What is the AWS Key Management Service, and how does it work?

Adhi Kesavalu
3 min readMar 2, 2022


AWS KMS is a managed service that works with a number of other AWS services. You may use it to generate, store, and control encryption keys in your apps to encrypt your data. KMS gives you more control over who has access to the data you encrypt. The keys are guaranteed to last for 99.99999999999%

Because keys are kept in several AZs within a region, it also enables high availability. CloudTrail is connected with KMS. You can audit what the key was used for, who it was used by, and when it was used, which helps you satisfy compliance and regulatory requirements.

AWS Key Management Service has a few noteworthy features that you should be aware of:

  • Despite the fact that KMS is a worldwide service, keys are regional, which means they can only be sent within the region in which they were produced.
  • How does Amazon Web Services Key Management Service (AWS KMS) ensure the confidentiality and integrity of your keys? HSMs that are FIPS 140–2 certified are used by KMS (Hardware Security Modules).
  • You can restrict who has access to your master keys and data whether you’re creating your own application or utilizing other AWS services.
  • When importing keys into KMS, keep a duplicate of them so you may re-import them at any time.

What is AWS KMS and how does it encrypt your data?

In reality, it doesn’t. The customer master key (CMK), which can encrypt or decode data up to 4096 bytes, is KMS’s most important resource. We have a lot of data, whether it’s S3, EBS, RDS, or anything else. As a result, we won’t be able to employ CMKs for that. As a result, we employ KMS CMK keys to produce, encrypt, and decrypt data keys that are used to encrypt vast volumes of data outside of KMS. The encryption/decryption is performed by these data keys produced by CMKs.

Call the GenerateData key action to create a data key. AWS KMS then generates data keys using the given CMK. It creates one plaintext data key and one encrypted data key, as shown in the diagram below.

Now that the encryption is complete, you must utilise the decrypt procedure to decode the data. AWS KMS decrypts the encrypted data key stored with the data using the client master key. The plaintext key is returned, which is then used to decode the data. The plaintext key is then erased from memory.

Customer Managed CMKs vs. AWS Managed CMKs

When you wish an AWS service to encrypt data on your behalf, you may specify CMK as the key generator, encryptor, or decryptor. These are CMKs that are handled by the client. Essentially, you have complete control over them, including the ability to enable/disable/rotate master keys, define IAM policies to limit who has access to the keys, and provide rights for other users and services to utilize them.

If you don’t provide a CMK and try to establish an encrypted resource within that service for the first time, the AWS Service will construct an AWS managed CMK. In that instance, AWS is in charge of access control and key policies. Even though you don’t have direct control over the keys, CloudTrail can track AWS managed keys and their usage.

Envelope Encryption
CMKs may be used to produce, encrypt, and decrypt data keys, as previously mentioned. Encrypting data with a plaintext data key, then encrypting the plaintext data with another key, a customer master key, is what envelope encryption entails (CMK).