Accessing Amazon Key Management Service
You can work with Amazon KMS in the following ways:
Amazon Web Services Management Console
The console is a web-based user interface for managing Amazon KMS and Amazon resources. If you've signed up for an Amazon Web Services account, you can access the Amazon KMS console by signing in to the Amazon Web Services Management Console and choosing Amazon KMS from the Amazon Web Services Management Console home page.
Permissions required to use the Amazon KMS console
To work with the Amazon KMS console, users must have a minimum set of permissions that allow them to work with the Amazon KMS resources in their Amazon Web Services account. In addition to these Amazon KMS permissions, users must also have permissions to list IAM users and IAM roles. If you create an IAM policy that is more restrictive than the minimum required permissions, the Amazon KMS console won't function as intended for users with that IAM policy.
For the minimum permissions required to allow a user read-only access to the Amazon KMS console, see Allow a user to view KMS keys in the Amazon KMS console.
To allow users to work with the Amazon KMS console to create and manage KMS keys, attach the AWSKeyManagementServicePowerUser managed policy to the user, as described in Amazon managed policies for Amazon Key Management Service.
You don't need to allow minimum console permissions for users that are working with the Amazon KMS API through the Amazon SDKs.
Amazon Command Line Interface
You can use the Amazon CLI tools to issue commands or build scripts at your system's command line to perform Amazon (including Amazon KMS) tasks.
For more information about using Amazon KMS through the Amazon CLI, see the Amazon CLI Command Reference.
Amazon KMS REST API
The architecture of Amazon KMS is designed to be programming language-neutral, using Amazon-supported interfaces to store and retrieve objects. You can access S3 and Amazon programmatically by using the Amazon KMS REST API. The REST API is an HTTP interface to Amazon KMS. With the REST API, you use standard HTTP requests to create, fetch, and delete buckets and objects.
For more information on using the Amazon KMS REST API, see the Amazon Key Management Service API Reference.
Amazon SDKs
Amazon provides SDKs (software development kits) that consist of libraries and sample code for common programming languages and platforms (Java, JavaScript, C, Python, and so on). The Amazon SDKs provide a convenient way to create programmatic access to Amazon KMS and Amazon. Amazon KMS is a REST service. You can send requests to Amazon KMS using the Amazon SDK libraries, which wrap the underlying Amazon KMS REST API and simplify your programming tasks. For information about the Amazon SDKs, including how to download and install them, see Tools to Build on Amazon.
The Code examples for Amazon KMS using Amazon SDKs section provides a good starting point for using Amazon KMS through the Amazon SDKs.
Amazon Encryption SDK
The Amazon Encryption SDK is a tool for implementing client-side encryption in your application. It does not provide full access to KMS, but instead it integrates with Amazon KMS, or can be used as a stand-alone SDK without referencing KMS keys. Libraries are available for Java, JavaScript, C, Python, and other programming languages.
For more information, see the Amazon Encryption SDK Developer Guide.
Amazon KMS key policies and IAM policies
Amazon KMS eventual consistency
The Amazon KMS API follows an eventual consistency model. When you perform Amazon KMS API calls, there might be a brief delay before the change is available throughout Amazon KMS. It typically takes less than a few seconds for the change to propagate throughout the system, but in some cases it can take several minutes. You might get unexpected errors, such as a NotFoundException or an InvalidStateException, during this time. For example, Amazon KMS might return a NotFoundException if you call GetParametersForImport immediately after calling CreateKey.
We recommend that you configure a retry strategy on your Amazon KMS clients to automatically retry operations after a brief waiting period. For more information, see Retry behavior in the Amazon SDKs and Tools Reference Guide.
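The following is an added example, not code from the Amazon KMS documentation or from any Amazon SDK, showing the retry strategy the paragraph above recommends. It reproduces the CreateKey followed by GetParametersForImport scenario against a constructed stand-in client (`FakeKms`, `KmsClientError` and all key ids are hypothetical) so that it runs offline. The retry helper backs off exponentially with jitter and retries only the propagation-related error codes named on this page; any other error (for example an access-denied error) is raised immediately, since retrying it would only mask a permissions problem.

```python
import random
import time

# Error codes that Amazon KMS can return while a change is still propagating
# (NotFoundException and InvalidStateException are named on this page; the
# KMSInvalidStateException spelling is an assumption about SDK error codes).
PROPAGATION_ERRORS = {"NotFoundException", "InvalidStateException", "KMSInvalidStateException"}


class KmsClientError(Exception):
    """Constructed stand-in for an SDK error; real SDKs expose the code differently."""

    def __init__(self, code, message=""):
        super().__init__(f"{code}: {message}")
        self.code = code


def call_with_retry(operation, *, max_attempts=5, base_delay=0.5, max_delay=8.0,
                    sleep=time.sleep, rng=random.random):
    """Call operation() until it succeeds, retrying only propagation errors.

    Uses capped exponential backoff with full jitter. Returns (result, attempts).
    Re-raises the error when it is not retryable or max_attempts is exhausted.
    """
    attempts = 0
    while True:
        attempts += 1
        try:
            return operation(), attempts
        except KmsClientError as err:
            if err.code not in PROPAGATION_ERRORS or attempts >= max_attempts:
                raise
            delay = min(max_delay, base_delay * 2 ** (attempts - 1)) * rng()
            sleep(delay)


class FakeKms:
    """Constructed stand-in for a KMS client with simulated eventual consistency.

    A key returned by create_key() only becomes visible to other operations
    after `propagation_calls` further calls have been made on the client.
    """

    def __init__(self, propagation_calls=2):
        self.propagation_calls = propagation_calls
        self._visible_at = {}   # key id -> call count at which it becomes visible
        self.calls = 0

    def create_key(self):
        self.calls += 1
        key_id = f"key-{len(self._visible_at) + 1}"   # hypothetical id, not a real ARN
        self._visible_at[key_id] = self.calls + self.propagation_calls
        return key_id

    def get_parameters_for_import(self, key_id):
        self.calls += 1
        visible_at = self._visible_at.get(key_id)
        if visible_at is None or self.calls < visible_at:
            raise KmsClientError("NotFoundException", f"{key_id} is not yet visible")
        return {"KeyId": key_id, "ImportToken": b"constructed-token"}


def create_then_import_params(kms, retry=True, sleep=time.sleep, max_attempts=5):
    """CreateKey immediately followed by GetParametersForImport, with or without retries."""
    key_id = kms.create_key()

    def op():
        return kms.get_parameters_for_import(key_id)

    if retry:
        return call_with_retry(op, sleep=sleep, max_attempts=max_attempts)
    return op(), 1


if __name__ == "__main__":
    params, attempts = create_then_import_params(FakeKms(propagation_calls=2))
    print(f"got parameters for {params['KeyId']} after {attempts} attempt(s)")
```

With a real SDK you would not hand-roll this loop; you would turn on the client's built-in retry mode instead (for example, in boto3, `Config(retries={"mode": "standard", "max_attempts": 10})` passed to the client), which is what the Retry behavior guide referenced above describes. The helper here exists to make the failure mode visible: the same call that fails immediately after CreateKey succeeds once propagation completes.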
For grant-related API calls, you can use a grant token to avoid any potential delay and use the permissions in a grant immediately. For more information, see Eventual consistency (for grants).