

# Accessing Amazon Key Management Service
<a name="accessing-kms"></a>

You can work with Amazon KMS in the following ways:

**Topics**
+ [Amazon Web Services Management Console](#kms-console)
+ [Amazon Command Line Interface](#kms-cli)
+ [Amazon KMS REST API](#kms-api)
+ [Amazon SDKs](#kms-sdk)
+ [Using this service with an Amazon SDK](sdk-general-information-section.md)
+ [Amazon Encryption SDK](#crypto-sdk)
+ [Amazon KMS eventual consistency](#programming-eventual-consistency)
+ [Using hybrid post-quantum TLS with Amazon KMS](pqtls.md)
+ [Connect to Amazon KMS through a VPC endpoint](kms-vpc-endpoint.md)
+ [Dual-stack endpoint support](ipv6-kms.md)

## Amazon Web Services Management Console
<a name="kms-console"></a>

The console is a web-based user interface for managing Amazon KMS and Amazon resources. If you've signed up for an Amazon Web Services account, you can access the Amazon KMS console by signing into the Amazon Web Services Management Console and choosing Amazon KMS from the Amazon Web Services Management Console home page.

### Permissions required to use the Amazon KMS console
<a name="console-permissions"></a>

To work with the Amazon KMS console, users must have a minimum set of permissions that allow them to work with the Amazon KMS resources in their Amazon Web Services account. In addition to these Amazon KMS permissions, users must also have permissions to list IAM users and IAM roles. If you create an IAM policy that is more restrictive than the minimum required permissions, the Amazon KMS console won't function as intended for users with that IAM policy.

For the minimum permissions required to allow a user read-only access to the Amazon KMS console, see [Allow a user to view KMS keys in the Amazon KMS console](customer-managed-policies.md#iam-policy-example-read-only-console).

To allow users to work with the Amazon KMS console to create and manage KMS keys, attach the **AWSKeyManagementServicePowerUser** managed policy to the user, as described in [Amazon managed policies for Amazon Key Management Service](security-iam-awsmanpol.md).

You don't need to allow minimum console permissions for users that are working with the Amazon KMS API through the [Amazon SDKs](http://www.amazonaws.cn/tools/#sdk), [Amazon Command Line Interface](https://docs.amazonaws.cn/cli/latest/userguide/), or [Amazon Tools for PowerShell](https://docs.amazonaws.cn/powershell/latest/userguide/). However, you do need to grant these users permission to use the API. For more information, see [Permissions reference](kms-api-permissions-reference.md).

## Amazon Command Line Interface
<a name="kms-cli"></a>

You can use the Amazon CLI tools to issue commands or build scripts at your system's command line to perform Amazon (including Amazon KMS) tasks. 

For more information about using Amazon KMS through the Amazon CLI, see the [Amazon CLI Command Reference](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/index.html).

## Amazon KMS REST API
<a name="kms-api"></a>

The architecture of Amazon KMS is designed to be programming language-neutral. The REST API is an HTTP interface to Amazon KMS. With the REST API, you use standard HTTP requests to create, fetch, and delete keys.

For more information on using the Amazon KMS REST API, see the [Amazon Key Management Service API Reference](https://docs.amazonaws.cn/kms/latest/APIReference/Welcome.html).

## Amazon SDKs
<a name="kms-sdk"></a>

Amazon provides SDKs (software development kits) that consist of libraries and sample code for common programming languages and platforms (Java, JavaScript, C, Python, and so on). The Amazon SDKs provide a convenient way to create programmatic access to Amazon KMS and Amazon. Amazon KMS is a REST service. You can send requests to Amazon KMS using the Amazon SDK libraries, which wrap the underlying Amazon KMS REST API and simplify your programming tasks. For information about the Amazon SDKs, including how to download and install them, see [Tools to Build on Amazon](https://www.amazonaws.cn/developer/tools).

The [Code examples for Amazon KMS using Amazon SDKs](service_code_examples.md) provides a good starting point for using Amazon KMS through the Amazon SDKs.

## Amazon Encryption SDK
<a name="crypto-sdk"></a>

The Amazon Encryption SDK is a tool for implementing client-side encryption in your application. It does not provide full access to KMS, but instead it integrates with Amazon KMS, or can be used as a stand-alone SDK without referencing KMS keys. Libraries are available for Java, JavaScript, C, Python, and other programming languages. 

For more information, see the [Amazon Encryption SDK Developer Guide](https://docs.amazonaws.cn/encryption-sdk/latest/developer-guide/introduction.html).


## Amazon KMS eventual consistency
<a name="programming-eventual-consistency"></a>

The Amazon KMS API follows an [eventual consistency](https://en.wikipedia.org/wiki/Eventual_consistency) model due to the distributed nature of the system. As a result, changes to Amazon KMS resources might not be immediately visible to the subsequent commands you run. 

When you perform Amazon KMS API calls, there might be a brief delay before the change is available throughout Amazon KMS. It typically takes less than a few seconds for the change to propagate throughout the system, but in some cases it can take several minutes. You might get unexpected errors, such as a `NotFoundException` or an `InvalidStateException`, during this time. For example, Amazon KMS might return a `NotFoundException` if you call `GetParametersForImport` immediately after calling `CreateKey`.

We recommend that you configure a retry strategy on your Amazon KMS clients to automatically retry operations after a brief waiting period. For more information, see [Retry behavior](https://docs.amazonaws.cn/sdkref/latest/guide/feature-retry-behavior.html) in the Amazon SDKs and Tools Reference Guide.
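The following added example (not code from the Amazon KMS documentation or SDKs) sketches an application-level retry for the `CreateKey` then `GetParametersForImport` case above: it retries only the two error codes named on this page, with capped exponential backoff and jitter, and gives up after a fixed number of attempts so a key that is really missing still surfaces as an error. `call_with_retry`, `StubKms`, and `StubClientError` are hypothetical names; the stub stands in for a real client so the example runs offline, and it assumes errors expose `response["Error"]["Code"]` as botocore's `ClientError` does.

```python
import random
import time

# Error codes the page names as possible while a change is still propagating.
PROPAGATION_CODES = {"NotFoundException", "InvalidStateException"}

class StubClientError(Exception):
    """Constructed stand-in shaped like botocore's ClientError (`response` dict)."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

def call_with_retry(operation, *, max_attempts=5, base_delay=0.5, max_delay=8.0,
                    sleep=time.sleep, retry_codes=PROPAGATION_CODES):
    """Retry operation() with capped exponential backoff and full jitter, but only
    for retry_codes; other errors, and the last failed attempt, are re-raised."""
    for attempt in range(1, max_attempts + 1):
        try:
            return operation()
        except Exception as exc:
            code = getattr(exc, "response", {}).get("Error", {}).get("Code")
            if code not in retry_codes or attempt == max_attempts:
                raise  # not a propagation error, or the wait budget is spent
            delay = min(max_delay, base_delay * 2 ** (attempt - 1))
            sleep(random.uniform(0, delay))

class StubKms:
    """Constructed simulation: a new key is invisible for the first `lag` reads."""
    def __init__(self, lag):
        self.lag, self.reads = lag, 0

    def create_key(self):
        return {"KeyMetadata": {"KeyId": "example-key-id"}}  # placeholder ID

    def get_parameters_for_import(self, KeyId):  # simplified signature
        self.reads += 1
        if self.reads <= self.lag:
            raise StubClientError("NotFoundException")
        return {"KeyId": KeyId}

def demo(lag=2):
    """CreateKey followed at once by GetParametersForImport, as in the page's example."""
    kms = StubKms(lag)
    key_id = kms.create_key()["KeyMetadata"]["KeyId"]
    result = call_with_retry(lambda: kms.get_parameters_for_import(KeyId=key_id),
                             sleep=lambda seconds: None)  # skip real waits in the demo
    return result, kms.reads
```

Keeping the retried codes to this short list means authorization failures and other errors are reported on the first attempt instead of being masked by the backoff loop.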

For grant-related API calls, you can [use a grant token](using-grant-token.md) to avoid any potential delay and use the permissions in a grant immediately. For more information, see [Eventual consistency (for grants)](grants.md#terms-eventual-consistency).