AWS KMS Explained: Features, Functionality, and Best Practices

Introduction

Encryption ensures that data remains secure and accessible only to authorized users. It protects sensitive information, whether at rest or in transit, and helps meet security and compliance requirements. However, managing encryption keys can be complex.

AWS Key Management Service (KMS) simplifies key management. It allows you to create, store, and manage encryption keys securely while integrating with other AWS services.

In this blog, we’ll explain how AWS KMS works, its features, and how it can help you manage encryption effectively.

What is AWS KMS ?

AWS Key Management Service (KMS) is a fully managed service by Amazon Web Services (AWS) that enables businesses to create, manage, and control cryptographic keys used to secure their data. Organizations can leverage AWS KMS to safeguard data in their applications and AWS services. Additionally, the service supports the generation of data keys that can be utilized outside of AWS KMS. It offers the flexibility of creating both symmetric and asymmetric KMS keys for encryption, decryption, and signing operations.

To ensure maximum security, AWS KMS relies on hardware security modules (HSMs) validated under the FIPS 140-2 Cryptographic Module Validation Program (CMVP). This program, a collaboration between the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security, standardizes the use of validated cryptographic modules for federal and enterprise-grade security.

The service also includes an extensive API for creating and managing keys, along with advanced features like custom key stores. All AWS KMS API calls are secured via Transport Layer Security (TLS) and require proper signing.

AWS KMS Features

1. Key Management

Organizations can create KMS keys, which are used for encryption, decryption, signing, and verification. KMS keys can be of two types:

• Symmetric Keys: A single key is used for both encryption and decryption. These are suitable for most encryption tasks and never leave AWS KMS unencrypted.
• Asymmetric Keys: These keys consist of a public and private key pair, enabling advanced cryptographic operations like digital signatures and public key encryption.

By default, AWS KMS generates the key and stores it securely in FIPS 140-2 validated HSMs. These hardware modules ensure the key is never exposed in plaintext outside of AWS KMS, providing high levels of security.

2. Cryptographic Operations

AWS KMS offers a suite of cryptographic operations that go beyond basic encryption and decryption:

• Data Re-encryption: Re-encrypt ciphertexts using updated keys without decrypting the data.
• Message Signing and Verification: Ensure the integrity and authenticity of data using asymmetric keys.
• Generate and Verify HMAC Tags: Use HMAC KMS keys to generate and verify message authentication codes.
• Random Number Generation: Produce random numbers suitable for cryptographic applications.

3. Access Control

AWS KMS integrates deeply with AWS’s identity and access management(IAM) system to enforce strict access controls:

• Key Policies: Define who can use or manage a specific KMS key.
• IAM Policies: Grant permissions to AWS IAM users, roles, or groups to interact with KMS keys.
• Grants: Allow temporary permissions for specific tasks, such as decrypting data in a specific application.

Every API call made to AWS KMS is authenticated and authorized. This layered access control helps organizations adhere to the principle of least privilege.

4. Logging and Monitoring

AWS KMS integrates with AWS CloudTrail, offering detailed logs of every API call made to the service. These logs provide essential information, such as:

• The identity of the user making the request.
• The key used in the operation.
• The action performed (e.g., Encrypt, Decrypt, CreateKey).

This logging capability is invaluable for auditing, compliance, and forensic investigations. Additionally, AWS Config can be used to monitor key configurations and ensure they meet organizational policies.

5. Integration with AWS Services

AWS KMS seamlessly integrates with almost all AWS services, enabling encryption at rest and in transit. Some key integrations include:

• Amazon S3: Encrypt objects in S3 buckets.
• Amazon RDS: Encrypt database instances and snapshots.
• Amazon DynamoDB: Protect sensitive table data.
• AWS Lambda: Secure environment variables and function code.

