you can't modify its key policy. An AWS-owned key belongs to AWS across many accounts, isn't visible in your account, and is free — used when you don't select a specific key (e.g., DynamoDB default encryption).
Q: What is envelope encryption, and why does KMS use it?
A: Envelope encryption encrypts data with a locally-generated data key and then encrypts that data key with a KMS key (the wrapping key). The encrypted data key is stored alongside the ciphertext. This avoids pushing terabytes of data through KMS (which is rate-limited and has a maximum 4 KB payload for direct Encrypt/Decrypt) while keeping key control centralized: to decrypt, the service calls KMS to unwrap the data key, then decrypts the bulk data locally. AWS services like S3, EBS, and RDS all use envelope encryption internally.
Q: How does automatic key rotation in KMS actually work?
A: When automatic rotation is enabled on a symmetric customer-managed key, KMS generates new backing key material on a schedule (365 days by default, configurable 90–2,560 days since 2023). The key's ID, ARN, and key policy remain unchanged, so integrations keep working. Existing ciphertext is not re-encrypted — KMS stores all prior backing material so older ciphertext can still be decrypted. To actually re-encrypt data, you must re-read and re-write it yourself or use a service-level re-encryption feature.
This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS KMS documentation before making production decisions.