Reading35 min read·Module 1High exam weight

AWS KMS (Key Management Service)

Key concepts

  • Customer managed keys (CMKs)

  • AWS managed keys

  • Key policies and grants

  • Envelope encryption

  • Multi-region keys

Overview

AWS Key Management Service (KMS) is a managed service that makes it easy to create and control the cryptographic keys used to protect your data. KMS is integrated with most AWS services and provides centralized key management with full audit capability through CloudTrail.

Understanding KMS is critical for the SAA-C03 exam because it's the foundation for encryption across AWS. You must understand key types, key policies, grants, envelope encryption, and how KMS integrates with other services. This is a high-weight exam topic.

HSM-Based Security

KMS keys never leave AWS KMS unencrypted. All cryptographic operations happen within KMS hardware security modules (HSMs) that are validated under FIPS 140-2.

Exam Tip

Focus on key types (AWS managed vs Customer managed), key policies and grants, envelope encryption, multi-region keys, and cost implications. KMS questions appear frequently across all exam domains.


Key Concepts

KMS Key Types

KMS Key Types
Figure 1: Three types of KMS keys with different management responsibilities

KMS Key Types

There are three types of KMS keys, each with different levels of control and management:

KMS Key Types

Key TypeCreationManagementRotationUse Case
AWS Owned KeysAWS createsAWS managesVariesShared across accounts, free
AWS Managed KeysAWS createsAWS managesAnnual (automatic)Per-service keys (aws/s3, aws/ebs)
Customer Managed KeysYou createYou manageOptional (configurable)Full control, custom policies

AWS Managed Keys

AWS managed keys are created automatically when you first use encryption in an AWS service:

AWS Managed Keys

TEXTAWS Managed Keys
AWS Managed Key Format: aws/service-name

Examples:
├── aws/s3         → Amazon S3 encryption
├── aws/ebs        → EBS volume encryption
├── aws/rds        → RDS database encryption
├── aws/lambda     → Lambda environment variables
├── aws/secretsmanager → Secrets Manager secrets
└── aws/dynamodb   → DynamoDB encryption

Characteristics:
- Created automatically on first use
- Cannot modify key policy
- Cannot share across accounts
- Automatic annual rotation
- No monthly key fee
- Cannot use for client-side encryption

Customer Managed Keys (CMKs)

Customer managed keys provide full control over key lifecycle and access:

Customer Managed Keys

TEXTCustomer Managed Keys
Customer Managed Key Features:

Control:
├── Define key policies
├── Enable/disable keys
├── Set key rotation
├── Create aliases
├── Tag keys
└── Delete keys (with waiting period)

Usage:
├── Encrypt/decrypt data
├── Generate data keys
├── Sign/verify
└── Derive shared secrets (ECDH)

Cross-Account:
├── Share via key policy
├── Use with grants
└── Use in other services

Key Policies

Every KMS key must have a key policy. Key policies are the primary way to control access to KMS keys.

JSONDefault Key Policy
{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM policies",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
Default Key Policy Requirement

The default key policy enables IAM policies. Without this statement, IAM policies granting KMS permissions have no effect.

Key Policy vs IAM Policy

Key Policy vs IAM Policy

AspectKey PolicyIAM Policy
ScopeSingle keyMultiple keys
RequiredYes (every key has one)Optional
Cross-accountRequired for external accessCannot grant cross-account
Principal typesAWS accounts, IAM users/rolesIAM users/roles, services
JSONKey Policy for Cross-Account Access
{
  "Sid": "Allow external account",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::444455556666:root"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*"
}

Grants

Grants provide temporary, scoped permissions to KMS keys without modifying the key policy:

KMS Grants
Figure 2: Grants enable delegation of KMS permissions

KMS Grants

SHCreate and Use KMS Grant
# Create a grant for an EC2 instance role
aws kms create-grant \
  --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
  --grantee-principal arn:aws:iam::111122223333:role/EC2Role \
  --operations Decrypt Encrypt \
  --retiring-principal arn:aws:iam::111122223333:role/AdminRole

