AWS: Encryption and KMS

  • Encryption on any system requires three components:
  1. Data to encrypt
  2. A method to encrypt the data using a cryptographic algorithm (for example, AES) and
  3. Encryption keys to be used

  • Choosing the right algorithm involves evaluating security, performance, and compliance requirements specific to your application.
  • Although the selection of an encryption algorithm is important, protecting the keys from unauthorized access is critical.
  • Managing the security of encryption keys is often performed using a key management infrastructure (KMI).
  • A KMI is composed of two subcomponents:
  1. The storage layer that protects the plaintext keys and
  2. The management layer that authorizes key usage

A common way to protect keys in a KMI is to use a hardware security module (HSM).

An HSM is a dedicated storage and data processing device that performs cryptographic operations using keys on the device.

  • An HSM typically provides tamper evidence, or tamper resistance, to protect keys from unauthorized access.
  • A software-based authorization layer controls who can administer the HSM and which users or applications can use which keys in the HSM.

AWS CloudHSM provides a FIPS 140-2 Level 3 validated, single-tenant HSM cluster in your Amazon Virtual Private Cloud (VPC) to store and use your keys.

  • FIPS (Federal Information Processing Standards) are a set of standards that describe document processing, encryption algorithms, and other information technology standards for use within nonmilitary government agencies and by government contractors and vendors who work with those agencies.

When you use AWS CloudHSM

  • You have exclusive control over how your keys are used, via an authentication mechanism independent from AWS.
  • You interact with keys in your AWS CloudHSM cluster in much the same way you interact with your applications running in Amazon EC2.
  • You can use AWS CloudHSM to support a variety of use cases, such as
  1. Digital rights management
  2. Public key infrastructure
  3. Document signing and
  4. Cryptographic functions


AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

The master keys that you create in AWS KMS are protected by FIPS 140-2 validated cryptographic modules (HSMs).

AWS KMS is integrated with most other AWS services that encrypt your data with encryption keys that you manage.

AWS KMS is integrated with AWS CloudTrail

  • By using CloudTrail you can monitor and investigate how and when your master keys have been used and by whom.
  • This will provide encryption key usage logs to help meet your auditing, regulatory and compliance needs.
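As an added example (not code from the original post and not an AWS tool), here is a small Go audit that reads a CloudTrail log file in its delivered `{"Records":[...]}` layout and answers the questions above: which principals used which key, through which KMS API, and whether any call failed or changed the key's state. The records, the account ID, the key ID and the IP addresses are constructed placeholders; the field names (eventSource, eventName, errorCode, userIdentity.arn, resources[].ARN) are the standard CloudTrail ones, and the list of "administrative" operations is this example's own choice.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// trailRecord holds only the CloudTrail fields this audit needs.
type trailRecord struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	ErrorCode    string `json:"errorCode"`
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	Resources []struct {
		ARN string `json:"ARN"`
	} `json:"resources"`
}

// KeyUsage summarises one CMK: every principal that called it (successfully or
// not) and how many times each KMS API was attempted.
type KeyUsage struct {
	Principals map[string]bool
	Calls      map[string]int
}

// Finding is an event a reviewer should look at.
type Finding struct{ Time, Principal, IP, KeyARN, Reason string }

// adminOps are KMS APIs that change a key's availability or policy (this example's list).
var adminOps = map[string]bool{"DisableKey": true, "ScheduleKeyDeletion": true, "PutKeyPolicy": true}

// keyARN picks the CMK out of the event's resources list.
func keyARN(r trailRecord) string {
	for _, res := range r.Resources {
		if strings.Contains(res.ARN, ":key/") {
			return res.ARN
		}
	}
	return "(no key ARN)"
}

// AuditKMS parses a CloudTrail log file ({"Records":[...]}) and returns per-key
// usage plus findings for failed calls and administrative changes.
func AuditKMS(trail []byte) (map[string]*KeyUsage, []Finding, error) {
	var file struct{ Records []trailRecord }
	if err := json.Unmarshal(trail, &file); err != nil {
		return nil, nil, err
	}
	usage := map[string]*KeyUsage{}
	var findings []Finding
	for _, r := range file.Records {
		if r.EventSource != "kms.amazonaws.com" {
			continue // only key usage matters here
		}
		key := keyARN(r)
		u, ok := usage[key]
		if !ok {
			u = &KeyUsage{Principals: map[string]bool{}, Calls: map[string]int{}}
			usage[key] = u
		}
		u.Principals[r.UserIdentity.ARN] = true
		u.Calls[r.EventName]++
		switch {
		case r.ErrorCode != "":
			findings = append(findings, Finding{r.EventTime, r.UserIdentity.ARN, r.SourceIP, key, r.EventName + " failed: " + r.ErrorCode})
		case adminOps[r.EventName]:
			findings = append(findings, Finding{r.EventTime, r.UserIdentity.ARN, r.SourceIP, key, "administrative change: " + r.EventName})
		}
	}
	return usage, findings, nil
}

// sampleTrail is a constructed log in CloudTrail's file layout; the account ID,
// key ID and IP addresses are documentation placeholders, not real identifiers.
const sampleTrail = `{"Records":[
 {"eventTime":"2023-05-01T10:00:01Z","eventSource":"kms.amazonaws.com","eventName":"GenerateDataKey","sourceIPAddress":"10.0.1.20","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/app-role/i-0example"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001"}]},
 {"eventTime":"2023-05-01T10:00:02Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","sourceIPAddress":"10.0.1.20","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/app-role/i-0example"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001"}]},
 {"eventTime":"2023-05-01T10:05:00Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","errorCode":"AccessDenied","sourceIPAddress":"203.0.113.5","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001"}]},
 {"eventTime":"2023-05-01T11:00:00Z","eventSource":"kms.amazonaws.com","eventName":"DisableKey","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"},"resources":[{"ARN":"arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000001"}]},
 {"eventTime":"2023-05-01T11:30:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"203.0.113.5","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"resources":[{"ARN":"arn:aws:s3:::example-bucket/report.csv"}]}
]}`

func main() {
	usage, findings, err := AuditKMS([]byte(sampleTrail))
	if err != nil {
		panic(err)
	}
	for key, u := range usage {
		fmt.Printf("%s: %d principal(s), calls=%v\n", key, len(u.Principals), u.Calls)
	}
	for _, f := range findings {
		fmt.Printf("REVIEW %s %s from %s on %s: %s\n", f.Time, f.Principal, f.IP, f.KeyARN, f.Reason)
	}
}
```

On the sample, the S3 event is skipped, the key shows three distinct principals and four attempts, and two findings come out: alice's denied Decrypt from an outside address and bob's DisableKey. Failed calls are counted in the usage summary on purpose, since a denied Decrypt is exactly the kind of event the audit exists to surface.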

By using AWS KMS, you gain more control over access to data you encrypt.

You can use the key management and cryptographic features directly in your applications or through AWS services that are integrated with AWS KMS.

Whether you are writing applications for AWS or using AWS services, AWS KMS enables you to maintain control over who can use your master keys and gain access to your encrypted data.

KMS is a global service

  • Keys are regional
  • AWS KMS keys are never transmitted outside of the AWS Region in which they were created.

KMS Durability and High Availability

AWS KMS stores multiple copies of an encrypted version of your keys in systems that are designed for 99.999999999% durability to help assure you that your keys will be available when you need to access them.

AWS KMS is deployed in multiple Availability Zones within an AWS Region to provide high availability for your encryption keys.

If you import keys into KMS, you must securely maintain a copy of your keys so that you can reimport them at any time.

The master keys created on your behalf by AWS KMS or imported by you cannot be exported from the service.

AWS KMS: Customer Master Keys

The primary resources in AWS KMS are customer master keys (CMKs).

  • You can use a CMK to encrypt and decrypt up to 4 KB of data.

Typically, you use a CMK to generate, encrypt, and decrypt the data keys that you use outside of AWS KMS to encrypt your data. This pattern is known as envelope encryption.

AWS KMS stores, tracks and protects your CMKs.

  • When you want to use a CMK, you access it through AWS KMS.

AWS KMS helps you protect your master keys by storing and managing them securely.

  • Master keys stored in AWS KMS, known as customer master keys (CMKs), never leave the AWS KMS FIPS-validated hardware security modules unencrypted.
  • To use an AWS KMS CMK, you must call AWS KMS.
  • This differs from data keys, which AWS KMS returns to you, optionally in plaintext.
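The following Go program is an added illustration of the envelope-encryption flow described above, not code from the post or from the AWS SDK. It uses a stand-in for KMS (simKMS, Envelope, EnvelopeEncrypt and the other names are this example's own): the master key stays inside the simKMS struct and is never returned, Encrypt refuses anything over 4 KB, GenerateDataKey hands back a fresh data key both in plaintext and wrapped under the CMK, and the application encrypts bulk data locally with AES-256-GCM. The wrapped data key is bound to the data ciphertext as associated data, so a stored envelope cannot be quietly re-pointed at a different key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const kmsEncryptLimit = 4096 // the page's 4 KB limit on direct CMK encryption

// simKMS is a constructed stand-in for AWS KMS holding one CMK; the master key never leaves it.
type simKMS struct {
	keyID     string
	masterKey []byte // 256-bit, held only here
}

func NewSimKMS(keyID string) (*simKMS, error) {
	mk, err := randomBytes(32)
	return &simKMS{keyID: keyID, masterKey: mk}, err
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// aeadFor builds AES-256-GCM; every key here is 32 bytes, so failure is a bug.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // AES has the 128-bit block size GCM needs
	return aead
}

// seal encrypts with AES-256-GCM and returns nonce||ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead := aeadFor(key)
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the ciphertext or aad was altered.
func open(key, blob, aad []byte) ([]byte, error) {
	aead := aeadFor(key)
	if len(blob) < aead.NonceSize() {
		return nil, fmt.Errorf("blob shorter than a nonce")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], aad)
}

// Encrypt uses the CMK directly and enforces the 4 KB limit.
func (k *simKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > kmsEncryptLimit {
		return nil, fmt.Errorf("plaintext is %d bytes; Encrypt accepts at most %d", len(plaintext), kmsEncryptLimit)
	}
	return seal(k.masterKey, plaintext, []byte(k.keyID))
}

func (k *simKMS) Decrypt(blob []byte) ([]byte, error) {
	return open(k.masterKey, blob, []byte(k.keyID))
}

// GenerateDataKey returns a fresh data key in plaintext (use, then discard) and wrapped under the CMK (store).
func (k *simKMS) GenerateDataKey() (plaintextKey, encryptedKey []byte, err error) {
	if plaintextKey, err = randomBytes(32); err != nil {
		return nil, nil, err
	}
	encryptedKey, err = k.Encrypt(plaintextKey)
	return plaintextKey, encryptedKey, err
}

// Envelope is what the application stores: ciphertext plus the wrapped data key.
type Envelope struct{ EncryptedDataKey, Ciphertext []byte }

// EnvelopeEncrypt encrypts data of any size outside KMS under a one-time data key.
func EnvelopeEncrypt(kms *simKMS, data []byte) (*Envelope, error) {
	dk, edk, err := kms.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := seal(dk, data, edk) // the wrapped key is bound as associated data
	return &Envelope{EncryptedDataKey: edk, Ciphertext: ct}, err
}

// EnvelopeDecrypt asks KMS to unwrap the data key, then decrypts locally.
func EnvelopeDecrypt(kms *simKMS, env *Envelope) ([]byte, error) {
	dk, err := kms.Decrypt(env.EncryptedDataKey)
	if err != nil {
		return nil, err
	}
	return open(dk, env.Ciphertext, env.EncryptedDataKey)
}
```

A typical run creates the simulated CMK with NewSimKMS("alias/app-data"), sees kms.Encrypt reject a multi-kilobyte payload, and then round-trips the same payload through EnvelopeEncrypt and EnvelopeDecrypt; the only thing KMS ever decrypts is the 32-byte data key. In real deployments the same shape is produced by the KMS GenerateDataKey and Decrypt APIs, with the plaintext data key kept in memory only for as long as the local encryption takes.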

There are two types of CMKs in AWS accounts:

Customer Managed CMKs

These are CMKs that you create, manage and use.

  • This includes enabling and disabling the CMK,
  • rotating its cryptographic material,
  • establishing the IAM policies and key policies that govern access to the CMK, and
  • using the CMK in cryptographic operations.

You can allow an AWS service to use a customer-managed CMK on your behalf, but you retain control of the CMK.
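To make the key-policy point concrete, here is an added Go example (not the post's code and not an AWS tool) that reviews a key policy for three common weaknesses and shows a weak policy beside a scoped one. Both policies and the account ID are constructed; the checks (an Allow to Principal "*" with or without a Condition, and kms:* granted to a non-root principal) are this example's own heuristics, not AWS's policy evaluation logic. The scoped policy keeps the root statement that delegates to IAM and grants key use to a single role, restricted with the kms:ViaService condition key so the role can use the key only through S3 in one Region.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// statement is one key-policy entry. Principal and Action may be a string, an
// array or an object in real policies, so they stay raw and are decoded loosely.
type statement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
	Condition json.RawMessage `json:"Condition"`
}

// asStrings flattens a JSON string or array of strings into a slice.
func asStrings(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	return many
}

// principals returns every principal identifier in a statement, whether it is
// written as "*" or as an object such as {"AWS": [...]}.
func principals(raw json.RawMessage) []string {
	if s := asStrings(raw); len(s) > 0 {
		return s
	}
	var obj map[string]json.RawMessage
	_ = json.Unmarshal(raw, &obj)
	var out []string
	for _, v := range obj {
		out = append(out, asStrings(v)...)
	}
	return out
}

// ReviewKeyPolicy applies this example's three heuristics to the Allow
// statements of a key policy and returns one finding per statement that trips one.
func ReviewKeyPolicy(doc []byte) ([]string, error) {
	var p struct{ Statement []statement }
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, err
	}
	var findings []string
	for _, s := range p.Statement {
		if s.Effect != "Allow" {
			continue
		}
		anyone, nonRootAdmin := false, false
		for _, pr := range principals(s.Principal) {
			anyone = anyone || pr == "*"
			for _, a := range asStrings(s.Action) {
				if (a == "kms:*" || a == "*") && !strings.HasSuffix(pr, ":root") {
					nonRootAdmin = true
				}
			}
		}
		switch {
		case anyone && len(s.Condition) == 0:
			findings = append(findings, s.Sid+`: Allow to Principal "*" with no Condition opens the key to any AWS principal`)
		case anyone:
			findings = append(findings, s.Sid+`: Allow to Principal "*" relies entirely on its Condition; review it`)
		case nonRootAdmin:
			findings = append(findings, s.Sid+": kms:* granted to a non-root principal; scope it to the actions actually needed")
		}
	}
	return findings, nil
}

// Two constructed policies; the account ID is the AWS documentation placeholder.
// weakPolicy grants key use to every AWS principal and full kms:* to one user.
const weakPolicy = `{"Version":"2012-10-17","Statement":[
 {"Sid":"Enable IAM User Permissions","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:root"},"Action":"kms:*","Resource":"*"},
 {"Sid":"Allow use of the key","Effect":"Allow","Principal":"*","Action":["kms:Decrypt","kms:GenerateDataKey"],"Resource":"*"},
 {"Sid":"Allow key administration","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:user/alice"},"Action":"kms:*","Resource":"*"}]}`

// scopedPolicy keeps the root statement and lets one role use the key only via S3 in one Region.
const scopedPolicy = `{"Version":"2012-10-17","Statement":[
 {"Sid":"Enable IAM User Permissions","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:root"},"Action":"kms:*","Resource":"*"},
 {"Sid":"Allow use of the key","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:role/app-role"},"Action":["kms:Decrypt","kms:GenerateDataKey"],"Resource":"*",
  "Condition":{"StringEquals":{"kms:ViaService":"s3.us-east-1.amazonaws.com"}}}]}`

func main() {
	for name, doc := range map[string]string{"weak": weakPolicy, "scoped": scopedPolicy} {
		findings, err := ReviewKeyPolicy([]byte(doc))
		fmt.Printf("%s policy: %d finding(s), err=%v\n", name, len(findings), err)
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The root statement with kms:* is deliberately left alone: it is the console's default and is what lets IAM policies in the account govern the key at all, which is why the page says a customer-managed CMK is controlled through both IAM policies and the key policy. Removing it without another administrator statement can leave a key nobody can manage.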

AWS Managed CMKs

These are CMKs in your account that are created, managed, and used on your behalf by an AWS service that is integrated with AWS KMS.

This CMK is unique to your AWS account and region.

Only the service that created the AWS managed CMK can use it.

You can recognize AWS managed CMKs because their aliases have the format aws/service-name, such as aws/redshift.

Typically a service creates its AWS managed CMK in your account when you set up the service or the first time you use the CMK.

  • The AWS services that integrate with AWS KMS can use it in many different ways.

Some services create AWS managed CMKs in your account.

Other services require that you specify a customer-managed CMK that you have created.

Others support both types of CMKs to allow you the ease of an AWS managed CMK or the control of a customer-managed CMK.

AWS KMS: Default Master Key vs CMKs

You have the option of selecting a specific master key to use when you want an AWS service to encrypt data on your behalf.

A Default Master Key (Default CMK) specific to each service is created in your account as a convenience the first time you try to create an encrypted resource.

  • This key is managed by AWS KMS, but you can always audit its use in AWS CloudTrail.

AWS will update the policies on default master keys as needed to enable new features in supported services automatically.

Alternatively, you can create a customer master key in AWS KMS and then use it in your own applications or from within a supported AWS service.

AWS does not modify policies on the keys you create.

We are done with encryption and KMS keys. In the next blog, I will start with the AWS Elastic Block Store. Stay connected!

Have a Great Day.


Bharathi is a self-driven and purpose-oriented person. The main mission is to create profound change in her career. Contact her on