AWS KMS (Key Management Service)
Key concepts
Customer managed keys (CMKs)
AWS managed keys
Key policies and grants
Envelope encryption
Multi-region keys
Overview
AWS Key Management Service (KMS) is a managed service that makes it easy to create and control the cryptographic keys used to protect your data. KMS is integrated with most AWS services and provides centralized key management with full audit capability through CloudTrail.
Understanding KMS is critical for the SAA-C03 exam because it's the foundation for encryption across AWS. You must understand key types, key policies, grants, envelope encryption, and how KMS integrates with other services. This is a high-weight exam topic.
HSM-Based Security
KMS keys never leave AWS KMS unencrypted. All cryptographic operations happen within KMS hardware security modules (HSMs) that are validated under FIPS 140-2.
Focus on key types (AWS managed vs Customer managed), key policies and grants, envelope encryption, multi-region keys, and cost implications. KMS questions appear frequently across all exam domains.
Key Concepts
KMS Key Types

KMS Key Types
There are three types of KMS keys, each with different levels of control and management:
KMS Key Types
| Key Type | Creation | Management | Rotation | Use Case |
|---|---|---|---|---|
| AWS Owned Keys | AWS creates | AWS manages | Varies | Shared across accounts, free |
| AWS Managed Keys | AWS creates | AWS manages | Annual (automatic) | Per-service keys (aws/s3, aws/ebs) |
| Customer Managed Keys | You create | You manage | Optional (configurable) | Full control, custom policies |
AWS Managed Keys
AWS managed keys are created automatically when you first use encryption in an AWS service:
AWS Managed Keys
AWS Managed Key Format: aws/service-name
Examples:
├── aws/s3 → Amazon S3 encryption
├── aws/ebs → EBS volume encryption
├── aws/rds → RDS database encryption
├── aws/lambda → Lambda environment variables
├── aws/secretsmanager → Secrets Manager secrets
└── aws/dynamodb → DynamoDB encryption
Characteristics:
- Created automatically on first use
- Cannot modify key policy
- Cannot share across accounts
- Automatic annual rotation
- No monthly key fee
- Cannot use for client-side encryptionCustomer Managed Keys (CMKs)
Customer managed keys provide full control over key lifecycle and access:
Customer Managed Keys
Customer Managed Key Features:
Control:
├── Define key policies
├── Enable/disable keys
├── Set key rotation
├── Create aliases
├── Tag keys
└── Delete keys (with waiting period)
Usage:
├── Encrypt/decrypt data
├── Generate data keys
├── Sign/verify
└── Derive shared secrets (ECDH)
Cross-Account:
├── Share via key policy
├── Use with grants
└── Use in other servicesKey Policies
Every KMS key must have a key policy. Key policies are the primary way to control access to KMS keys.
{
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM policies",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "kms:*",
"Resource": "*"
}
]
}Default Key Policy Requirement
The default key policy enables IAM policies. Without this statement, IAM policies granting KMS permissions have no effect.
Key Policy vs IAM Policy
Key Policy vs IAM Policy
| Aspect | Key Policy | IAM Policy |
|---|---|---|
| Scope | Single key | Multiple keys |
| Required | Yes (every key has one) | Optional |
| Cross-account | Required for external access | Cannot grant cross-account |
| Principal types | AWS accounts, IAM users/roles | IAM users/roles, services |
{
"Sid": "Allow external account",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::444455556666:root"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource": "*"
}Grants
Grants provide temporary, scoped permissions to KMS keys without modifying the key policy:

KMS Grants
# Create a grant for an EC2 instance role
aws kms create-grant \
--key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
--grantee-principal arn:aws:iam::111122223333:role/EC2Role \
--operations Decrypt Encrypt \
--retiring-principal arn:aws:iam::111122223333:role/AdminRole
# Response includes GrantToken for immediate use
{
"GrantToken": "AQpAM...",
"GrantId": "1a2b3c..."
}Grant Characteristics:
- Immediate effect (use GrantToken)
- Eventual consistency (propagates in ~5 minutes)
- Can be retired or revoked
- Commonly used by AWS services internally
How It Works
Envelope Encryption

Envelope Encryption
Envelope encryption is how KMS encrypts data larger than 4 KB. A data key encrypts the data, and the KMS key encrypts the data key.
Envelope Encryption Process
ENCRYPT:
1. Call GenerateDataKey API
└── KMS returns:
├── Plaintext data key (use for encryption)
└── Encrypted data key (store with data)
2. Encrypt data with plaintext data key (AES-256)
3. Store:
├── Encrypted data
└── Encrypted data key (envelope)
4. Discard plaintext data key from memory
DECRYPT:
1. Retrieve encrypted data key
2. Call Decrypt API
└── KMS decrypts data key using KMS key
3. Decrypt data with plaintext data key
4. Discard plaintext data key from memoryWhy Envelope Encryption?
- Direct KMS encryption limited to 4 KB
- Reduces KMS API calls (one per data key, not per block)
- Enables local encryption/decryption
- Faster for large data volumes
Data Key Caching
For high-volume encryption, use the AWS Encryption SDK with data key caching:
Without caching:
├── 10,000 encryptions = 10,000 GenerateDataKey calls
├── Latency: ~50ms per call
└── Cost: Higher KMS usage
With caching:
├── 10,000 encryptions = ~10 GenerateDataKey calls
├── Cache reuses data keys (by byte limit or time)
└── Cost: Much lower KMS usage
Cache limits (configurable):
├── Max age: How long to cache key
├── Max bytes: Encrypt up to X bytes
├── Max messages: Encrypt up to X messages
└── Security tradeoff: More reuse = more exposure if key compromisedMulti-Region Keys