# Response includes GrantToken for immediate use
{
  "GrantToken": "AQpAM...",
  "GrantId": "1a2b3c..."
}

Grant Characteristics:

  • Immediate effect (use GrantToken)
  • Eventual consistency (propagates in ~5 minutes)
  • Can be retired or revoked
  • Commonly used by AWS services internally

How It Works

Envelope Encryption

Envelope Encryption
Figure 3: Envelope encryption uses data keys for efficiency
Envelope Encryption

Envelope encryption is how KMS encrypts data larger than 4 KB. A data key encrypts the data, and the KMS key encrypts the data key.

Envelope Encryption Process

TEXTEnvelope Encryption Process
ENCRYPT:
1. Call GenerateDataKey API
   └── KMS returns:
       ├── Plaintext data key (use for encryption)
       └── Encrypted data key (store with data)

2. Encrypt data with plaintext data key (AES-256)

3. Store:
   ├── Encrypted data
   └── Encrypted data key (envelope)

4. Discard plaintext data key from memory

DECRYPT:
1. Retrieve encrypted data key

2. Call Decrypt API
   └── KMS decrypts data key using KMS key

3. Decrypt data with plaintext data key

4. Discard plaintext data key from memory

Why Envelope Encryption?

  • Direct KMS encryption limited to 4 KB
  • Reduces KMS API calls (one per data key, not per block)
  • Enables local encryption/decryption
  • Faster for large data volumes

Data Key Caching

For high-volume encryption, use the AWS Encryption SDK with data key caching:

TEXTData Key Caching Benefits
Without caching:
├── 10,000 encryptions = 10,000 GenerateDataKey calls
├── Latency: ~50ms per call
└── Cost: Higher KMS usage

With caching:
├── 10,000 encryptions = ~10 GenerateDataKey calls
├── Cache reuses data keys (by byte limit or time)
└── Cost: Much lower KMS usage

Cache limits (configurable):
├── Max age: How long to cache key
├── Max bytes: Encrypt up to X bytes
├── Max messages: Encrypt up to X messages
└── Security tradeoff: More reuse = more exposure if key compromised

Multi-Region Keys

KMS Multi-Region Keys
Figure 4: Multi-region keys replicate across regions for DR and low-latency

Multi-Region Keys

Multi-region keys share the same key material across multiple regions:

TEXTMulti-Region Key Structure
Primary Key (us-east-1):
  Key ID: mrk-1234abcd...
  ARN: arn:aws:kms:us-east-1:111122223333:key/mrk-1234...
  Type: Primary

Replica Key (eu-west-1):
  Key ID: mrk-1234abcd...  ← Same key ID!
  ARN: arn:aws:kms:eu-west-1:111122223333:key/mrk-1234...
  Type: Replica

Use Cases:
├── Disaster recovery
├── Global data with local access
├── Signed data verification across regions
└── Low-latency decryption in multiple regions

Key Point: Data encrypted in one region can be decrypted in another

Key Rotation

Automatic Key Rotation

Automatic Key Rotation

TEXTAutomatic Key Rotation
Automatic Rotation (Customer Managed Keys):
├── Period: Every 365 days (configurable 90-2560 days)
├── Creates new key material
├── Retains old key material indefinitely
├── Same key ID and ARN
├── Old data automatically decrypted with old material
└── New data encrypted with new material

AWS Managed Keys:
└── Automatic rotation every ~3 years (varies by service)

Cannot rotate:
├── Imported key material
├── Asymmetric keys
└── Keys in custom key stores (CloudHSM)

Manual Key Rotation

For keys that don't support automatic rotation:

TEXTManual Rotation Strategy
1. Create new KMS key

2. Update alias to point to new key:
   aws kms update-alias \
     --alias-name alias/my-app-key \
     --target-key-id new-key-id

3. Applications using alias automatically use new key

4. Keep old key for decryption of existing data

5. Re-encrypt data when practical (optional)

6. Schedule old key deletion after data migration

Use Cases

Use Case 1: S3 Encryption with Customer Managed Key

Scenario: Company requires using its own keys for S3 encryption with full audit trail.

