📖 What is AWS Key Management Service (KMS)?
AWS Key Management Service (KMS) is a managed service that facilitates the creation and control of cryptographic keys used for encrypting data. It supports symmetric and asymmetric encryption, allowing you to generate, store, and manage keys used with other AWS services and your applications.
"A critical exam topic. Understand the difference between AWS managed keys (automatic rotation, simpler) and customer managed keys (full control, custom rotation policies). Know how KMS integrates with services like S3, EBS, and RDS for encryption at rest. Distinguish KMS from CloudHSM."
📚 Certification: AWS Certified Cloud Practitioner (CLF-C02)
🔑 What are the Key Concepts of AWS Key Management Service (KMS)?
- ▸ KMS customer managed keys (CMKs) offer granular control over key policies, rotation schedules, and usage, unlike AWS managed keys.
- ▸ KMS integrates with numerous AWS services like S3, EBS, RDS, and Lambda to enable encryption at rest and in transit.
- ▸ Key policies define permissions for who can use a CMK, controlling access based on AWS accounts, IAM users, and roles.
- ▸ KMS supports both symmetric (single key for encryption/decryption) and asymmetric (key pair: public/private) encryption.
- ▸ Key rotation is a security best practice; KMS automatically rotates AWS managed keys, while CMKs can be configured for custom rotation.
🎯 How does AWS Key Management Service (KMS) appear on the CLF-C02 Exam?
You may be asked to identify the AWS service best suited for centrally managing encryption keys used across multiple AWS accounts and regions.
A scenario might describe a requirement to encrypt EBS volumes at rest – determine which KMS feature or integration would fulfill this need.
Expect questions about choosing between AWS managed keys and customer managed keys based on compliance requirements and control needs.
❓ Frequently Asked Questions
When would I choose a customer managed key over an AWS managed key?
Choose CMKs when you need full control over the key lifecycle, including rotation policies, key material import, and detailed access control through key policies, often for compliance reasons.
What is the difference between KMS and CloudHSM?
KMS is a managed service where AWS manages the key material and hardware. CloudHSM allows you to control the HSM hardware and import your own keys, offering greater isolation but more operational overhead.
Can I use KMS keys to encrypt data outside of AWS?
While KMS primarily encrypts data within AWS, you can use the KMS API to encrypt data locally and then send the encrypted data to AWS. However, decryption must occur within AWS.