Multi-Region Keys
Multi-region keys share the same key material across multiple regions:
Primary Key (us-east-1):
Key ID: mrk-1234abcd...
ARN: arn:aws:kms:us-east-1:111122223333:key/mrk-1234...
Type: Primary
Replica Key (eu-west-1):
Key ID: mrk-1234abcd... ← Same key ID!
ARN: arn:aws:kms:eu-west-1:111122223333:key/mrk-1234...
Type: Replica
Use Cases:
├── Disaster recovery
├── Global data with local access
├── Signed data verification across regions
└── Low-latency decryption in multiple regions
Key Point: Data encrypted in one region can be decrypted in anotherKey Rotation
Automatic Key Rotation
Automatic Key Rotation
Automatic Rotation (Customer Managed Keys):
├── Period: Every 365 days (configurable 90-2560 days)
├── Creates new key material
├── Retains old key material indefinitely
├── Same key ID and ARN
├── Old data automatically decrypted with old material
└── New data encrypted with new material
AWS Managed Keys:
└── Automatic rotation every ~3 years (varies by service)
Cannot rotate:
├── Imported key material
├── Asymmetric keys
└── Keys in custom key stores (CloudHSM)Manual Key Rotation
For keys that don't support automatic rotation:
1. Create new KMS key
2. Update alias to point to new key:
aws kms update-alias \
--alias-name alias/my-app-key \
--target-key-id new-key-id
3. Applications using alias automatically use new key
4. Keep old key for decryption of existing data
5. Re-encrypt data when practical (optional)
6. Schedule old key deletion after data migrationUse Cases
Use Case 1: S3 Encryption with Customer Managed Key
Scenario: Company requires using its own keys for S3 encryption with full audit trail.