KMS S3 Encryption
Figure 5: Customer managed key for S3 provides control and audit

Solution:

  • Create customer managed KMS key
  • Configure S3 bucket default encryption with SSE-KMS
  • Enable CloudTrail logging for KMS key usage
  • Audit who decrypted what objects

Use Case 2: Cross-Account Encrypted Data Sharing

Scenario: Production account stores encrypted data; analytics account needs to read it.

Solution:

  1. Create KMS key in production account
  2. Add cross-account access in key policy:
JSONCross-Account Key Policy
{
  "Sid": "AllowAnalyticsAccount",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::ANALYTICS_ACCOUNT:role/DataAnalysisRole"
  },
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
  1. Analytics account role also needs IAM permissions for KMS
  2. Analytics role can now decrypt data from S3

Use Case 3: Encrypt EBS Volumes by Default

Scenario: Compliance requires all EBS volumes encrypted with company-managed keys.

Solution:

  • Create customer managed KMS key for EBS
  • Enable EBS encryption by default at account level
  • Set default KMS key to customer managed key
  • All new volumes automatically encrypted
SHEnable Default EBS Encryption (CLI)
# Enable default encryption
aws ec2 enable-ebs-encryption-by-default

# Set default key (customer managed)
aws ec2 modify-ebs-default-kms-key-id \
  --kms-key-id alias/ebs-default-key

Use Case 4: Disaster Recovery with Multi-Region Keys

Scenario: Application encrypts data in us-east-1; need to decrypt in eu-west-1 for DR.

Solution:

  • Create multi-region primary key in us-east-1
  • Create replica in eu-west-1
  • Replicate encrypted S3 data to eu-west-1
  • DR application can decrypt using regional replica
  • Same key ID works in both regions

Best Practices

Key Management Best Practices

  1. Use aliases for key abstraction

    • Reference keys by alias, not key ID
    • Easier rotation and key replacement
    • Example: alias/production-data-key
  2. Enable automatic rotation for customer managed keys

    • Set appropriate rotation period (365 days default)
    • KMS handles rotation transparently
    • Old data remains decryptable
  3. Use separate keys per environment/application

    • Production vs development keys
    • Blast radius reduction
    • Independent key policies
  4. Implement least privilege in key policies

    • Grant only required actions
    • Use conditions for additional control
    • Separate encrypt and decrypt permissions when possible

Security Best Practices

  1. Enable CloudTrail logging for all KMS operations

    • Track who used keys and when
    • Detect unauthorized access attempts
    • Required for compliance
  2. Use grants for temporary permissions

    • Avoid modifying key policies frequently
    • Time-limited access
    • Easy to revoke
  3. Set key deletion waiting period to maximum (30 days)

    • Recovery time if accidental deletion
    • Review pending deletions regularly
  4. Monitor with CloudWatch

    • Set alarms for unusual API activity
    • Track ThrottlingException errors
    • Monitor key state changes

Cost Optimization

  1. Use AWS managed keys when possible

    • No monthly key fee
    • Suitable for most use cases
  2. Consider data key caching for high volume

    • Reduces GenerateDataKey calls
    • Use AWS Encryption SDK
  3. Clean up unused keys

    • Disabled keys still incur charges
    • Schedule deletion for unneeded keys

Common Exam Scenarios

Exam Scenarios

ScenarioSolutionWhy
S3 data must be encrypted with company-controlled keysCustomer managed KMS key with SSE-KMSFull control and audit
Share encrypted snapshots cross-accountAdd external account to key policyKey policy required for cross-account
Encrypt data larger than 4 KBEnvelope encryption with data keysDirect KMS limited to 4 KB
Need same key in multiple regionsMulti-region keysSingle key replicated
Temporary KMS access for EC2Create KMS grantNo key policy modification needed
Track who decrypted S3 objectsCloudTrail + KMS key loggingAll KMS calls logged
Comply with key rotation requirementsEnable automatic rotationTransparent rotation every 365 days
Application references key by nameUse key aliasAbstraction layer for key ID

Common Pitfalls

Pitfall 1: Key Policy Missing IAM Statement

Mistake: Creating key policy without "Enable IAM policies" statement.

