Connect to Amazon KMS through a VPC endpoint
You can connect directly to Amazon KMS through a private interface endpoint in your virtual private cloud (VPC). When you use an interface VPC endpoint, communication between your VPC and Amazon KMS is conducted entirely within the Amazon network.
Amazon KMS supports Amazon Virtual Private Cloud (Amazon VPC) endpoints powered by Amazon PrivateLink. Each VPC endpoint is represented by one or more Elastic Network Interfaces (ENIs) with private IP addresses in your VPC subnets.
The interface VPC endpoint connects your VPC directly to Amazon KMS without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. The instances in your VPC do not need public IP addresses to communicate with Amazon KMS.
Regions
Amazon KMS supports VPC endpoints and VPC endpoint policies in all Amazon Web Services Regions in which Amazon KMS is supported.
Considerations for Amazon KMS VPC endpoints
Before you set up an interface VPC endpoint for Amazon KMS, review the Interface endpoint properties and limitations topic in the Amazon PrivateLink Guide.
Amazon KMS support for a VPC endpoint includes the following.
- You can use your VPC endpoint to call all Amazon KMS API operations from your VPC.
- You can create an interface VPC endpoint that connects to an Amazon KMS region endpoint or an Amazon KMS FIPS endpoint.
- You can use Amazon CloudTrail logs to audit your use of KMS keys through the VPC endpoint. For details, see Logging Amazon KMS requests that use a VPC endpoint.
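As an added example (not from the Amazon KMS documentation), the following Python check runs over constructed CloudTrail records and separates KMS calls that came through the expected VPC endpoint from calls that reached the regional endpoint directly or came through some other endpoint. CloudTrail includes a vpcEndpointId field on requests made through an interface endpoint; the endpoint ids, account id, ARNs and IP addresses below are made up.

```python
"""Audit which path KMS API calls took, using the vpcEndpointId field CloudTrail
records for requests that arrive through an interface VPC endpoint."""
import json

# Constructed values: the KMS interface endpoint we expect our workloads to use.
EXPECTED_VPCE = "vpce-0123456789abcdef0"
# Event sources for KMS in the global and China partitions.
KMS_EVENT_SOURCES = {"kms.amazonaws.com", "kms.amazonaws.com.cn"}

# Constructed CloudTrail records, trimmed to the fields this check needs.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "sourceIPAddress": "10.0.1.25", "vpcEndpointId": EXPECTED_VPCE,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "sourceIPAddress": "203.0.113.7",                       # no vpcEndpointId
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Encrypt",
     "sourceIPAddress": "10.0.2.9", "vpcEndpointId": "vpce-0fedcba9876543210",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app/i-0def"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.7"},                      # not KMS, ignored
]})


def audit_kms_path(cloudtrail_json: str, expected_vpce: str) -> dict[str, list[str]]:
    """Group KMS calls by how they reached the service.

    'expected'       : came through expected_vpce
    'other-endpoint' : came through a different vpce-... id (e.g. another VPC)
    'public'         : no vpcEndpointId, so the request used the regional endpoint
    Each entry is a short 'eventName by identity from sourceIPAddress' summary.
    """
    result: dict[str, list[str]] = {"expected": [], "other-endpoint": [], "public": []}
    for rec in json.loads(cloudtrail_json)["Records"]:
        if rec.get("eventSource") not in KMS_EVENT_SOURCES:
            continue
        vpce = rec.get("vpcEndpointId")
        bucket = ("public" if vpce is None
                  else "expected" if vpce == expected_vpce
                  else "other-endpoint")
        who = rec.get("userIdentity", {}).get("arn", "<unknown>")
        result[bucket].append(f"{rec['eventName']} by {who} from {rec.get('sourceIPAddress')}")
    return result


if __name__ == "__main__":
    for path, calls in audit_kms_path(SAMPLE_RECORDS, EXPECTED_VPCE).items():
        print(f"{path}: {calls}")
```

Records for calls that an Amazon service makes on your behalf (those with an invokedBy field) will not carry a vpcEndpointId, so treat the 'public' bucket as a list to review rather than as a definite policy violation.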