6. Compliance and Security

AWS KMS meets stringent compliance requirements, making it suitable for use in highly regulated industries. Key compliance certifications include:

• SOC 1, SOC 2, and SOC 3
• PCI DSS
• FedRAMP High
• ISO 27001, 27017, and 27018

The service is also validated under the FIPS 140-2 Cryptographic Module Validation Program, ensuring compliance with government and enterprise-grade encryption standards.

7. Custom Key Stores

AWS KMS supports custom key stores, allowing organizations to create and manage KMS keys in their own AWS CloudHSM cluster. This feature provides:

• Greater control over key.
• The ability to meet stringent regulatory requirements for key storage.
• Enhanced separation of duties between key creation and key usage.

Custom key stores are ideal for organizations with specific compliance requirements or those needing to maintain exclusive control over key.

8. Multi-Region Keys

For global operations or compliance needs, AWS KMS supports multi-Region keys. These keys can be replicated across AWS Regions, allowing:

• Seamless disaster recovery.
• Cross-Region data replication without additional encryption key management.
• Simplified compliance with data residency regulations.

Multi-Region keys maintain the same security properties as single-Region keys and are synchronized for consistent functionality.

Types of KMS Keys

AWS Key Management Service (KMS) supports several types of keys, categorized by ownership and cryptographic function.

Key Types by Ownership

1. Customer Managed Keys

Customer managed keys are fully controlled by you, giving you authority over their lifecycle, usage, and permissions. These keys are ideal for scenarios where security and customization are paramount, such as defining access policies, monitoring usage, or scheduling deletion.

You can use customer managed keys with AWS services to encrypt data stored on your behalf. However, these keys come with a monthly cost for storage and additional charges for operations like encrypting or decrypting data. For more details, visit the AWS Key Management Service Pricing.

2. AWS Managed Keys

AWS managed keys are a legacy key type automatically created and managed by AWS services. These keys are scoped to specific services and accounts, such as an aws/ebs key for encrypting EBS volumes within your account. They offer convenience for users who prefer AWS to handle key management without requiring direct control.

However, as of 2021, AWS managed keys are no longer being created for new AWS services. Instead, AWS is transitioning to AWS owned keys, which offer more flexible encryption by default. While AWS managed keys are free to exist in your account, you are charged for operations performed by AWS services using these keys.

3. AWS Owned Keys

AWS owned keys are the new standard for encryption-by-default workloads. These keys are entirely managed by AWS and reside in an account controlled by the AWS service. This setup allows AWS to manage their lifecycle, permissions, and cross-account or cross-region sharing seamlessly.

AWS owned keys provide automated, transparent encryption of your data with no additional cost to you. However, they have significant limitations: you cannot modify their policies, audit their activities, or delete them. This makes them ideal for scenarios prioritizing simplicity and automation, while customer managed keys remain the best option for use cases that demand strict control.

AWS owned keys represent a shift toward easier and more automated data protection, reducing the need for direct customer involvement in key management. For workloads requiring convenience, AWS owned keys are the recommended choice, while customer managed keys are suited for cases requiring granular control.

Key Types by Cryptographic Function

AWS KMS supports two types of cryptographic keys for different security needs:

Symmetric Keys:

• Use a single key for encryption and decryption.
• Represents a 256-bit encryption key that never leaves AWS KMS unencrypted.
• AWS services that are integrated with AWS KMS (Amazon DynamoDB, Amazon S3, Amazon Relational Database Service, etc.) use symmetric encryption KMS key to encrypt and decrypt data and do not support Asymmetric KMS keys.
• You can import your own key into a symmetric encryption KMS keys and create symmetric KMS keys in custom key stores.

Note that imported key is supported only for symmetric encryption KMS keys.

A symmetric encryption KMS key type is created by default when you call the create-key API without specifying a value for the --key-spec parameter. The --key-spec parameter defines the KMS key specification, allowing you to choose between symmetric and asymmetric key types. This specification determines not only the type of key material in the KMS key but also the encryption algorithms, signing algorithms, or message authentication code (MAC) algorithms that AWS KMS supports for the key

Asymmetric Keys:

Asymmetric keys consist of a public and private key pair and enable advanced cryptographic operations. These keys are ideal for use cases requiring encryption, decryption, signing, verification, or generating shared secrets.

