Amazon KMS concepts - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon KMS concepts

Learn the basic terms and concepts used in Amazon Key Management Service (Amazon KMS) and how they work together to help protect your data.

Introduction to Amazon KMS

Amazon Key Management Service (Amazon KMS) provides a web interface to generate and manage cryptographic keys and operates as a cryptographic service provider for protecting data. Amazon KMS offers traditional key management services integrated with Amazon services to provide a consistent view of customers’ keys across Amazon, with centralized management and auditing.

Amazon KMS includes a web interface through the Amazon Web Services Management Console, command line interface, and RESTful API operations to request cryptographic operations of a distributed fleet of FIPS 140-3 validated hardware security modules (HSMs). The Amazon KMS HSM is a multichip standalone hardware cryptographic appliance designed to provide dedicated cryptographic functions to meet the security and scalability requirements of Amazon KMS. You can establish your own HSM-based cryptographic hierarchy under keys that you manage as Amazon KMS keys. These keys are made available only on the HSMs and only in memory for the necessary time needed to process your cryptographic request. You can create multiple KMS keys, each represented by its key ID. Only under Amazon IAM roles and accounts administered by each customer can customer managed KMS keys be created, deleted, or used to encrypt, decrypt, sign, or verify data. You can define access controls on who can manage and/or use KMS keys by creating a policy that is attached to the key. Such policies allow you to define application-specific uses for your keys for each API operation.

In addition, most Amazon services support encryption of data at rest using KMS keys. This capability allows customers to control how and when Amazon services can access encrypted data by controlling how and when KMS keys can be accessed.

Amazon KMS architecture.

Amazon KMS is a tiered service consisting of web-facing Amazon KMS hosts and a tier of HSMs. The grouping of these tiered hosts forms the Amazon KMS stack. All requests to Amazon KMS must be made over the Transport Layer Security protocol (TLS) and terminate on an Amazon KMS host. Amazon KMS hosts only allow TLS with a ciphersuite that provides perfect forward secrecy. Amazon KMS authenticates and authorizes your requests using the same credential and policy mechanisms of Amazon Identity and Access Management (IAM) that are available for all other Amazon API operations.

Amazon KMS design goals

Amazon KMS is designed to meet the following requirements.

Durability

The durability of cryptographic keys is designed to equal that of the highest durability services in Amazon. A single cryptographic key can encrypt large volumes of your data that has accumulated over a long time.

Trustworthy

Use of keys is protected by access control policies that you define and manage. There is no mechanism to export plaintext KMS keys. The confidentiality of your cryptographic keys is crucial. Multiple Amazon employees with role-specific access to quorum-based access controls are required to perform administrative actions on the HSMs.

Low-latency and high throughput

Amazon KMS provides cryptographic operations at latency and throughput levels suitable for use by other services in Amazon.

Independent Regions

Amazon provides independent Regions for customers who need to restrict data access in different Regions. Key usage can be isolated within an Amazon Web Services Region.

Secure source of random numbers

Because strong cryptography depends on truly unpredictable random number generation, Amazon KMS provides a high-quality and validated source of random numbers.

Audit

Amazon KMS records the use and management of cryptographic keys in Amazon CloudTrail logs. You can use Amazon CloudTrail logs to inspect use of your cryptographic keys, including the use of keys by Amazon services on your behalf.

To achieve these goals, the Amazon KMS system includes a set of Amazon KMS operators and service host operators (collectively, “operators”) that administer “domains.” A domain is a Regionally defined set of Amazon KMS servers, HSMs, and operators. Each Amazon KMS operator has a hardware token that contains a private and public key pair that is used to authenticate its actions. The HSMs have an additional private and public key pair to establish encryption keys that protect HSM state synchronization.