AWS KMS: Key Management Service
TL;DR
AWS KMS is a managed encryption key service. It handles the undifferentiated heavy lifting of key management: creation, rotation, storage in hardware security modules, and access control. KMS integrates with 100+ AWS services for transparent encryption at rest. You pay $1/month per customer managed key plus API calls. The catch: request quotas (per account per Region, shared across all keys, starting at 5,500 req/s in most Regions), key policy complexity, and irreversible deletion. For most use cases, use AWS managed keys (no monthly key fee). For compliance, use customer managed keys (CMKs) with a key policy you control and CloudTrail audit logs.
What Is It?
KMS creates, stores and uses encryption keys inside FIPS-validated hardware security modules. Key material never leaves KMS in plaintext, every operation is authorized by the key's policy, and every call is logged to CloudTrail. Applications either encrypt small payloads (up to 4 KB) directly with the Encrypt API or ask KMS for a data key and encrypt larger data locally (envelope encryption).
Key Types
| Type | Cost | Use Case |
|---|---|---|
| AWS managed (`aws/<service>`) | No monthly fee | Default encryption for an AWS service; key policy and yearly rotation are fixed by AWS |
| Customer managed | $1/month | Compliance and control: your key policy, your rotation schedule, your deletion decisions |
| Customer managed with imported key material (BYOK) | $1/month | Bring your own key material; you keep the original copy and must re-import before it expires |
| Custom key store | $1/month + CloudHSM cluster (or an external key manager) | Key material held in your own FIPS 140-2 Level 3 CloudHSM cluster, or outside AWS entirely |
Architecture
┌─────────────────────────────────────────────────────────────┐
│ KMS Encryption Flow │
│ │
│ Application │
│ │ │
│ ├──→ KMS GenerateDataKey │
│ │ └── Returns: Plaintext key + Encrypted key │
│ │ │
│ ├──→ Encrypt data with plaintext key │
│ │ │
│ └──→ Store encrypted key + encrypted data │
│ │
│ Plaintext data key lives only in memory; only the encrypted copy is stored │
└─────────────────────────────────────────────────────────────┘
Pricing
| Component | Price |
|---|---|
| Customer managed key | $1/month per key, prorated hourly |
| API requests | $0.03 per 10,000 symmetric requests (first 20,000 requests per month free); asymmetric and HMAC operations are priced higher |
| AWS managed keys | No monthly key fee; API requests made on your behalf are still metered |
GCP Alternative: Cloud KMS
| Feature | AWS KMS | GCP Cloud KMS |
|---|---|---|
| Key types | AWS managed, customer managed, imported material, custom key store | Software, HSM, external (Cloud EKM) protection levels |
| HSM support | CloudHSM via custom key store (default keys also live in KMS HSMs) | Cloud HSM protection level |
| Key pricing | $1/key/month (customer managed) | $0.06/key version/month (software); $1.00+/key version/month (HSM) |
| API pricing | $0.03/10k symmetric requests | $0.03/10k operations on software keys |
| Auto-rotation | Optional; period 90 to 2560 days (default 365) | Optional; any period, console default 90 days |
Real-World Use Cases
Use Case 1: S3 Encryption
```python
import boto3

s3 = boto3.client('s3')
data = b'hello, kms'  # constructed payload for the example

# Server-side encryption with KMS (SSE-KMS). S3 calls GenerateDataKey on the
# caller's behalf, so the caller needs kms:GenerateDataKey on the key to
# write and kms:Decrypt to read the object back.
s3.put_object(
    Bucket='my-bucket',
    Key='file.txt',
    Body=data,
    ServerSideEncryption='aws:kms',
    SSEKMSKeyId='alias/my-key',  # alias, key ID or key ARN
    BucketKeyEnabled=True,       # S3 Bucket Key: far fewer KMS requests than one per object
)
```
Use Case 2: Database Encryption
RDS PostgreSQL
├── Storage encrypted with KMS
├── Automated backups and snapshots encrypted with the same key
└── Read replicas encrypted
Encryption is chosen when the instance is created and cannot be switched on in place afterwards; an existing unencrypted instance is migrated by copying a snapshot with a KMS key and restoring from that copy.
The Catch
1. Throttling
- Cryptographic request quotas are per account per Region and shared across every key in that Region: 5,500, 10,000 or 50,000 symmetric requests/second depending on the Region; asymmetric and HMAC operations have much lower quotas
- Use envelope encryption and cache data keys (the AWS Encryption SDK does this for you) so one GenerateDataKey call covers many messages; S3 Bucket Keys do the same for SSE-KMS
- Request a quota increase through Service Quotas if caching is not enough
2. Key Policy Complexity
Every customer managed key has a key policy, and it is the authoritative resource policy:
- IAM policies only take effect if the key policy delegates to the account (the default policy grants kms:* to the account root principal); without that statement an IAM Allow is ignored
- Separate who administers the key (PutKeyPolicy, EnableKeyRotation, ScheduleKeyDeletion) from who uses it (Encrypt, Decrypt, GenerateDataKey*); a single statement with kms:* gives one principal both
- Cross-account access needs both a key policy statement naming the other account and an IAM policy in that account granting the key's ARN
3. Deletion Risk
- Deletion is scheduled with a 7 to 30 day waiting period (default 30) during which CancelKeyDeletion reverses it; once it completes the key material is gone and everything encrypted under the key is unrecoverable
- Prefer DisableKey to deletion: it blocks every cryptographic operation and is reversible
- Aliases let you point callers at a replacement key without code changes, but they do nothing to stop deletion; guard ScheduleKeyDeletion with a Deny in an SCP or the key policy and alarm on it in CloudTrail
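The envelope flow from the Architecture diagram, with the data-key cache that keeps a hot path under the shared request quota from the Throttling point above, as an added example (not code from the page or from AWS). The KMS-facing calls use boto3's method names and response fields (`generate_data_key`, `decrypt`, `Plaintext`, `CiphertextBlob`) so `boto3.client('kms')` can replace `LocalKms` unchanged; `LocalKms`, the alias `alias/my-key` and the cipher are constructed stand-ins. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag because the standard library has no AES-GCM, which is what the AWS Encryption SDK would use.

```python
"""Envelope encryption with a data-key cache (added example; not AWS code)."""
import hashlib
import hmac
import secrets
import struct
import time


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode PRF stream: HMAC(key, nonce || counter) blocks, truncated to n bytes
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag. aad is bound to the tag but not encrypted."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, aad + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or context was altered")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


class LocalKms:
    """Offline stand-in for boto3's KMS client (constructed for this example)."""

    def __init__(self) -> None:
        self._master_keys = {"alias/my-key": secrets.token_bytes(32)}  # never leaves "KMS"
        self.generate_calls = 0
        self.decrypt_calls = 0

    def generate_data_key(self, KeyId: str, KeySpec: str = "AES_256") -> dict:
        self.generate_calls += 1
        plaintext_key = secrets.token_bytes(32)
        wrapped = seal(self._master_keys[KeyId], plaintext_key, aad=KeyId.encode())
        # The blob carries the key id, so Decrypt needs no KeyId argument (as with real KMS)
        return {"KeyId": KeyId, "Plaintext": plaintext_key,
                "CiphertextBlob": KeyId.encode() + b"\0" + wrapped}

    def decrypt(self, CiphertextBlob: bytes) -> dict:
        self.decrypt_calls += 1
        key_id, wrapped = CiphertextBlob.split(b"\0", 1)
        key_id = key_id.decode()
        plaintext_key = unseal(self._master_keys[key_id], wrapped, aad=key_id.encode())
        return {"KeyId": key_id, "Plaintext": plaintext_key}


class DataKeyCache:
    """Reuse one data key for up to max_uses messages or max_age seconds.

    Every miss is one GenerateDataKey call, so the cache bounds how much of the
    per-account KMS request quota a hot path can consume.
    """

    def __init__(self, kms, key_id: str, max_uses: int = 100, max_age: float = 300.0) -> None:
        self.kms, self.key_id, self.max_uses, self.max_age = kms, key_id, max_uses, max_age
        self._entry = None
        self._uses = 0
        self._created = 0.0

    def get(self) -> tuple:
        expired = time.monotonic() - self._created > self.max_age
        if self._entry is None or self._uses >= self.max_uses or expired:
            resp = self.kms.generate_data_key(KeyId=self.key_id, KeySpec="AES_256")
            self._entry = (resp["Plaintext"], resp["CiphertextBlob"])
            self._uses, self._created = 0, time.monotonic()
        self._uses += 1
        return self._entry


def encrypt_record(cache: DataKeyCache, plaintext: bytes, context: bytes = b"") -> dict:
    plaintext_key, encrypted_key = cache.get()
    # Persist the wrapped key beside the ciphertext; the plaintext key stays in memory only
    return {"encrypted_key": encrypted_key, "ciphertext": seal(plaintext_key, plaintext, context)}


def decrypt_record(kms, record: dict, context: bytes = b"") -> bytes:
    plaintext_key = kms.decrypt(CiphertextBlob=record["encrypted_key"])["Plaintext"]
    return unseal(plaintext_key, record["ciphertext"], context)


if __name__ == "__main__":
    kms = LocalKms()
    cache = DataKeyCache(kms, "alias/my-key", max_uses=100)
    records = [encrypt_record(cache, f"row {i}".encode(), b"table=users") for i in range(250)]
    print(f"{len(records)} records encrypted with {kms.generate_calls} GenerateDataKey calls")
    print(decrypt_record(kms, records[42], b"table=users"))
```

Two hundred and fifty records cost three GenerateDataKey calls instead of 250. The `context` argument plays the role of a KMS encryption context: it is authenticated, so a record decrypted under the wrong context fails closed instead of returning garbage. On the read side a production cache would also memoize `Decrypt` results keyed by the wrapped key, since every record that shares a data key shares the same blob.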
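A key policy linter for the Key Policy Complexity and Deletion Risk points above, as an added example (not AWS tooling). It flags Allow statements with a wildcard principal and no Condition, statements that let the same principal both administer and use the key, and the absence of a Deny on `kms:ScheduleKeyDeletion`, and it builds a hardened policy that passes. The account ID `111122223333` and the role names are constructed placeholders; the weak policy is the AWS default "Enable IAM User Permissions" statement with two careless additions.

```python
"""KMS key policy linter (added example; not AWS tooling)."""
import fnmatch
import json

CRYPTO_OPS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
              "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext")
ADMIN_OPS = ("kms:ScheduleKeyDeletion", "kms:PutKeyPolicy", "kms:DisableKey")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants(statement: dict, op: str) -> bool:
    # IAM action patterns ("kms:Put*", "kms:*") are shell-style globs
    return any(fnmatch.fnmatchcase(op, pat) for pat in _as_list(statement.get("Action")))


def _principals(statement: dict) -> list:
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def lint_key_policy(policy: dict) -> list:
    findings = []
    statements = _as_list(policy.get("Statement"))
    for s in statements:
        sid = s.get("Sid", "<no Sid>")
        principals = _principals(s)
        # The account-root statement delegates to IAM; it is not itself a workload or admin role
        is_iam_delegation = bool(principals) and all(p.endswith(":root") for p in principals)
        if s.get("Effect") != "Allow":
            continue
        if "*" in principals and "Condition" not in s:
            findings.append(f"{sid}: Allow with wildcard principal and no Condition")
        if not is_iam_delegation and any(_grants(s, a) for a in ADMIN_OPS) \
                and any(_grants(s, c) for c in CRYPTO_OPS):
            findings.append(f"{sid}: administrators can also use the key; split admin and usage roles")
    if not any(s.get("Effect") == "Deny" and _grants(s, "kms:ScheduleKeyDeletion") for s in statements):
        findings.append("no Deny on kms:ScheduleKeyDeletion: a compromised admin can schedule deletion")
    return findings


def hardened_key_policy(account_id: str, admin_role: str, user_role: str) -> dict:
    """Admin/usage separation plus a standing Deny on deletion (role names are placeholders)."""
    arn = f"arn:aws:iam::{account_id}:"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableIAMPermissions", "Effect": "Allow", "Principal": {"AWS": arn + "root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "KeyAdministrators", "Effect": "Allow",
         "Principal": {"AWS": arn + "role/" + admin_role},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                    "kms:TagResource", "kms:UntagResource", "kms:CancelKeyDeletion"],
         "Resource": "*"},
        {"Sid": "KeyUsers", "Effect": "Allow",
         "Principal": {"AWS": arn + "role/" + user_role},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
        # Deleting now takes two logged steps: remove this statement, then ScheduleKeyDeletion
        {"Sid": "NoDeletion", "Effect": "Deny", "Principal": "*",
         "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
    ]}


# Constructed weak policy: the AWS default root statement plus an all-powerful admin
# role and an anonymous Decrypt grant.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMPermissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Admins", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/platform-admin"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "AnyoneCanDecrypt", "Effect": "Allow", "Principal": "*",
     "Action": ["kms:Decrypt"], "Resource": "*"},
]}

if __name__ == "__main__":
    for finding in lint_key_policy(WEAK_POLICY):
        print("weak:", finding)
    print(json.dumps(hardened_key_policy("111122223333", "kms-admin", "payments-app"), indent=2))
```

Run it against every key policy you ship (`aws kms get-key-policy --policy-name default` returns the document as JSON). The hardened policy keeps the root delegation statement because most accounts rely on IAM for day-to-day grants; if you remove it, IAM policies in the account stop working for this key and every grant has to live in the key policy itself.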
Verdict
Grade: A
Best for:
- Compliance requirements
- Data encryption
- Key lifecycle management
When to use AWS managed keys:
- Standard encryption
- No compliance needs
- Cost-conscious
When to use customer managed keys:
- Compliance (HIPAA, PCI)
- Audit requirements
- Key rotation control
Researcher 🔬 — Staff Software Architect