
2021-10-14

AWS Key Management Service (KMS)

AWS, Amazon Web Services

Easily create and control the keys to encrypt or digitally sign your data.

AWS Key Management Service (KMS) makes it easy to create and manage cryptographic keys and control their use across a wide range of AWS services and your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2 or are in the process of being validated to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

Fully managed

You control access to your encrypted data by defining permissions to use keys, while AWS KMS enforces your permissions and handles your keys’ durability and physical security.

Centralized key management

AWS KMS presents a single control point to manage keys and define policies consistently across integrated AWS services and your applications. You can create, import, rotate and delete keys, and define the permissions that govern them, from the AWS Management Console or by using the AWS SDK or CLI.

Manage encryption for AWS services.

AWS KMS is integrated with AWS services to simplify using your keys to encrypt data across your AWS workloads. You choose the level of access control you need, including sharing encrypted resources between accounts and services. KMS logs all use of keys to AWS CloudTrail to give you an independent view of who accessed your encrypted data, including AWS services using them on your behalf.
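The permission model described in the three sections above (key policies that KMS enforces, a single control point, sharing with other accounts) is easiest to see in a concrete key policy. The block below is an added example and not AWS's own code: it builds a least-privilege policy that separates key administrators from key users, limits the application role to calls made through S3 with the kms:ViaService condition, shares decrypt rights with a second account, and then lints the result for the two mistakes that most often expose a key. The account IDs 111111111111 and 222222222222, the role names KeyAdmins and OrderService, and the Region are hypothetical; the actions and condition keys are real KMS ones, but the lint is a simplified check, not IAM's policy evaluator.

```python
"""Added example (not AWS's own code): a least-privilege KMS key policy
and a small linter for the mistakes that matter most.

Assumptions, all hypothetical: account 111111111111 owns the key, account
222222222222 consumes it, roles KeyAdmins and OrderService exist, and the
key is used only through S3 in us-east-1. The actions and condition keys
are real KMS ones; the lint is a simplified check, not IAM's evaluator."""
import fnmatch
import json
from typing import Dict, List, Tuple

# Management verbs that should never be granted outside the owning account.
SENSITIVE_ACTIONS = ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion",
                     "kms:DisableKey", "kms:CreateGrant"]


def build_key_policy(owner: str, admin_role: str, app_role: str,
                     consumer: str, region: str = "us-east-1") -> Dict:
    """Return a key policy that separates administration from use."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Standard first statement: lets IAM policies in the owning
                # account grant access; without it the key can become unmanageable.
                "Sid": "EnableIAMUserPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Key administrators manage the key but get no Encrypt/Decrypt.
                "Sid": "AllowKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner}:role/{admin_role}"},
                "Action": ["kms:Describe*", "kms:Enable*", "kms:Disable*", "kms:List*",
                           "kms:Put*", "kms:Update*", "kms:Get*", "kms:Revoke*",
                           "kms:TagResource", "kms:UntagResource",
                           "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
                "Resource": "*",
            },
            {   # The application may use the key only through S3 in one Region.
                "Sid": "AllowUseViaS3",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner}:role/{app_role}"},
                "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                           "kms:GenerateDataKey*", "kms:DescribeKey"],
                "Resource": "*",
                "Condition": {"StringEquals": {"kms:ViaService": f"s3.{region}.amazonaws.com"}},
            },
            {   # Cross-account sharing: trust the other account's root; that
                # account's own IAM policies then pick which principals may decrypt.
                "Sid": "AllowCrossAccountDecrypt",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{consumer}:root"},
                "Action": ["kms:Decrypt", "kms:DescribeKey"],
                "Resource": "*",
            },
        ],
    }


def _principals(stmt: Dict) -> List[str]:
    """Normalise the Principal element to a list of ARNs (or ["*"])."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def _account(arn: str):
    # arn:aws:iam::ACCOUNT:role/Name -> ACCOUNT; "*" or malformed values give None
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else None


def lint_key_policy(policy: Dict, owner: str) -> List[Tuple[str, str]]:
    """Return (Sid, problem) pairs for Allow statements that expose the key."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        for arn in _principals(stmt):
            if arn == "*":
                if "Condition" not in stmt:
                    findings.append((stmt.get("Sid"), "anonymous principal with no Condition"))
                continue
            acct = _account(arn)
            if acct and acct != owner:
                leaked = [a for a in SENSITIVE_ACTIONS
                          if any(fnmatch.fnmatchcase(a, pat) for pat in actions)]
                if leaked:
                    findings.append((stmt.get("Sid"), f"account {acct} granted {', '.join(leaked)}"))
    return findings


if __name__ == "__main__":
    policy = build_key_policy("111111111111", "KeyAdmins", "OrderService", "222222222222")
    print(json.dumps(policy, indent=2))
    print("findings:", lint_key_policy(policy, "111111111111"))
```

The cross-account statement only trusts the other account; a principal there still needs an IAM policy in its own account that allows kms:Decrypt on this key's ARN. Running the block prints the policy and an empty findings list; `lint_key_policy` flags any statement that adds an anonymous principal without a Condition or hands management actions such as kms:PutKeyPolicy to a foreign account.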

Encrypt data in your applications

AWS KMS is integrated with the AWS Encryption SDK, so you can use KMS-protected data encryption keys to encrypt locally within your applications. Using simple APIs, you can also build encryption and key management into your applications wherever they run.

Digitally sign data

AWS KMS enables you to perform digital signing operations using asymmetric key pairs to ensure the integrity of your data. Recipients of digitally signed data can verify the signatures whether they have an AWS account or not.

Low cost

There is no commitment and no upfront charges to use AWS KMS. You only pay US $1/month to store any key that you create. AWS-managed keys created on your behalf by AWS services are free to keep. You are charged per request when you use or manage your keys beyond the free tier.

Secure

AWS KMS uses hardware security modules (HSMs) that have been validated under FIPS 140-2, or are in the process of being validated, to generate and protect keys. Your keys are used only inside these devices and never leave them unencrypted. A KMS key never leaves the AWS Region in which it was created; the one explicit exception is a multi-Region key, which is replicated only to the Regions you choose.

Compliance

The security and quality controls in AWS KMS have been certified under multiple compliance schemes to simplify your compliance obligations. Where you need single-tenant hardware, AWS KMS can keep your keys in a custom key store backed by an AWS CloudHSM cluster that you control.

Built-in auditing

AWS KMS is integrated with AWS CloudTrail to record every API request, including key management actions and use of your keys. These logs help you manage risk, meet compliance requirements and conduct forensic analysis.
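Built-in auditing only pays off if the trail is actually read. As an added example, not AWS's or CloudTrail's own code, the block below triages a small, constructed CloudTrail log written in the real record format: it attributes calls that an AWS service makes on a principal's behalf (the userIdentity.invokedBy field) to that principal, and raises an alert for key-management actions such as ScheduleKeyDeletion, for AccessDenied errors, and for cryptographic use of the key by any principal outside an allowlist. The account IDs, key ID, role and user names in the sample records are hypothetical.

```python
"""Added example (not AWS's or CloudTrail's own code): triage of KMS
CloudTrail events. SAMPLE_CLOUDTRAIL below is constructed to match the
CloudTrail record format; its account IDs, key ID, role and user names
are hypothetical."""
import json
from typing import List, NamedTuple, Set

SAMPLE_CLOUDTRAIL = r'''{"Records": [
 {"eventTime": "2021-10-14T09:12:01Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "awsRegion": "us-east-1", "sourceIPAddress": "s3.amazonaws.com",
  "userIdentity": {"type": "AssumedRole", "accountId": "111111111111", "invokedBy": "s3.amazonaws.com",
                   "arn": "arn:aws:sts::111111111111:assumed-role/OrderService/i-0abc123"},
  "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::orders-bucket/2021/10/14/order.json"},
                        "encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
  "resources": [{"type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
 {"eventTime": "2021-10-14T09:13:44Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
  "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "userName": "contractor",
                   "arn": "arn:aws:iam::111111111111:user/contractor"},
  "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
  "resources": [{"type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
 {"eventTime": "2021-10-14T09:20:05Z", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
  "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "AssumedRole", "accountId": "111111111111",
                   "arn": "arn:aws:sts::111111111111:assumed-role/KeyAdmins/alice"},
  "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "pendingWindowInDays": 7},
  "resources": [{"type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
 {"eventTime": "2021-10-14T09:21:30Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
  "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.77", "errorCode": "AccessDenied",
  "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                   "arn": "arn:aws:sts::222222222222:assumed-role/Analytics/batch"},
  "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
  "resources": [{"type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]}
]}'''

# Key-management actions that always deserve a ticket, and the cryptographic
# operations whose callers should match an allowlist.
MANAGEMENT_EVENTS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy", "CreateGrant",
                     "DisableKeyRotation", "DeleteAlias", "DeleteImportedKeyMaterial"}
USAGE_EVENTS = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
                "GenerateDataKeyWithoutPlaintext", "Sign", "Verify"}


class Alert(NamedTuple):
    kind: str        # "denied", "key-management" or "unexpected-use"
    event: str
    principal: str   # normalised, e.g. "role/OrderService" or "user/contractor"
    key: str
    detail: str


def principal_name(arn: str) -> str:
    """Collapse an STS assumed-role session ARN to role/<Name>; leave others as-is."""
    tail = arn.split(":")[-1]             # "assumed-role/OrderService/i-0abc123"
    parts = tail.split("/")
    if parts[0] == "assumed-role" and len(parts) > 1:
        return "role/" + parts[1]
    return tail                            # "user/contractor", "root"


def triage_kms_events(log_text: str, allowed_users: Set[str]) -> List[Alert]:
    """Flag failed calls, key-management actions, and key use by any principal
    not in allowed_users. A call an AWS service made on a principal's behalf is
    attributed to that principal; the service is recorded in the alert detail."""
    alerts: List[Alert] = []
    for ev in json.loads(log_text)["Records"]:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        name = ev["eventName"]
        ident = ev.get("userIdentity", {})
        who = principal_name(ident.get("arn", "unknown"))
        key = (ev.get("resources") or [{}])[0].get("ARN", "?")
        via = ident.get("invokedBy", "direct API call")
        if ev.get("errorCode"):
            alerts.append(Alert("denied", name, who, key, ev["errorCode"]))
        elif name in MANAGEMENT_EVENTS:
            alerts.append(Alert("key-management", name, who, key,
                                json.dumps(ev.get("requestParameters", {}), sort_keys=True)))
        elif name in USAGE_EVENTS and who not in allowed_users:
            ctx = ev.get("requestParameters", {}).get("encryptionContext", {})
            alerts.append(Alert("unexpected-use", name, who, key,
                                f"via {via}; encryptionContext={ctx or 'none'}"))
    return alerts


if __name__ == "__main__":
    for a in triage_kms_events(SAMPLE_CLOUDTRAIL, {"role/OrderService"}):
        print(f"[{a.kind}] {a.event} by {a.principal} on {a.key}: {a.detail}")
```

With only role/OrderService on the allowlist the sample yields three alerts: the contractor user decrypting directly rather than through S3, the administrator scheduling the key for deletion (a seven-day pending window, so there is time to cancel), and a denied Decrypt from the other account. The S3-invoked Decrypt is silent because it carries the expected principal and an encryption context naming the object; in a real deployment that context is what lets you tie a Decrypt event back to a specific piece of data.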