# Key management
<a name="security.encryption.ssl.public-key"></a>

Amazon DocumentDB uses Amazon Key Management Service (Amazon KMS) to retrieve and manage encryption keys. Amazon KMS combines secure, highly available hardware and software to provide a key management system scaled for the cloud. Using Amazon KMS, you can create encryption keys and define the policies that control how these keys can be used. Amazon KMS supports Amazon CloudTrail, so you can audit key usage to verify that keys are being used appropriately. 

Your Amazon KMS keys can be used in combination with Amazon DocumentDB and supported Amazon services such as Amazon Simple Storage Service (Amazon S3), Amazon Relational Database Service (Amazon RDS), Amazon Elastic Block Store (Amazon EBS), and Amazon Redshift. For a list of services that support Amazon KMS, see [How Amazon Services use Amazon KMS](https://docs.amazonaws.cn/kms/latest/developerguide/service-integration.html) in the *Amazon Key Management Service Developer Guide*. For information about Amazon KMS, see [What is Amazon Key Management Service?](https://docs.amazonaws.cn/kms/latest/developerguide/overview.html)