Solution:
- Create customer managed KMS key
- Configure S3 bucket default encryption with SSE-KMS
- Enable CloudTrail logging for KMS key usage
- Audit who decrypted what objects
Use Case 2: Cross-Account Encrypted Data Sharing
Scenario: Production account stores encrypted data; analytics account needs to read it.
Solution:
- Create KMS key in production account
- Add cross-account access in key policy:
{
"Sid": "AllowAnalyticsAccount",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ANALYTICS_ACCOUNT:role/DataAnalysisRole"
},
"Action": [
"kms:Decrypt",
"kms:DescribeKey"
],
"Resource": "*"
}- Analytics account role also needs IAM permissions for KMS
- Analytics role can now decrypt data from S3
Use Case 3: Encrypt EBS Volumes by Default
Scenario: Compliance requires all EBS volumes encrypted with company-managed keys.
Solution:
- Create customer managed KMS key for EBS
- Enable EBS encryption by default at account level
- Set default KMS key to customer managed key
- All new volumes automatically encrypted
# Enable default encryption
aws ec2 enable-ebs-encryption-by-default
# Set default key (customer managed)
aws ec2 modify-ebs-default-kms-key-id \
--kms-key-id alias/ebs-default-keyUse Case 4: Disaster Recovery with Multi-Region Keys
Scenario: Application encrypts data in us-east-1; need to decrypt in eu-west-1 for DR.
Solution:
- Create multi-region primary key in us-east-1
- Create replica in eu-west-1
- Replicate encrypted S3 data to eu-west-1
- DR application can decrypt using regional replica
- Same key ID works in both regions
Best Practices
Key Management Best Practices
-
Use aliases for key abstraction
- Reference keys by alias, not key ID
- Easier rotation and key replacement
- Example:
alias/production-data-key
-
Enable automatic rotation for customer managed keys
- Set appropriate rotation period (365 days default)
- KMS handles rotation transparently
- Old data remains decryptable
-
Use separate keys per environment/application
- Production vs development keys
- Blast radius reduction
- Independent key policies
-
Implement least privilege in key policies
- Grant only required actions
- Use conditions for additional control
- Separate encrypt and decrypt permissions when possible
Security Best Practices
-
Enable CloudTrail logging for all KMS operations
- Track who used keys and when
- Detect unauthorized access attempts
- Required for compliance
-
Use grants for temporary permissions
- Avoid modifying key policies frequently
- Time-limited access
- Easy to revoke
-
Set key deletion waiting period to maximum (30 days)
- Recovery time if accidental deletion
- Review pending deletions regularly
-
Monitor with CloudWatch
- Set alarms for unusual API activity
- Track ThrottlingException errors
- Monitor key state changes
Cost Optimization
-
Use AWS managed keys when possible
- No monthly key fee
- Suitable for most use cases
-
Consider data key caching for high volume
- Reduces GenerateDataKey calls
- Use AWS Encryption SDK
-
Clean up unused keys
- Disabled keys still incur charges
- Schedule deletion for unneeded keys
Common Exam Scenarios
Exam Scenarios
| Scenario | Solution | Why |
|---|---|---|
| S3 data must be encrypted with company-controlled keys | Customer managed KMS key with SSE-KMS | Full control and audit |
| Share encrypted snapshots cross-account | Add external account to key policy | Key policy required for cross-account |
| Encrypt data larger than 4 KB | Envelope encryption with data keys | Direct KMS limited to 4 KB |
| Need same key in multiple regions | Multi-region keys | Single key replicated |
| Temporary KMS access for EC2 | Create KMS grant | No key policy modification needed |
| Track who decrypted S3 objects | CloudTrail + KMS key logging | All KMS calls logged |
| Comply with key rotation requirements | Enable automatic rotation | Transparent rotation every 365 days |
| Application references key by name | Use key alias | Abstraction layer for key ID |
Common Pitfalls
Pitfall 1: Key Policy Missing IAM Statement
Mistake: Creating key policy without "Enable IAM policies" statement.
Why it fails: IAM policies have no effect on the key
Correct Approach: Include root account statement to enable IAM integration
Pitfall 2: Cross-Account Access Without Key Policy
Mistake: Trying to use KMS key from another account with only IAM permissions.
Why it fails: Key policy is required for external account access
Correct Approach: Add external account principal to key policy AND grant IAM permissions
Pitfall 3: Assuming All Keys Support Rotation
Mistake: Enabling automatic rotation on imported key material.
Why it fails: Imported keys don't support automatic rotation
Correct Approach: Use manual rotation or use KMS-generated key material
Pitfall 4: Deleting Key with Encrypted Data
Mistake: Immediately deleting KMS key with associated encrypted data.
Why it fails: Data becomes permanently unrecoverable
Correct Approach: Set 30-day waiting period; verify no dependent resources
Pitfall 5: Single Region Key for Multi-Region Data
Mistake: Using single-region key for data that needs cross-region access.
Why it fails: Cross-region data cannot be decrypted
Correct Approach: Use multi-region keys for cross-region scenarios
Related Services
Quick Reference
KMS Limits
KMS Limits
| Resource | Default Limit |
|---|---|
| KMS keys per region | 100,000 |
| Aliases per KMS key | 50 |
| Grants per KMS key | 50,000 |
| Key policy size | 32 KB |
| Direct encryption size | 4 KB |
| Cryptographic operations | 5,500-30,000/sec (varies by key type) |
KMS Pricing
KMS Pricing
| Component | Cost |
|---|---|
| Customer managed keys | $1/month |
| AWS managed keys | FREE |
| Symmetric cryptographic operations | $0.03 per 10,000 requests |
| Asymmetric operations (RSA) | $0.03-$0.15 per 10,000 |
| Multi-region key replica | $1/month per replica |
Key Alias Format
Alias Format: alias/key-name
Examples:
├── alias/aws/s3 (AWS managed - cannot create)
├── alias/my-app-key (Customer managed)
├── alias/production/db (Hierarchical naming)
└── alias/mrk-replica (Multi-region)
Rules:
├── Must start with alias/
├── Cannot start with alias/aws/ (reserved)
├── Unique within account and region
└── Can point to only one keyCLI Commands
# Create customer managed key
aws kms create-key \
--description "My application key" \
--key-usage ENCRYPT_DECRYPT \
--key-spec SYMMETRIC_DEFAULT
# Create alias
aws kms create-alias \
--alias-name alias/my-app-key \
--target-key-id 1234abcd-12ab-34cd-56ef-1234567890ab
# Enable key rotation
aws kms enable-key-rotation \
--key-id alias/my-app-key
# Encrypt data (< 4 KB)
aws kms encrypt \
--key-id alias/my-app-key \
--plaintext fileb://data.txt \
--output text --query CiphertextBlob | base64 --decode > encrypted.bin
# Generate data key (for envelope encryption)
aws kms generate-data-key \
--key-id alias/my-app-key \
--key-spec AES_256Test Your Knowledge
A company needs to share encrypted EBS snapshots with a partner account. What is required for the partner to decrypt the snapshots?
What is the maximum size of data that can be encrypted directly with a KMS key?
A company requires the same encryption key to be used in us-east-1 and eu-west-1 for disaster recovery. What is the best solution?
Which KMS key type allows you to customize the key policy?