Key Pair Components

• Private Key:
  • The private key is created and securely stored in AWS KMS.
  • It never leaves AWS KMS unencrypted.
  • The private key can only be used through AWS KMS API calls.
• Public Key:
  
  • The public key can be used both within AWS KMS or externally in applications outside AWS.

Types of Asymmetric KMS Keys

AWS KMS supports three types of asymmetric keys to meet different cryptographic needs:‍

1. RSA KMS Keys:
   • Used for encryption and decryption or signing and verification.
   • A single RSA key cannot perform both encryption and signing simultaneously; you must specify its purpose at the time of creation using the --key-spec parameter.
2. Elliptic Curve (ECC) KMS Keys:
   • Used for signing and verification or generating shared secrets.
   • Similar to RSA keys, ECC keys cannot perform both operations simultaneously; a key is dedicated to one purpose.
3. SM2 KMS Keys (China Regions Only):
   • Used for encryption and decryption, signing and verification, or deriving shared secrets.
   • Like the other types, SM2 keys must be configured for a specific purpose upon creation.

AWS KMS Keys Rotation

AWS KMS provides automatic rotation for customer managed keys with AWS-generated symmetric material, including on-demand rotation. Manual rotation is available for key types that don't support automation, like asymmetric or imported keys.

1. Automatic Key Rotation

AWS KMS automatically rotates the key based on a predefined schedule. By default, the rotation period is set to 365 days, but users can enable or disable this feature as needed. This hands-free approach ensures consistent security practices without manual intervention.

Key Details:

• Automatically generates new keys on the next rotation date.
• Older versions of key are retained and used to decrypt previously encrypted data, ensuring compatibility.

2. On-Demand Key Rotation

On-demand rotation allows customers to initiate key rotation at any time, providing immediate control over the process. This feature is particularly useful in scenarios such as:

• Compromised key.
• A change in security requirements.
• Periodic security audits or regulatory compliance.

Key Details:

• The new key is generated and activated immediately upon the on-demand rotation request.
• Like scheduled rotations, previous key versions are retained for decrypting older ciphertexts.
• Available only for customer managed keys with AWS-generated symmetric key.

To use on-demand rotation:

• Call the RotateKey API or use the AWS Management Console.
• Ensure automatic rotation is already enabled for the key.

3. Manual Key Rotation

Manual rotation is applicable for key types that do not support automatic rotation, including:

• Asymmetric KMS keys.
• HMAC KMS keys.
• KMS keys in custom key stores.
• KMS keys with imported key.

With manual rotation, you create a new key, update your applications to use the new key, and securely retire the old key.

Key Rotation for Customer Managed Keys

AWS KMS provides flexible options for rotating customer managed keys, allowing organizations to enable or disable automatic key rotation based on their requirements. By default, automatic key rotation ensures that key is updated every 365 days, enhancing security while reducing manual effort. You can re-enable or adjust the rotation schedule anytime, resetting the next rotation date accordingly.

Example Rotation Scenario:

• A key created on January 1, 2022, with automatic rotation enabled on March 15, 2022, will rotate on March 15, 2023, and every year thereafter.

Special Scenarios:

• Disabling Rotation: If automatic rotation is turned off, the existing key remains active. Upon reactivation, AWS KMS schedules the next rotation based on the enablement date.
• Disabled Keys: Key rotation pauses for disabled keys. If re-enabled after a missed rotation date, AWS KMS immediately rotates the material or resumes the original schedule.
• Pending Deletion: Keys pending deletion do not rotate. If deletion is canceled, rotation resumes based on the prior schedule or occurs immediately if overdue.

Key Rotation for AWS Managed and AWS Owned Keys

• AWS Managed Keys: Automatically rotated annually. As of May 2022, AWS updated the schedule from three years to one year, ensuring stronger key lifecycle management.
• AWS Owned Keys: Rotation is fully handled by the AWS service that created the key, with no user-configurable options. The rotation schedule is dictated by the service’s specific requirements.

