Security, Identity & Compliance | AWS Key Management Service Flashcards

1
Q

What is AWS Key Management Service (KMS)?

General

AWS Key Management Service | Security, Identity & Compliance

A

AWS KMS is a managed encryption service that enables you to easily encrypt your data. AWS KMS provides a highly available key storage, management, and auditing solution for you to encrypt your data across AWS services and within your own applications.

2
Q

Why should I use AWS KMS?

General

A

If you are a developer who needs to encrypt data in your applications, you should use the AWS SDKs with AWS KMS support to easily use and protect encryption keys. If you’re an IT administrator looking for a scalable key management infrastructure to support your developers and their growing number of applications, you should use AWS KMS to reduce your licensing costs and operational burden. If you’re responsible for proving data security for regulatory or compliance purposes, you should use AWS KMS to verify that data is encrypted consistently across the applications where it is used and stored.

3
Q

How do I get started with AWS KMS?

General

A

The easiest way to get started with AWS KMS is to check the box to encrypt your data within supported AWS services and use the default keys that are created in your account for each service. If you want more control over the management of these keys, you can create keys in AWS KMS and assign them to supported AWS services when creating encrypted resources, as well as use them directly within your own applications. AWS KMS can be accessed from the “Encryption Keys” section of the AWS Identity and Access Management (IAM) console for web-based access, and through the AWS KMS Command Line Interface or the AWS Software Development Kit for programmatic access. Visit the Getting Started page to learn more.

4
Q

In what Regions is KMS available?

General

A

Availability is listed on our global Products and Services by Region page.

5
Q

What key management features are available in AWS KMS?

General

A

You can perform the following key management functions in AWS KMS:

Create keys with a unique alias and description

Import your own keys

Define which IAM users and roles can manage keys

Define which IAM users and roles can use keys to encrypt and decrypt data

Choose to have AWS KMS automatically rotate your keys on an annual basis

Temporarily disable keys so they cannot be used by anyone

Re-enable disabled keys

Delete keys that you no longer use

Audit use of keys by inspecting logs in AWS CloudTrail

6
Q

How does AWS KMS work?

General

A

AWS KMS allows you to centrally manage and securely store your keys. You can generate keys in KMS or import them from your own key management infrastructure. These keys can be used from within your applications and supported AWS services to protect your data, but the key itself never leaves AWS KMS. You submit data to AWS KMS to be encrypted or decrypted under keys that you control. You set usage policies on these keys that determine which users can use them to encrypt and decrypt data. All requests to use these keys are logged in AWS CloudTrail so you can understand who used which key, and when.

7
Q

Where is my data encrypted if I use AWS KMS?

General

A

You can use AWS KMS to help encrypt data locally in your own applications or have it encrypted within a supported AWS service. You can use an AWS SDK with AWS KMS support to do the encryption wherever your applications run. You can also request a supported AWS service to encrypt your data as it is being stored. AWS CloudTrail provides access logs to allow you to audit how your keys were used in either situation.

8
Q

Which AWS cloud services are integrated with AWS KMS?

General

A

AWS Key Management Service is seamlessly integrated with several other AWS services to make encrypting data in those services as easy as checking a box and selecting the master key you want to use. See the Product Details page for the list of AWS services currently integrated with KMS. All use of your keys within integrated services appears in AWS CloudTrail logs. See the AWS KMS Developer’s Guide for more information on how integrated services use AWS KMS.

9
Q

How do AWS cloud services use my keys to encrypt data?

General

A

AWS cloud services integrated with AWS KMS use a method called envelope encryption to protect your data. Envelope encryption is an optimized method for encrypting data that uses two different keys. A data key is generated and used by the AWS service to encrypt each piece of data or resource. The data key is encrypted under a master key that you define in AWS KMS. The encrypted data key is then stored by the AWS service alongside the data. When you need your data decrypted by the AWS service, the encrypted data key is passed to AWS KMS and decrypted under the master key it was originally encrypted under, so the service can then decrypt your data.

10
Q

Why use envelope encryption? Why not just send data to AWS KMS to encrypt directly?

General

A

While AWS KMS does support sending data less than 4 KB to be encrypted, envelope encryption can offer significant performance benefits. When you encrypt data directly with KMS it must be transferred over the network. Envelope encryption reduces the network load for your application or AWS cloud service. Only the request and fulfillment of the data key through KMS must go over the network. Since the data key is always stored in encrypted form, it is easy and safe to distribute that key where you need it to go without worrying about it being exposed. Encrypted data keys are sent to AWS KMS and decrypted under master keys to ultimately allow you to decrypt your data. The data key is available directly in your application without having to send the entire block of data to AWS KMS and suffer network latency.
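The envelope-encryption flow described in the two answers above, as an added example that is not code from the original page or from AWS. It is written in Go and runs offline: `LocalKeyService` is a constructed in-memory stand-in for KMS whose `GenerateDataKey` and `Decrypt` methods play the role of the KMS operations of the same names (the real service wraps data keys in its own opaque format, not the AES-GCM used here), and `Envelope`, `EnvelopeEncrypt` and `EnvelopeDecrypt` are the example's own names, not KMS API names. The stand-in counts every byte a caller hands it, which makes the network argument measurable: a 1 MiB payload is encrypted locally with AES-256-GCM, and only the key ID plus a 60-byte wrapped data key ever reach the key service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// LocalKeyService is a constructed in-memory stand-in for KMS, not KMS itself.
// Master keys never leave it; BytesReceived counts every byte callers send it.
type LocalKeyService struct {
	masterKey     map[string][]byte
	BytesReceived int
}

// NewLocalKeyService creates a single 256-bit master key under keyID.
func NewLocalKeyService(keyID string) *LocalKeyService {
	return &LocalKeyService{masterKey: map[string][]byte{keyID: mustRandom(32)}}
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to recover from
	}
	return b
}

// newAEAD builds AES-GCM; it rejects the nil key that an unknown key ID yields.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts with AES-GCM and prepends the random nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, data or tag makes it fail.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// GenerateDataKey returns a fresh 256-bit data key, both in plaintext and
// wrapped under the master key, with the key ID bound as associated data.
func (s *LocalKeyService) GenerateDataKey(keyID string) ([]byte, []byte, error) {
	s.BytesReceived += len(keyID)
	dk := mustRandom(32)
	wrapped, err := gcmSeal(s.masterKey[keyID], dk, []byte(keyID))
	return dk, wrapped, err
}

// Decrypt unwraps a data key that was wrapped under the named master key.
func (s *LocalKeyService) Decrypt(keyID string, encryptedKey []byte) ([]byte, error) {
	s.BytesReceived += len(keyID) + len(encryptedKey)
	return gcmOpen(s.masterKey[keyID], encryptedKey, []byte(keyID))
}

// Envelope is what the application stores; the plaintext data key never is.
type Envelope struct {
	KeyID        string
	EncryptedKey []byte
	Ciphertext   []byte
}

// EnvelopeEncrypt encrypts locally; only the key ID reaches the key service.
func EnvelopeEncrypt(svc *LocalKeyService, keyID string, plaintext []byte) (*Envelope, error) {
	dk, wrapped, err := svc.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dk, plaintext, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KeyID: keyID, EncryptedKey: wrapped, Ciphertext: ct}, nil
}

// EnvelopeDecrypt sends only the wrapped data key out, then decrypts locally.
func EnvelopeDecrypt(svc *LocalKeyService, env *Envelope) ([]byte, error) {
	dk, err := svc.Decrypt(env.KeyID, env.EncryptedKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dk, env.Ciphertext, []byte(env.KeyID))
}
```

Binding the key ID as associated data ties both the wrapped key and the ciphertext to the key they were produced under, so an envelope cannot be quietly re-pointed at a different master key; in KMS the comparable binding is the encryption context you pass with each request. The wrapped data key is 60 bytes (12-byte nonce, 32-byte key, 16-byte tag) no matter how large the payload is, which is the whole point of the answer above.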

11
Q

What’s the difference between a key I create vs. default master keys created for me for use within AWS cloud services?

General

A

You have the option of selecting a specific master key to use when you want an AWS service to encrypt data on your behalf. A default master key specific to each service is created in your account as a convenience the first time you try to create an encrypted resource. This key is managed by AWS KMS, but you can always audit its use in AWS CloudTrail. You can alternatively create a customer master key in AWS KMS that you can then use in your own applications or from within a supported AWS service. AWS will update the policies on default master keys as needed to enable new features in supported services automatically. AWS does not modify policies on keys you create.

12
Q

Why should I create a customer master key?

General

A

Creating a key in AWS KMS gives you more control than you have with default service master keys. When you create a customer master key, you can choose to use key material generated by KMS on your behalf or import your own key material, define an alias and a description, and opt in to have the key automatically rotated once per year if it is backed by key material generated by KMS. You can also define permissions on the key to control who can use and manage it. Management and usage activity related to the key is available for audit in AWS CloudTrail.

13
Q

Can I import keys into KMS?

General

A

Yes. You can import a copy of your key from your own key management infrastructure to KMS and use it with any integrated AWS service or from within your own applications.

14
Q

When would I use an imported key?

General

A

You can use an imported key to get greater control over the creation, lifecycle management, and durability of your key in KMS. Imported keys are designed to help you meet your compliance requirements which may include the ability to generate or maintain a secure copy of the key in your infrastructure, and the ability to delete the imported copy of the key on demand from AWS infrastructure once you no longer need the key.

15
Q

What type of keys can I import?

General

A

You can import 256-bit symmetric keys.

16
Q

How is the key that I import into KMS protected in transit?

General

A

During the import, your key must be wrapped by a KMS-provided public key using one of the two RSA PKCS#1 schemes. This ensures that your encrypted key can only be decrypted by KMS.
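A worked version of that wrapping step, added here as an example; it is not code from the page or from AWS. It runs offline in Go: `NewImportKeyPair` is a constructed stand-in for the service side that issues the wrapping key (KMS generates and keeps the private half; your code only ever sees the public key), and the real import flow also carries an import token alongside the wrapped material and requires you to name the wrapping scheme up front, neither of which is modelled. The example assumes RSAES-OAEP with SHA-256 as the PKCS#1 scheme in use. `WrapKeyMaterial` is the customer-side step and enforces the 256-bit length from the answer above; the stand-in's `UnwrapKeyMaterial` shows why the blob is useless to anyone without the private key and why any alteration in transit is rejected.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ImportParameters is a constructed stand-in for what the service hands you
// before an import: the public half of a wrapping key pair.
type ImportParameters struct {
	WrappingKey *rsa.PublicKey
}

// ServiceSide is the constructed stand-in for KMS. It holds the private half
// of the wrapping key, which in the real service never leaves KMS.
type ServiceSide struct {
	priv *rsa.PrivateKey
}

// NewImportKeyPair plays the service role: it issues a fresh 2048-bit RSA
// wrapping key and returns the public parameters the customer needs.
func NewImportKeyPair() (*ServiceSide, ImportParameters, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, ImportParameters{}, err
	}
	return &ServiceSide{priv: priv}, ImportParameters{WrappingKey: &priv.PublicKey}, nil
}

// WrapKeyMaterial is the customer-side step: it checks the material is exactly
// 256 bits and encrypts it with RSAES-OAEP (SHA-256) under the wrapping key.
// Assumption: OAEP with SHA-256 is the PKCS#1 scheme selected for this import.
func WrapKeyMaterial(p ImportParameters, keyMaterial []byte) ([]byte, error) {
	if len(keyMaterial) != 32 {
		return nil, fmt.Errorf("key material must be 256 bits, got %d", len(keyMaterial)*8)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, p.WrappingKey, keyMaterial, nil)
}

// UnwrapKeyMaterial is the service-side step. Only the holder of the private
// key recovers the material; a wrong key or a modified blob fails the OAEP
// integrity check, and the length is re-validated after unwrapping.
func (s *ServiceSide) UnwrapKeyMaterial(wrapped []byte) ([]byte, error) {
	km, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, nil)
	if err != nil {
		return nil, errors.New("wrapped key material rejected")
	}
	if len(km) != 32 {
		return nil, errors.New("unwrapped material is not 256 bits")
	}
	return km, nil
}
```

Doing the length check before wrapping saves a round trip that the service would reject anyway. If the scheme selected for the import is PKCS#1 v1.5 or OAEP with SHA-1 instead, only the `rsa` calls and the hash change; the shape of the exchange stays the same.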

17
Q

What’s the difference between a key I import vs. a key generated for me by KMS?

General

A

There are two main differences between a key that you import vs. a key created for you by KMS:

You must securely maintain a copy of your imported keys in your key management infrastructure so that you can re-import them at any time. AWS ensures the availability, security, and durability of keys generated by KMS on your behalf until you schedule the keys for deletion.

You may set an expiration period for an imported key so that the imported key material is automatically deleted from KMS after that period. You may also delete imported key material on demand without deleting the underlying customer master key. Further, you can manually disable or delete a customer master key with imported key material at any time. A key generated by KMS can only be disabled or scheduled for deletion; it cannot have an expiration time placed on it.

18
Q

Can I rotate my keys?

General

A

Yes. You can choose to have KMS automatically rotate keys generated by KMS on your behalf every year. Automatic key rotation is not supported for imported keys. If you choose to import keys to KMS, you can manually rotate them whenever you want.

19
Q

Do I have to re-encrypt my data after keys in AWS KMS are rotated?

General

A

If you choose to have KMS automatically rotate keys generated by KMS on your behalf, you don’t have to re-encrypt your data. AWS KMS keeps previous versions of keys to use for decryption of data encrypted under an old version of a key. All new encryption requests against a key in AWS KMS are encrypted under the newest version of the key.

If you manually rotate your keys, you may have to re-encrypt your data depending on your application’s configuration.

20
Q

Can I delete a key from AWS KMS?

General

A

Yes. You can schedule a customer master key and its associated metadata that you created in KMS for deletion, with a configurable waiting period from 7 to 30 days. This waiting period allows you to verify the impact of deleting a key on your applications and users that depend on it. The default waiting period is 30 days. You can cancel the deletion during the waiting period. A key that is scheduled for deletion cannot be used until you cancel the deletion. The key gets deleted at the end of the waiting period if you don’t cancel the deletion. Once a key has been deleted, you can no longer use it, and all data protected under the deleted master key is inaccessible.

For customer master keys with imported key material, you can delete the key material without deleting the customer master key id or metadata in two ways. First, you can delete your imported key material on demand without a waiting period. Second, at the time of importing the key material into the customer master key, you may define an expiration time for how long AWS can use your imported key material before it is deleted. You can re-import your key material into the customer master key if you need to use it again.

21
Q

What should I do if my imported key material has expired or I accidentally deleted it?

General

A

You can re-import your copy of the key material with a valid expiration period to KMS under the original customer master key so it can be used.

22
Q

Can I be alerted that I need to re-import the key?

General

A

Yes. Once you import your key to a customer master key, you will receive an Amazon CloudWatch Metric every few minutes that counts down the time to expiration of the imported key. You will also receive an Amazon CloudWatch Event once the imported key under your customer master key expires. You can build logic that acts on these metrics or events and automatically re-imports the key with a new expiration period to avoid an availability risk.

23
Q

Can I use AWS KMS to help manage encryption of data outside of AWS cloud services?

General

A

Yes. AWS KMS is supported in the AWS SDKs, the AWS Encryption SDK, and the Amazon S3 Encryption Client to facilitate encryption of data within your own applications wherever they run. The AWS SDKs for Java, Ruby, .NET, and PHP support the AWS KMS APIs. Visit the Developing on AWS website for more information.

24
Q

Is there a limit to the number of keys I can create in AWS KMS?

Billing

A

You can create up to 1000 customer master keys per account per region. As both enabled and disabled customer master keys count towards the limit, we recommend deleting disabled keys that you no longer use. Default master keys created on your behalf for use within supported AWS services do not count against this limit. There is no limit to the number of data keys that can be derived using a master key and used in your application or by AWS services to encrypt data on your behalf. You may request a limit increase for customer master keys by visiting the AWS Support Center.

25
Q

How will I be charged and billed for my use of AWS KMS?

Billing

A

With AWS KMS, you pay only for what you use; there is no minimum fee. There are no set-up fees or commitments to begin using the service. At the end of the month, your credit card will automatically be charged for that month’s usage.

You are charged for all customer master keys you create, and for API requests made to the service each month above a free tier.

For current pricing information, please visit the AWS KMS pricing page.

26
Q

Is there a free tier?

Billing

A

Yes. With the AWS Free Usage Tier you can get started with AWS KMS for free in all regions. Default master keys created on your behalf are free to store in your account. There is a free tier for usage as well that provides a free number of requests to AWS KMS each month. For current information on pricing, including the free tier, please visit the AWS KMS pricing page.

27
Q

Do your prices include taxes?

Security

A

Except as otherwise noted, our prices are exclusive of applicable taxes and duties, including VAT and applicable sales tax. For customers with a Japanese billing address, use of AWS services is subject to Japanese Consumption Tax.

28
Q

Who can use and manage my keys in AWS KMS?

Security

A

AWS KMS enforces usage and management policies that you define. You choose to allow AWS Identity and Access Management (IAM) users and roles from your account or other accounts to use and manage your keys.

29
Q

Can AWS employees access my keys in AWS KMS?

Security

A

AWS KMS is designed so that no one has access to your master keys. The service is built on systems that are designed to protect your master keys with extensive hardening techniques such as never storing plaintext master keys on disk, not persisting them in memory, and limiting which systems can connect to the device. All access to update software on the service is controlled by a multi-level approval process that is audited and reviewed by an independent group within Amazon.

More details about these security controls can be found in the AWS KMS Cryptographic Details whitepaper. In addition, you can request a copy of the Service Organization Controls (SOC) report available from AWS Compliance to learn more about security controls AWS uses to protect your data and master keys.

30
Q

Can I use KMS to help me comply with the encryption and key management requirements in the Payment Card Industry Data Security Standard (PCI DSS 3.1)?

Security

A

Yes. KMS has been validated as having the functionality and security controls to help you meet the encryption and key management requirements (primarily referenced in sections 3.5 and 3.6 of the PCI DSS 3.1).

For more details on PCI DSS compliant services in AWS, you can read the PCI DSS FAQs.

31
Q

How does AWS KMS secure the data keys I export and use in my application?

Security

A

You can request that AWS KMS generate data keys that can be returned for use in your own application. The data keys are encrypted under a master key you define in AWS KMS so that you can safely store the encrypted data key along with your encrypted data. Your encrypted data key (and therefore your source data) can only be decrypted by users with permissions to use the original master key used in encrypting the data key.

32
Q

What length of keys does AWS KMS generate?

Security

A

Master keys in AWS KMS are 256 bits in length. Data keys can be generated at 128-bit or 256-bit lengths and are encrypted under a master key you define. AWS KMS also provides the ability to generate random data of any length you define, suitable for cryptographic use.

33
Q

Can I export a master key from AWS KMS and use it in my own applications?

Security

A

No. Master keys are created and used only within AWS KMS to help ensure their security, enable your policies to be consistently enforced, and provide a centralized log of their use.

34
Q

What geographic region are my keys stored in?

Security

A

Keys are only stored and used in the region in which they are created. They cannot be transferred to another region. For example, keys created in the EU-Central (Frankfurt) region are only stored and used within the EU-Central (Frankfurt) region.

35
Q

How can I tell who used or changed the configuration of my keys in AWS KMS?

Security

A

Logs in AWS CloudTrail will show requests on your master keys, including both management requests (e.g. create, rotate, disable, policy edits) and cryptographic requests (e.g. encrypt/decrypt). Turn on AWS CloudTrail in your account to view these logs.
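As an added example of reading those logs (not code from the page or from AWS), the Go program below parses CloudTrail events one JSON record per line, keeps only `kms.amazonaws.com` events, and tallies per key and per principal how many cryptographic requests, management requests, other requests and denied requests each made. It also emits an alert line for every denied request and for the management operations that can make data unreadable or change who may use a key (DisableKey, ScheduleKeyDeletion, PutKeyPolicy, DeleteImportedKeyMaterial). `SampleRecords` is constructed input using the AWS documentation account number 111122223333 and made-up key IDs; the field names follow the CloudTrail record format, but the operation classification is the example's own, not an AWS-provided taxonomy.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// cloudTrailRecord holds just the CloudTrail fields this audit needs.
type cloudTrailRecord struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	ErrorCode    string `json:"errorCode"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	Resources []struct {
		ARN string `json:"ARN"`
	} `json:"resources"`
}

// KMS operation names grouped by effect: "management" changes a key's
// configuration or availability, "crypto" uses it. Anything else is "other".
var opClass = map[string]string{
	"Encrypt": "crypto", "Decrypt": "crypto", "ReEncrypt": "crypto",
	"GenerateDataKey": "crypto", "GenerateDataKeyWithoutPlaintext": "crypto",
	"CreateKey": "management", "PutKeyPolicy": "management",
	"EnableKeyRotation": "management", "DisableKeyRotation": "management",
	"EnableKey": "management", "DisableKey": "management",
	"ScheduleKeyDeletion": "management", "CancelKeyDeletion": "management",
	"ImportKeyMaterial": "management", "DeleteImportedKeyMaterial": "management",
}

// Management operations that can make data unreadable or change who may use
// the key; each occurrence is worth an alert regardless of who performed it.
var highImpactOps = map[string]bool{
	"DisableKey": true, "ScheduleKeyDeletion": true,
	"PutKeyPolicy": true, "DeleteImportedKeyMaterial": true,
}

// Actor identifies one principal acting on one key.
type Actor struct{ KeyARN, Principal string }

// KeyUsage tallies one actor's requests by outcome and kind.
type KeyUsage struct{ Crypto, Management, Other, Denied int }

// Report is the audit result: tallies per actor plus alert lines in input order.
type Report struct {
	Usage  map[Actor]*KeyUsage
	Alerts []string
}

// Summarize parses one CloudTrail event per line and answers "who used or
// changed which key", keeping denied attempts separate from successes.
func Summarize(lines []string) (*Report, error) {
	rep := &Report{Usage: map[Actor]*KeyUsage{}}
	for i, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var rec cloudTrailRecord
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if rec.EventSource != "kms.amazonaws.com" {
			continue // not a KMS event
		}
		a := Actor{KeyARN: "(no key in record)", Principal: rec.UserIdentity.ARN}
		if len(rec.Resources) > 0 {
			a.KeyARN = rec.Resources[0].ARN
		}
		u := rep.Usage[a]
		if u == nil {
			u = &KeyUsage{}
			rep.Usage[a] = u
		}
		switch {
		case rec.ErrorCode != "":
			u.Denied++
			rep.Alerts = append(rep.Alerts, fmt.Sprintf("%s DENIED %s by %s on %s (%s)",
				rec.EventTime, rec.EventName, a.Principal, a.KeyARN, rec.ErrorCode))
		case opClass[rec.EventName] == "crypto":
			u.Crypto++
		case opClass[rec.EventName] == "management":
			u.Management++
			if highImpactOps[rec.EventName] {
				rep.Alerts = append(rep.Alerts, fmt.Sprintf("%s %s by %s on %s",
					rec.EventTime, rec.EventName, a.Principal, a.KeyARN))
			}
		default:
			u.Other++
		}
	}
	return rep, nil
}

// SampleRecords are constructed CloudTrail events, not real log data.
var SampleRecords = []string{
	`{"eventTime":"2016-03-01T10:00:01Z","eventSource":"kms.amazonaws.com","eventName":"GenerateDataKey","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/app-server/i-0123456789abcdef0"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/0000aaaa-0000-4000-8000-000000000001","type":"AWS::KMS::Key"}]}`,
	`{"eventTime":"2016-03-01T10:00:02Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/app-server/i-0123456789abcdef0"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/0000aaaa-0000-4000-8000-000000000001","type":"AWS::KMS::Key"}]}`,
	`{"eventTime":"2016-03-01T10:05:00Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","errorCode":"AccessDenied","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/contractor"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/0000aaaa-0000-4000-8000-000000000001","type":"AWS::KMS::Key"}]}`,
	`{"eventTime":"2016-03-01T11:00:00Z","eventSource":"kms.amazonaws.com","eventName":"DescribeKey","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/key-admin"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/0000aaaa-0000-4000-8000-000000000001","type":"AWS::KMS::Key"}]}`,
	`{"eventTime":"2016-03-01T11:00:30Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/key-admin"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/0000aaaa-0000-4000-8000-000000000001","type":"AWS::KMS::Key"}]}`,
	`{"eventTime":"2016-03-01T11:01:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/key-admin"},"resources":[{"ARN":"arn:aws:s3:::example-bucket/report.csv"}]}`,
}
```

On the sample input the app-server role shows two cryptographic requests, the contractor shows one denied request, and the key administrator shows one management request plus one read-only DescribeKey; the S3 event is ignored. The two alerts are the denied Decrypt and the ScheduleKeyDeletion. The management alerts are the ones to page on: a disabled or deleted master key makes every data key wrapped under it unrecoverable, which is exactly the exposure the deletion waiting period exists to catch.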