Amazon Key Management Service Features

Amazon Key Management Service (KMS) gives you centralized control over the encryption keys used to protect your data. Master keys are created as resources in your own account and are used to control access to data encryption keys that encrypt and decrypt your data. You can create new master keys, and easily control who can use or manage them. Amazon KMS is integrated with other Amazon Web Services services making it easy to encrypt data you store in those services and control access to the keys that can decrypt it.

You can manage your master keys from the Amazon Web Services Management Console or by using the Amazon SDK or Amazon Command Line Interface (CLI). Amazon KMS is integrated with Amazon CloudTrail, which provides you the ability to audit who used which keys, on which resources, and when. Amazon KMS also enables developers to easily add encryption functionality to their application code either directly through encrypt and decrypt APIs or through its integration with the Amazon Web Services Encryption SDK.

Amazon KMS is designed so that no one, including the service operators, can retrieve plaintext master keys from the service. The service uses government-approved hardware security modules (HSMs) to protect the confidentiality and integrity of your keys. Your KMS master keys are never transmitted outside of the Amazon Web Services region in which they were created and can only be used within that region.

To help ensure that your keys are never lost and that your data is always retrievable, KMS stores multiple copies of encrypted versions of your keys in systems that are designed for 99.999999999% durability.

Amazon KMS is designed to be a highly available service by using a redundant architecture spanning multiple availability zones in each region. As most Amazon Web Services services rely on Amazon KMS for their ability to encrypt and decrypt customer data, KMS is architected to provide the necessary level of availability to support the rest of Amazon Web Services and is backed by the Amazon KMS Service Level Agreement.

Start with a single master key and add more as you need them. With Amazon KMS you can create and manage as many master keys as you need, and you can request an unlimited number of data keys for use in your local applications. We support high request rates at low latency to satisfy your workloads within and outside Amazon Web Services.

You can choose to have Amazon KMS automatically rotate your master keys once per year without the need to re-encrypt data that was already encrypted. After rotating keys, KMS automatically saves older versions of your key material so that you can decrypt previously encrypted data.

The following Amazon services are integrated with Amazon KMS. These services use Amazon KMS customer master keys (CMKs) in your account to protect the data that the service receives, stores, or manages for you. Each service lets you choose a CMK that you create and manage, or a CMK that the service creates and manages on your behalf.

If you have Amazon CloudTrail enabled for your Amazon Web Services account, each request you make to Amazon KMS is recorded in a log file that is delivered to the Amazon S3 bucket that you specified when you enabled Amazon CloudTrail. The information recorded includes details of the user, time, date, API action and, when relevant, the key used.

Amazon KMS provides you the capability to create and use asymmetric CMKs and data key pairs. You can designate a CMK for use as a signing key pair or an encryption key pair. Key pair generation and asymmetric cryptographic operations using these CMKs are performed inside HSMs. You can request the public portion of the asymmetric CMK for use in your local applications, while the private portion never leaves the service.

You can also request the service to generate an asymmetric data key pair. This operation returns a plaintext copy of the public key and private key as well as a copy of the private key encrypted under a symmetric CMK that you specify. You can use the plaintext public or private key in your local application and store the encrypted copy of the private key for future use.