Key Management and Usage

AWS KMS retains all key versions for customer managed keys until the key is deleted, ensuring seamless access to historical data. Rotated key material is automatically selected during encryption or decryption operations, removing the need for manual version management.

Rotation Period and Customization

By default, AWS KMS rotates keys every 365 days, but you can customize this interval using the RotationPeriodInDays parameter. Any changes to rotation settings reset the schedule and affect subsequent rotation dates.

Special Scenarios

• Disabled Rotation: Reactivation adjusts the rotation timeline.
• Disabled Keys: Rotation resumes or triggers immediately when re-enabled.
• Pending Deletion: Resuming canceled deletion reinstates the previous rotation status.

AWS KMS vs AWS Secrets Manager

AWS Key Management Service (KMS) and AWS Secrets Manager are both essential tools for securing sensitive information, but their roles are often misunderstood. KMS is designed for managing encryption keys, while Secrets Manager focuses on securely storing and rotating secrets like passwords and API keys. Their overlapping functionality and close integration can make it easy to confuse their purposes.

How They Differ

1. Purpose:
   • AWS KMS: Manages encryption keys used across AWS services and applications.
   • AWS Secrets Manager: Stores, retrieves, and rotates sensitive information such as database credentials and API keys.
2. Data Encryption:
   • AWS KMS: Directly encrypts and decrypts data using managed keys.
   • AWS Secrets Manager: Uses KMS keys to generate 256-bit AES data keys for encrypting secret values. The plaintext data key encrypts the secret outside AWS KMS, and an encrypted copy of the data key is stored with the secret metadata.
3. Rotation:
   • AWS KMS: Automatically or manually rotates encryption keys for customer managed keys.
   • AWS Secrets Manager: Automates secret rotation with Lambda functions, ensuring application credentials stay up to date.
4. Integration:
   • AWS KMS: Used directly by services like S3, DynamoDB, and RDS to encrypt data at rest.
   • AWS Secrets Manager: Simplifies secret access for applications and services while securing sensitive data.

How They Work Together

Secrets Manager relies on AWS KMS for envelope encryption. When a secret value changes, Secrets Manager requests a new data key from KMS. The data key encrypts the secret value, and its encrypted version is stored in the secret metadata. This layered approach ensures both the key and secret remain secure.

When to Use Each

• Use AWS KMS for managing encryption keys and securing data at rest.
• Use AWS Secrets Manager for storing, retrieving, and rotating application secrets.

AWS KMS Pricing

AWS Key Management Service (KMS) provides flexible and straightforward pricing, with charges based on key creation, storage, API usage, and optional features like key rotation. Here’s everything you need to know:

1. Key Creation and Storage Costs

• Each customer managed KMS key costs $1/month (prorated hourly). This applies to:
  • Symmetric keys
  • Asymmetric keys
  • HMAC keys
  • Multi-Region keys (both primary and replica)
  • Keys with imported key material
  • Keys managed through AWS CloudHSM or external key stores (XKS)
• AWS managed keys and AWS owned keys are free to create and store, but charges may apply for API calls made with these keys if the free tier limits are exceeded.

2. Key Rotation Costs

• For automatic or on-demand rotation:
  • The first two rotations add $1/month per rotation (prorated hourly).
  • No additional charges apply for subsequent rotations.

3. API Request Costs

The cost of API requests varies by the operation type:

• $0.03 per 10,000 requests for most operations, including those involving RSA 2048 keys.
• $0.10 per 10,000 requests for ECC GenerateDataKeyPair operations.
• $0.15 per 10,000 requests for asymmetric operations (except RSA 2048).
• $12.00 per 10,000 requests for RSA GenerateDataKeyPair operations.

Note: Charges apply even for AWS managed keys when you make API calls using these keys.

