Accessing Amazon Key Management Service - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Accessing Amazon Key Management Service

You can work with Amazon KMS in the following ways:

Amazon Web Services Management Console

The console is a web-based user interface for managing Amazon KMS and Amazon resources. If you've signed up for an Amazon Web Services account, you can access the Amazon KMS console by signing into the Amazon Web Services Management Console and choosing Amazon KMS from the Amazon Web Services Management Console home page.

Permissions required to use the Amazon KMS console

To work with the Amazon KMS console, users must have a minimum set of permissions that allow them to work with the Amazon KMS resources in their Amazon Web Services account. In addition to these Amazon KMS permissions, users must also have permissions to list IAM users and IAM roles. If you create an IAM policy that is more restrictive than the minimum required permissions, the Amazon KMS console won't function as intended for users with that IAM policy.

For the minimum permissions required to allow a user read-only access to the Amazon KMS console, see Allow a user to view KMS keys in the Amazon KMS console.

To allow users to work with the Amazon KMS console to create and manage KMS keys, attach the AWSKeyManagementServicePowerUser managed policy to the user, as described in Amazon managed policies for Amazon Key Management Service.

You don't need to allow minimum console permissions for users that are working with the Amazon KMS API through the Amazon SDKs, Amazon Command Line Interface, or Amazon Tools for PowerShell. However, you do need to grant these users permission to use the API. For more information, see Permissions reference.

Amazon Command Line Interface

You can use the Amazon CLI tools to issue commands or build scripts at your system's command line to perform Amazon (including Amazon KMS) tasks.

For more information about using Amazon KMS through the Amazon CLI, see the Amazon CLI Command Reference.

Amazon KMS REST API

The architecture of Amazon KMS is designed to be programming language-neutral, using Amazon-supported interfaces. You can access Amazon KMS programmatically by using the Amazon KMS REST API. The REST API is an HTTP interface to Amazon KMS. With the REST API, you use standard HTTP requests to create and manage KMS keys and to perform cryptographic operations with them.

For more information on using the Amazon KMS REST API, see the Amazon Key Management Service API Reference.

Amazon SDKs

Amazon provides SDKs (software development kits) that consist of libraries and sample code for common programming languages and platforms (Java, JavaScript, C, Python, and so on). The Amazon SDKs provide a convenient way to create programmatic access to Amazon KMS and other Amazon services. Amazon KMS is a REST service. You can send requests to Amazon KMS using the Amazon SDK libraries, which wrap the underlying Amazon KMS REST API and simplify your programming tasks. For information about the Amazon SDKs, including how to download and install them, see Tools to Build on Amazon.

The Code examples for Amazon KMS using Amazon SDKs section provides a good starting point for using Amazon KMS through the Amazon SDKs.

Amazon Encryption SDK

The Amazon Encryption SDK is a tool for implementing client-side encryption in your application. It does not provide full access to KMS, but instead it integrates with Amazon KMS, or can be used as a stand-alone SDK without referencing KMS keys. Libraries are available for Java, JavaScript, C, Python, and other programming languages.

For more information, see the Amazon Encryption SDK Developer Guide.


Amazon KMS eventual consistency

The Amazon KMS API follows an eventual consistency model due to the distributed nature of the system. As a result, changes to Amazon KMS resources might not be immediately visible to the subsequent commands you run.

When you perform Amazon KMS API calls, there might be a brief delay before the change is available throughout Amazon KMS. It typically takes less than a few seconds for the change to propagate throughout the system, but in some cases it can take several minutes. You might get unexpected errors, such as a NotFoundException or an InvalidStateException, during this time. For example, Amazon KMS might return a NotFoundException if you call GetParametersForImport immediately after calling CreateKey.

We recommend that you configure a retry strategy on your Amazon KMS clients to automatically retry operations after a brief waiting period. For more information, see Retry behavior in the Amazon SDKs and Tools Reference Guide.

For grant related API calls, you can use a grant token to avoid any potential delay and use the permissions in a grant immediately. For more information, see Eventual consistency (for grants).
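The following is an added example, not code from the Amazon KMS documentation, showing the retry strategy recommended above: a small wrapper that retries only the transient, propagation-related errors (NotFoundException and the KMSInvalidStateException wire name of the InvalidStateException mentioned above) with capped exponential backoff and jitter, and re-raises everything else immediately so that a real authorization failure is never masked as "not yet consistent". The `make_kms_client` helper assumes boto3 is installed and uses the SDK's own `standard` retry mode with an assumed 10 attempts; the `FakeKms` client is a constructed stand-in that mimics the window in which GetParametersForImport cannot see a key that CreateKey just returned, so the example runs offline.

```python
"""Retry helper for eventually consistent Amazon KMS calls (added example)."""
import random
import time

try:  # boto3/botocore are optional: only make_kms_client() needs them
    import boto3
    from botocore.config import Config
except ImportError:  # pragma: no cover
    boto3 = None
    Config = None

# Error codes KMS returns while a change is still propagating. These are the
# only codes worth retrying; AccessDeniedException and the like are permanent.
TRANSIENT_KMS_ERRORS = frozenset({"NotFoundException", "KMSInvalidStateException"})


def error_code(exc):
    """Extract the service error code from a botocore ClientError-shaped exception."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code")


def call_with_retry(operation, *, max_attempts=6, base_delay=0.2, max_delay=5.0,
                    sleep=time.sleep, rng=random.random):
    """Call operation(); retry transient KMS errors with capped backoff plus jitter.

    Returns (result, attempts). Raises immediately on non-transient errors and
    re-raises the last transient error once max_attempts is exhausted.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            return operation(), attempt
        except Exception as exc:
            if error_code(exc) not in TRANSIENT_KMS_ERRORS or attempt == max_attempts:
                raise
            # exponential backoff, capped, with 50-100% jitter to avoid thundering herds
            delay = min(max_delay, base_delay * 2 ** (attempt - 1)) * (0.5 + 0.5 * rng())
            sleep(delay)


def make_kms_client(region_name):
    """Real boto3 KMS client using the SDK's standard retry mode (assumed settings)."""
    if boto3 is None:
        raise RuntimeError("boto3 is not installed")
    return boto3.client("kms", region_name=region_name,
                        config=Config(retries={"max_attempts": 10, "mode": "standard"}))


# ---- Constructed offline stand-in for the propagation window ----------------
class FakeClientError(Exception):
    """Shaped like botocore.exceptions.ClientError: exposes .response['Error']['Code']."""

    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeKms:
    """Constructed client: the key from create_key is invisible for `lag` lookups."""

    def __init__(self, lag):
        self.lag = lag
        self.calls = 0
        self.key_id = "00000000-0000-0000-0000-000000000000"  # placeholder key id

    def create_key(self):
        return {"KeyMetadata": {"KeyId": self.key_id}}

    def get_parameters_for_import(self, key_id):
        self.calls += 1
        if key_id != self.key_id or self.calls <= self.lag:
            raise FakeClientError("NotFoundException")
        return {"KeyId": key_id, "ImportToken": b"constructed-token"}


def create_key_and_fetch_import_params(kms, **retry_kwargs):
    """CreateKey followed by GetParametersForImport, tolerating the consistency lag."""
    key_id = kms.create_key()["KeyMetadata"]["KeyId"]
    params, attempts = call_with_retry(
        lambda: kms.get_parameters_for_import(key_id), **retry_kwargs)
    return params["KeyId"], attempts


if __name__ == "__main__":
    # Simulate two stale reads before the key becomes visible; skip real sleeping.
    print(create_key_and_fetch_import_params(FakeKms(lag=2), sleep=lambda _s: None))
```

Against a real client, wrap each call that follows a mutating operation (for example GetParametersForImport after CreateKey) in `call_with_retry`, and keep the SDK-level retry configuration in place as well: the SDK handles throttling and transport errors, while this wrapper handles the service-level "not yet visible" responses the text describes.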