Data encryption is a fundamental pillar of cloud security. AWS Key Management Service (KMS) provides a centralised, managed service for creating, managing, and controlling encryption keys used to protect your data across AWS services.
AWS KMS is a fully managed service that makes it easy to create and manage cryptographic keys used to encrypt data. KMS integrates with dozens of AWS services — including S3, EBS, RDS, Lambda, and Secrets Manager — so you can encrypt your data with a few clicks or lines of code.
KMS handles the operational side of key management: key creation, optional automatic rotation, access control, and auditing (every API call against a key is recorded in AWS CloudTrail). The key material lives in hardware security modules validated under FIPS 140-2 and, more recently, FIPS 140-3.
A KMS key (formerly called a Customer Master Key or CMK) is the primary resource in KMS. It is a logical representation of a cryptographic key: metadata such as the key ID, ARN, policy and rotation settings, backed by key material that never leaves the KMS HSMs unencrypted. You never hold that material yourself; you ask KMS to use it on your behalf through API calls such as Encrypt, Decrypt and GenerateDataKey.
There are three types of KMS keys:
| Type | Created By | Managed By | Use Case |
|---|---|---|---|
| AWS managed keys | AWS | AWS | Default encryption for AWS services (e.g., aws/s3, aws/ebs) |
| Customer managed keys | You | You | Full control over key policy, rotation, and lifecycle |
| AWS owned keys | AWS | AWS | Used internally by AWS services — you do not see or manage them |
KMS also generates data keys: symmetric keys that encrypt your actual data, while the KMS key itself only ever encrypts (wraps) those data keys. This two-level scheme is called envelope encryption. A single GenerateDataKey call returns two things: a plaintext data key and a copy of the same key encrypted under the KMS key. You encrypt your data locally with the plaintext key, store the encrypted data key alongside the ciphertext, and discard the plaintext key as soon as you are done with it.
To decrypt, you send the encrypted data key back to KMS, which returns the plaintext data key. You then use it to decrypt your data, and discard it again.
This approach means KMS never needs to handle your actual data, only the (small) keys, and one KMS call covers an object of any size.
Envelope encryption is the standard pattern for encrypting data with KMS. The Encrypt API itself accepts at most 4 KB of plaintext, so anything larger (and anything you would rather not send across the network at all) is encrypted locally under a data key. Here is the flow:
┌─────────────┐       GenerateDataKey        ┌─────────┐
│  Your App   │ ───────────────────────────→ │   KMS   │
│             │ ←─────────────────────────── │         │
│             │   plaintext data key +       └─────────┘
│             │   encrypted data key
│             │
│  Encrypt data with the plaintext key
│  Store encrypted data + encrypted data key
│  Discard the plaintext key
└─────────────┘

┌─────────────┐     Decrypt(encrypted key)   ┌─────────┐
│  Your App   │ ───────────────────────────→ │   KMS   │
│             │ ←─────────────────────────── │         │
│             │   plaintext data key         └─────────┘
│             │
│  Decrypt data with the plaintext key
│  Discard the plaintext key
└─────────────┘
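The flow above, as an added example in Go (not code from the lesson or from AWS). The envelope pattern is written against a small DataKeyClient interface: in production the AWS SDK's KMS client satisfies it, and here a hypothetical in-memory fakeKMS satisfies it so the code runs offline with no AWS account. The fake, the key alias alias/app-data and the sample record are constructed for the example; what the real service does when it wraps a data key is approximated by AES-GCM under a key the fake never exposes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DataKeyClient is the slice of the KMS API that envelope encryption needs. In production
// the AWS SDK kms client provides GenerateDataKey and Decrypt; the hypothetical fakeKMS
// below provides them so this example runs offline.
type DataKeyClient interface {
	GenerateDataKey(keyID string) (plaintextKey, encryptedKey []byte, err error)
	Decrypt(keyID string, encryptedKey []byte) ([]byte, error)
}

// fakeKMS stands in for the service: its one "KMS key" is a random AES-256 key that never
// leaves the struct, and the "encrypted key" it returns is the data key wrapped with AES-GCM
// under it, with the key ID as associated data, so a mismatched key ID fails to decrypt just
// as it would against the real service.
type fakeKMS struct{ master []byte }

func newFakeKMS() *fakeKMS { return &fakeKMS{master: randomBytes(32)} }

func (f *fakeKMS) GenerateDataKey(keyID string) ([]byte, []byte, error) {
	dataKey := randomBytes(32) // the equivalent of KeySpec AES_256
	return dataKey, gcmSeal(f.master, dataKey, []byte(keyID)), nil
}

func (f *fakeKMS) Decrypt(keyID string, encryptedKey []byte) ([]byte, error) {
	return gcmOpen(f.master, encryptedKey, []byte(keyID))
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length fails; every key here is 32 bytes
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// gcmSeal returns nonce || ciphertext || tag; gcmOpen reverses it and verifies the tag.
func gcmSeal(key, plaintext, aad []byte) []byte {
	g := newGCM(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	g := newGCM(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Envelope is what gets stored: ciphertext plus the wrapped data key, never the plaintext key.
type Envelope struct {
	KeyID        string
	EncryptedKey []byte
	Ciphertext   []byte
}

// EnvelopeEncrypt: one GenerateDataKey call, local AES-GCM, then discard the plaintext key.
func EnvelopeEncrypt(client DataKeyClient, keyID string, plaintext []byte) (*Envelope, error) {
	dataKey, wrapped, err := client.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	defer zero(dataKey)
	// The wrapped key as AAD ties each ciphertext to the data key it was encrypted with.
	return &Envelope{KeyID: keyID, EncryptedKey: wrapped, Ciphertext: gcmSeal(dataKey, plaintext, wrapped)}, nil
}

// EnvelopeDecrypt: one Decrypt call to unwrap the data key, then local AES-GCM.
func EnvelopeDecrypt(client DataKeyClient, env *Envelope) ([]byte, error) {
	dataKey, err := client.Decrypt(env.KeyID, env.EncryptedKey)
	if err != nil {
		return nil, err
	}
	defer zero(dataKey)
	return gcmOpen(dataKey, env.Ciphertext, env.EncryptedKey)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	client := newFakeKMS()
	env, err := EnvelopeEncrypt(client, "alias/app-data", []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	pt, err := EnvelopeDecrypt(client, env)
	fmt.Printf("wrapped key %d bytes, recovered %q (err=%v)\n", len(env.EncryptedKey), pt, err)
}
```

Against the real service, GenerateDataKey takes KeyId and KeySpec=AES_256 and returns Plaintext plus CiphertextBlob, and Decrypt takes the CiphertextBlob back; EnvelopeEncrypt and EnvelopeDecrypt do not change, only the client behind the interface does. Note that the plaintext data key is zeroed in a defer on both paths and is never part of the Envelope.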
Every KMS key has exactly one key policy, a resource-based policy attached to the key that controls who can use and manage it. Unlike most AWS resources, a KMS key grants nothing implicitly: IAM identity policies in the account only take effect if the key policy delegates to them, which the default key policy does with a statement allowing kms:* to the account principal arn:aws:iam::111122223333:root (the account ID is an example). If you write a key policy that omits that statement and names no other principal, nobody can use or administer the key, not even the root user, and short of an AWS Support case the key is unmanageable.
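To make that concrete, here is an added example in Go (not part of the lesson) that audits a key policy document for the account delegation statement and for the two broadest mistakes: an unconditioned "*" principal, and kms:* handed to a principal other than the account root. The two policies, the account ID 111122223333, the role name app-role and the statement IDs are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample policies for a hypothetical account 111122223333. goodPolicy has the
// shape of the default key policy plus one least-privilege user statement; badPolicy
// contains the three problems the audit reports.
const goodPolicy = `{"Version": "2012-10-17", "Statement": [
  {"Sid": "EnableIAMPoliciesInThisAccount", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
  {"Sid": "AllowAppRoleToUseTheKey", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
   "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"}
]}`

const badPolicy = `{"Version": "2012-10-17", "Statement": [
  {"Sid": "AnyoneCanDecrypt", "Effect": "Allow",
   "Principal": "*", "Action": "kms:Decrypt", "Resource": "*"},
  {"Sid": "AppRoleIsKeyAdmin", "Effect": "Allow",
   "Principal": {"AWS": ["arn:aws:iam::111122223333:role/app-role"]}, "Action": "kms:*", "Resource": "*"}
]}`

type statement struct {
	Sid       string
	Effect    string
	Principal json.RawMessage
	Action    json.RawMessage
	Condition json.RawMessage
}

// strs accepts the IAM "string or list of strings" form and returns nil for anything else.
func strs(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		return many
	}
	return nil
}

// principals flattens "*" or {"AWS": ..., "Service": ...} into a list of principal strings.
func principals(raw json.RawMessage) []string {
	if p := strs(raw); p != nil {
		return p
	}
	var obj map[string]json.RawMessage
	if json.Unmarshal(raw, &obj) != nil {
		return nil
	}
	var out []string
	for _, v := range obj {
		out = append(out, strs(v)...)
	}
	return out
}

// AuditKeyPolicy returns one finding per problem. An empty result means the policy delegates
// to IAM for the given account and grants nothing broader than that to anyone else.
func AuditKeyPolicy(policyJSON, accountID string) ([]string, error) {
	var policy struct{ Statement []statement }
	if err := json.Unmarshal([]byte(policyJSON), &policy); err != nil {
		return nil, err
	}
	root := "arn:aws:iam::" + accountID + ":root"
	findings := []string{}
	rootDelegation := false
	for _, st := range policy.Statement {
		if st.Effect != "Allow" {
			continue
		}
		actions := strs(st.Action)
		allActions := false
		for _, a := range actions {
			if a == "kms:*" || a == "*" {
				allActions = true
			}
		}
		for _, who := range principals(st.Principal) {
			switch {
			case who == root && allActions:
				rootDelegation = true // the statement that lets IAM policies in the account work
			case who == "*" && len(st.Condition) == 0:
				findings = append(findings, fmt.Sprintf("%s: allows any AWS principal (%s) with no Condition", st.Sid, strings.Join(actions, ",")))
			case who != root && allActions:
				findings = append(findings, fmt.Sprintf("%s: grants kms:* to %s, full administration as well as use", st.Sid, who))
			}
		}
	}
	if !rootDelegation {
		findings = append(findings, "no statement grants kms:* to "+root+": IAM policies in this account cannot grant access to this key")
	}
	return findings, nil
}

func main() {
	for name, p := range map[string]string{"goodPolicy": goodPolicy, "badPolicy": badPolicy} {
		findings, err := AuditKeyPolicy(p, "111122223333")
		fmt.Printf("%s: %d finding(s) %v (err=%v)\n", name, len(findings), findings, err)
	}
}
```

A "*" principal is only flagged when the statement carries no Condition, because a cross-account grant scoped with a condition key such as kms:CallerAccount is a legitimate pattern; the check errs on the side of not hiding an unconditioned one.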