Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon KMS keys

The KMS keys that you create and manage for use in your own cryptographic applications are of a type known as customer managed keys. Customer managed keys can also be used in conjunction with Amazon services that use KMS keys to encrypt the data the service stores on your behalf. Customer managed keys are recommended for customers who want full control over the lifecycle and usage of their keys. There is a monthly cost to have a customer managed key in your account. In addition, requests use and/or manage the key incur a usage cost. See Amazon KMS Pricing for more details.

There are cases where a customer might want an Amazon service to encrypt their data, but they don’t want the overhead of managing keys and don’t want to pay for a key. An Amazon managed key is a KMS key that exists in your account, but can only be used under certain circumstances. Specifically, it can only be used in the context of the Amazon service you’re operating in and it can only be used by principals within the account that the key exists. You cannot manage anything about the lifecycle or permissions of these keys. As you use encryption features in Amazon services, you may see Amazon managed keys; they use an alias of the form “aws<service code>”. For example, an aws/ebs key can only be used to encrypt EBS volumes and only for volumes used by IAM principals in the same account as the key. Think of an Amazon managed key that is scoped down for use only by users in your account for resources in your account. You cannot share resources encrypted under an Amazon managed key with other accounts. While an Amazon managed key is free to exist in your account, you are charged for any use of this key type by the Amazon service that is assigned to the key.

Amazon managed keys are a legacy key type that is no longer being created for new Amazon services as of 2021. Instead, new (and legacy) Amazon services are using what’s known as an Amazon owned key to encrypt customer data by default. An Amazon owned key is a KMS key that is in an account managed by the Amazon service, so the service operators have the ability to manage its lifecycle and usage permissions. By using Amazon owned keys, Amazon services can transparently encrypt your data and allow for easy cross-account or cross-region sharing of data without you needing to worry about key permissions. Use Amazon owned keys for encryption-by-default workloads that provide easier, more automated data protection. Because these keys are owned and managed by Amazon, you are not charged for their existence or their usage, you cannot change their policies, you cannot audit activities on these keys, and you cannot delete them. Use customer managed keys when control is important, but use Amazon owned keys when convenience is most important.

The KMS keys that you create are customer managed keys. Amazon Web Services services that use KMS keys to encrypt your service resources often create keys for you. KMS keys that Amazon Web Services services create in your Amazon account are Amazon managed keys. KMS keys that Amazon Web Services services create in a service account are Amazon owned keys.

Amazon services that integrate with Amazon KMS differ in their support for KMS keys. Some Amazon services encrypt your data by default with an Amazon owned key or an Amazon managed key. Some Amazon services support customer managed keys. Other Amazon services support all types of KMS keys to allow you the ease of an Amazon owned key, the visibility of an Amazon managed key, or the control of a customer managed key. For detailed information about the encryption options that an Amazon service offers, see the Encryption at Rest topic in the user guide or the developer guide for the service.

Customer managed keys

The KMS keys that you create are customer managed keys. Customer managed keys are KMS keys in your Amazon Web Services account that you create, own, and manage. You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the KMS keys, and scheduling the KMS keys for deletion.

Customer managed keys appear on the Customer managed keys page of the Amazon Web Services Management Console for Amazon KMS. To definitively identify a customer managed key, use the DescribeKey operation. For customer managed keys, the value of the KeyManager field of the DescribeKey response is CUSTOMER.

You can use your customer managed key in cryptographic operations and audit usage in Amazon CloudTrail logs. In addition, many Amazon services that integrate with Amazon KMS let you specify a customer managed key to protect the data stored and managed for you.

Customer managed keys incur a monthly fee and a fee for use in excess of the free tier. They are counted against the Amazon KMS quotas for your account. For details, see Amazon Key Management Service Pricing and Quotas.

Amazon managed keys

Amazon managed keys are KMS keys in your account that are created, managed, and used on your behalf by an Amazon service integrated with Amazon KMS.

Some Amazon services let you choose an Amazon managed key or a customer managed key to protect your resources in that service. In general, unless you are required to control the encryption key that protects your resources, an Amazon managed key is a good choice. You don't have to create or maintain the key or its key policy, and there's never a monthly fee for an Amazon managed key.

You have permission to view the Amazon managed keys in your account, view their key policies, and audit their use in Amazon CloudTrail logs. However, you cannot change any properties of Amazon managed keys, rotate them, change their key policies, or schedule them for deletion. And, you cannot use Amazon managed keys in cryptographic operations directly; the service that creates them uses them on your behalf.

Amazon managed keys appear on the Amazon managed keys page of the Amazon Web Services Management Console for Amazon KMS. You can also identify Amazon managed keys by their aliases, which have the format aws/service-name, such as aws/redshift. To definitively identify an Amazon managed keys, use the DescribeKey operation. For Amazon managed keys, the value of the KeyManager field of the DescribeKey response is Amazon.