4. Using AWS CloudHSM or External Key Store (XKS)

If you use AWS CloudHSM or an external key manager:

• You pay $1/month per key (prorated hourly).
• Additional AWS CloudHSM charges apply.

5. Free Tier

AWS KMS offers a free tier of 20,000 API requests per month, available across all supported Regions.

Exclusions:

• The free tier does not cover requests involving asymmetric KMS key operations like GenerateDataKeyPair or GetPublicKey.

6. Special Cases

• Keys Scheduled for Deletion: No charges apply during the deletion waiting period. If deletion is canceled, charges resume as if the key was never scheduled for deletion.
• Data Keys: There’s no monthly charge for data keys or data key pairs generated by AWS KMS, apart from the API request cost.

AWS KMS Best Practices

AWS Key Management Service (KMS) plays a vital role in safeguarding your data through the creation and management of cryptographic keys. To maximize security, ensure compliance, and streamline operations, adopting best practices for encryption and key management is essential. Here's a guide to help you make the most of AWS KMS:

Key Types in AWS KMS

AWS KMS supports three key types, each serving specific use cases:

1. Customer Managed Keys: Fully controlled by you, allowing granular access control and customization.
2. AWS Managed Keys: Automatically created and managed by AWS services in your account.
3. AWS Owned Keys: Managed entirely by AWS services for use across multiple accounts.

For maximum control, customer managed keys are preferred, as they offer advanced features such as key rotation, tagging, and alias management.

Key Policies and Access Control

Key policies are the cornerstone of KMS security. They define who can access and manage your KMS keys. Follow these principles to secure your keys effectively:

• Least Privilege: Grant only the permissions required. Avoid using overly broad permissions like kms:* in IAM or key policies.
• Separation of Duties: Separate roles for administrators (who create or delete keys) and users (who encrypt or decrypt data).
• Restrict Permissions: Use condition keys such as kms:ViaService to limit key usage to specific AWS services.
• Multi-Region Keys: Define region-specific policies to replicate and manage keys only where necessary, such as for compliance or disaster recovery.

Monitoring and Logging

• CloudTrail Logs: Enable AWS CloudTrail to log all AWS KMS API calls, recording key events such as usage, updates, or deletions. Include event attributes like the source IP address and requester.
• Event Notifications: Set up notifications for critical actions (e.g., key creation, policy updates, or key material import). Use automated responses, like Lambda functions, to handle unauthorized actions or potential incidents.
• AWS Config Rules: Implement rules like iam-customer-policy-blocked-kms-actions to detect and block unauthorized access to decryption actions.

Compliance and Organizational Security

• Service Control Policies (SCPs): Use SCPs in AWS Organizations to block unauthorized deletion of keys and enforce organizational security standards.
• Encryption Context: Avoid including sensitive information in the encryption context, as it’s stored in plaintext in CloudTrail logs.

Additional Best Practices

1. Grant Management: Use grants to provide temporary permissions for specific tasks. Avoid combining permissions for multiple related keys in a single grant.
2. Key Rotation: Regularly rotate keys to reduce exposure. Automate this process for customer managed keys to simplify management.
3. Multi-Region Keys: Restrict permissions to replicate keys only into required Regions and limit usage to essential tasks.

Conclusion

AWS Key Management Service (KMS) stands out as a robust and secure solution for managing cryptographic keys across your AWS environment. By simplifying encryption through features like automatic and on-demand key rotation, tight integration with AWS services, and compliance with industry standards, AWS KMS enables organizations to protect their data with ease and efficiency.

Whether you need symmetric or asymmetric encryption, automated key rotation, or advanced access controls, AWS KMS delivers a comprehensive suite of tools to meet diverse security and compliance needs. Its seamless integration with AWS services like S3, RDS, and DynamoDB ensures secure data encryption at scale, while audit capabilities through CloudTrail provide the transparency needed for regulatory adherence.

By leveraging AWS KMS, organizations can ensure their encryption strategies are not only robust but also manageable, freeing up resources to focus on core business objectives.