Learning AWS Day by Day — Day 62 — AWS Key Management Service

Exploring AWS !!

Day 62

AWS Key Management Service

Helps you create and manage the cryptographic keys that protect your data.
KMS uses hardware security modules (HSMs) to protect and validate your keys.
Integrates with the other AWS services that encrypt your data.
Integrates with CloudTrail to log every use of a key, which helps meet compliance needs.
The AWS KMS APIs let you create and manage keys, use features such as custom key stores, and use KMS keys in cryptographic operations.

You can create and manage your keys: create, edit or view symmetric and asymmetric keys.
Control access to these keys using key policies and grants. ABAC (Attribute-Based Access Control) is supported.
Tags can be attached to your keys for identification, as well as for automation and cost tracking.
Enable or disable keys.
Enable or disable automatic key rotation.
Delete keys.

You can use keys for cryptographic operations: encrypt, decrypt or re-encrypt data using these keys.
Sign and verify messages using asymmetric keys.
Generate exportable data keys and data key pairs.
Generate random numbers for cryptographic applications.
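The exportable data keys listed above are what make envelope encryption work: KMS returns a fresh data key both in plaintext and wrapped under the KMS key, the application encrypts its data locally and stores only the wrapped key beside the ciphertext, and every later unwrap is a KMS Decrypt call that is checked against the key policy and logged in CloudTrail. The example below is added here and is not code from the post; it assumes a constructed FakeKMS in place of the boto3 kms client (same generate_data_key/decrypt call shape), a constructed key alias, and a stdlib-only encrypt-then-MAC cipher standing in for AES-GCM so that it runs offline.

```python
import hmac, hashlib, secrets

class FakeKMS:
    """Stand-in for a boto3 'kms' client (constructed for this example, not real KMS)."""
    def __init__(self):
        self._vault = {}  # CiphertextBlob -> (KeyId, plaintext); real KMS wraps under the KMS key
    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        plaintext = secrets.token_bytes(32)
        blob = secrets.token_bytes(16)   # opaque to the caller, like a real CiphertextBlob
        self._vault[blob] = (KeyId, plaintext)
        return {"Plaintext": plaintext, "CiphertextBlob": blob, "KeyId": KeyId}
    def decrypt(self, CiphertextBlob):
        key_id, plaintext = self._vault[CiphertextBlob]  # KeyError stands in for InvalidCiphertextException
        return {"Plaintext": plaintext, "KeyId": key_id}

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: stdlib-only stand-in for an AES-GCM keystream."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_envelope(kms, key_id, data):
    """Ask KMS for a fresh data key, encrypt locally, keep only the wrapped key."""
    dk = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256")
    enc_key, mac_key = dk["Plaintext"][:16], dk["Plaintext"][16:]
    nonce = secrets.token_bytes(16)
    ct = _xor(data, _keystream(enc_key, nonce, len(data)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    # dk["Plaintext"] is dropped here; the stored record carries only the KMS-wrapped key
    return {"wrapped_key": dk["CiphertextBlob"], "nonce": nonce, "ct": ct, "tag": tag}

def decrypt_envelope(kms, env):
    """Unwrap the data key through KMS (policy-checked, CloudTrail-logged), then decrypt."""
    pt_key = kms.decrypt(CiphertextBlob=env["wrapped_key"])["Plaintext"]
    enc_key, mac_key = pt_key[:16], pt_key[16:]
    expected = hmac.new(mac_key, env["nonce"] + env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):   # verify before decrypting
        raise ValueError("integrity check failed: tampered ciphertext or wrong key")
    return _xor(env["ct"], _keystream(enc_key, env["nonce"], len(env["ct"])))

if __name__ == "__main__":
    kms = FakeKMS()
    env = encrypt_envelope(kms, "alias/demo-key", b"customer record")  # constructed alias
    print(decrypt_envelope(kms, env))
```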

Advanced features: create multi-Region keys.
Import your own cryptographic key material into KMS keys.
Create KMS keys in a CloudHSM key store backed by a CloudHSM cluster.
Create KMS keys in an external key store backed by cryptographic keys held outside of AWS.
Connect to KMS directly through private (VPC) endpoints.

Using AWS KMS gives you more control over your encrypted data. The key management and cryptographic features can be used directly within your applications. Whether you write your data inside AWS or outside of it, the KMS keys control who can access that data.
KMS integrates with CloudTrail, a logging service, so that every use of a key can be audited.

Customer keys vs AWS keys

Feature                         Customer managed keys   AWS managed keys      AWS owned keys
Can view KMS key metadata       Yes                     Yes                   No
Can manage KMS keys             Yes                     No                    No
Used only for your AWS account  Yes                     Yes                   No
Automatic rotation              Optional                Required, every year  Varies
Monthly fee                     Yes (pro-rated hourly)  No                    No
Per-use fee                     Yes                     Yes                   No