All Amazon managed keys are automatically rotated every year. You cannot change this rotation schedule.

There is no monthly fee for Amazon managed keys. They can be subject to fees for use in excess of the free tier, but some Amazon services cover these costs for you. For details, see the Encryption at Rest topic in the user guide or developer guide for the service. For details, see Amazon Key Management Service Pricing.

Amazon managed keys do not count against resource quotas on the number of KMS keys in each Region of your account. But when used on behalf of a principal in your account, the KMS keys count against request quotas. For details, see Quotas.

Amazon owned keys

Amazon owned keys are a collection of KMS keys that an Amazon service owns and manages for use in multiple Amazon Web Services accounts. Although Amazon owned keys are not in your Amazon Web Services account, an Amazon service can use an Amazon owned key to protect the resources in your account.

Some Amazon services let you choose an Amazon owned key or a customer managed key. In general, unless you are required to audit or control the encryption key that protects your resources, an Amazon owned key is a good choice. Amazon owned keys are completely free of charge (no monthly fees or usage fees), they do not count against the Amazon KMS quotas for your account, and they're easy to use. You don't need to create or maintain the key or its key policy.

The rotation of Amazon owned keys varies across services. For information about the rotation of a particular Amazon owned key, see the Encryption at Rest topic in the user guide or developer guide for the service.

Amazon KMS key hierarchy

Your key hierarchy starts with a top-level logical key, an Amazon KMS key. A KMS key represents a container for top-level key material and is uniquely defined within the Amazon service namespace with an Amazon Resource Name (ARN). The ARN includes a uniquely generated key identifier, a key ID. A KMS key is created based on a user-initiated request through Amazon KMS. Upon reception, Amazon KMS requests the creation of an initial HSM backing key (HBK) to be placed into the KMS key container. The HBK is generated on an HSM in the domain and is designed never to be exported from the HSM in plaintext. Instead, the HBK is exported encrypted under HSM-managed domain keys. These exported HBKs are referred to as exported key tokens (EKTs).

The EKT is exported to a highly durable, low-latency storage. For example, suppose you receive an ARN to the logical KMS key. This represents the top of a key hierarchy, or cryptographic context, for you. You can create multiple KMS keys within your account and set policies on your KMS keys like any other Amazon named resource.

Within the hierarchy of a specific KMS key, the HBK can be thought of as a version of the KMS key. When you want to rotate the KMS key through Amazon KMS, a new HBK is created and associated with the KMS key as the active HBK for the KMS key. The older HBKs are preserved and can be used to decrypt and verify previously protected data. But only the active cryptographic key can be used to protect new information.

You can make requests through Amazon KMS to use your KMS keys to directly protect information or request additional HSM-generated keys that are protected under your KMS key. These keys are called customer data keys, or CDKs. CDKs can be returned encrypted as ciphertext (CT), in plaintext, or both. All objects encrypted under a KMS key (either customer-supplied data or HSM-generated keys) can be decrypted only on an HSM via a call through Amazon KMS.

The returned ciphertext, or the decrypted payload, is never stored within Amazon KMS. The information is returned to you over your TLS connection to Amazon KMS. This also applies to calls made by Amazon services on your behalf.

The key hierarchy and the specific key properties appear in the following table.

¹ Amazon KMS might from time to time relax domain key rotation to at most weekly to account for domain administration and configuration tasks.

² Default Amazon managed keys created and managed by Amazon KMS on your behalf are automatically rotated annually.

Key identifiers (KeyId)

Key identifiers act like names for your KMS keys. They help you to recognize your KMS keys in the console. You use them to indicate which KMS keys you want to use in Amazon KMS API operations, key policies, IAM policies, and grants. The key identifier values are completely unrelated to the key material associated with the KMS key.

Amazon KMS defines several key identifiers. When you create a KMS key, Amazon KMS generates a key ARN and key ID, which are properties of the KMS key. When you create an alias, Amazon KMS generates an alias ARN based on the alias name that you define. You can view the key and alias identifiers in the Amazon Web Services Management Console and in the Amazon KMS API.

In the Amazon KMS console, you can view and filter KMS keys by their key ARN, key ID, or alias name, and sort by key ID and alias name. For help finding the key identifiers in the console, see Find the key ID and key ARN.

In the Amazon KMS API, the parameters you use to identify a KMS key are named KeyId or a variation, such as TargetKeyId or DestinationKeyId. However, the values of those parameters are not limited to key IDs. Some can take any valid key identifier. For information about the values for each parameter, see the parameter description in the Amazon Key Management Service API Reference.

Amazon KMS supports the following key identifiers.