Why it fails: IAM policies have no effect on the key

Correct Approach: Include root account statement to enable IAM integration

Pitfall 2: Cross-Account Access Without Key Policy

Mistake: Trying to use KMS key from another account with only IAM permissions.

Why it fails: Key policy is required for external account access

Correct Approach: Add external account principal to key policy AND grant IAM permissions

Pitfall 3: Assuming All Keys Support Rotation

Mistake: Enabling automatic rotation on imported key material.

Why it fails: Imported keys don't support automatic rotation

Correct Approach: Use manual rotation or use KMS-generated key material

Pitfall 4: Deleting Key with Encrypted Data

Mistake: Immediately deleting KMS key with associated encrypted data.

Why it fails: Data becomes permanently unrecoverable

Correct Approach: Set 30-day waiting period; verify no dependent resources

Pitfall 5: Single Region Key for Multi-Region Data

Mistake: Using single-region key for data that needs cross-region access.

Why it fails: Cross-region data cannot be decrypted

Correct Approach: Use multi-region keys for cross-region scenarios



Quick Reference

KMS Limits

KMS Limits

ResourceDefault Limit
KMS keys per region100,000
Aliases per KMS key50
Grants per KMS key50,000
Key policy size32 KB
Direct encryption size4 KB
Cryptographic operations5,500-30,000/sec (varies by key type)

KMS Pricing

KMS Pricing

ComponentCost
Customer managed keys$1/month
AWS managed keysFREE
Symmetric cryptographic operations$0.03 per 10,000 requests
Asymmetric operations (RSA)$0.03-$0.15 per 10,000
Multi-region key replica$1/month per replica

Key Alias Format

TEXTKey Aliases
Alias Format: alias/key-name

Examples:
├── alias/aws/s3          (AWS managed - cannot create)
├── alias/my-app-key      (Customer managed)
├── alias/production/db   (Hierarchical naming)
└── alias/mrk-replica     (Multi-region)

Rules:
├── Must start with alias/
├── Cannot start with alias/aws/ (reserved)
├── Unique within account and region
└── Can point to only one key

CLI Commands

SHCommon KMS CLI Commands
# Create customer managed key
aws kms create-key \
  --description "My application key" \
  --key-usage ENCRYPT_DECRYPT \
  --key-spec SYMMETRIC_DEFAULT

# Create alias
aws kms create-alias \
  --alias-name alias/my-app-key \
  --target-key-id 1234abcd-12ab-34cd-56ef-1234567890ab

# Enable key rotation
aws kms enable-key-rotation \
  --key-id alias/my-app-key

# Encrypt data (< 4 KB)
aws kms encrypt \
  --key-id alias/my-app-key \
  --plaintext fileb://data.txt \
  --output text --query CiphertextBlob | base64 --decode > encrypted.bin

# Generate data key (for envelope encryption)
aws kms generate-data-key \
  --key-id alias/my-app-key \
  --key-spec AES_256

Test Your Knowledge

Q

A company needs to share encrypted EBS snapshots with a partner account. What is required for the partner to decrypt the snapshots?

AOnly IAM permissions in the partner account
BKey policy must grant access to partner account
CCopy the KMS key to partner account
DExport the KMS key and import in partner account
Q

What is the maximum size of data that can be encrypted directly with a KMS key?

A256 KB
B64 KB
C4 KB
D1 MB
Q

A company requires the same encryption key to be used in us-east-1 and eu-west-1 for disaster recovery. What is the best solution?

ACopy the key manually between regions
BCreate a multi-region key with replica
CUse AWS managed keys (automatically global)
DExport and import key material
Q

Which KMS key type allows you to customize the key policy?

AAWS owned keys
BAWS managed keys
CCustomer managed keys
DAll key types

Further Reading

Related services

KMSCloudHSM