Amazon Key Management Service - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Key Management Service

Amazon Key Management Service (Amazon KMS) is an Amazon managed service that makes it easy for you to create and control the encryption keys that are used to encrypt your data. The Amazon KMS keys that you create in Amazon KMS are protected by FIPS 140-2 validated hardware security modules (HSM). They never leave Amazon KMS unencrypted. To use or manage your KMS keys, you interact with Amazon KMS.

Why use Amazon KMS?

When you encrypt data, you need to protect your encryption key. If you encrypt your key, you need to protect its encryption key. Eventually, you must protect the highest level encryption key (known as a root key) in the hierarchy that protects your data. That's where Amazon KMS comes in.

Root key protect the data keys that protect your data

Amazon KMS protects your root keys. KMS keys are created, managed, used, and deleted entirely within Amazon KMS. They never leave the service unencrypted. To use or manage your KMS keys, you call Amazon KMS.

Amazon KMS protects your root keys

Additionally, you can create and manage key policies in Amazon KMS, ensuring that only trusted users have access to KMS keys.

Amazon KMS in Amazon Web Services Regions

The Amazon Web Services Regions in which Amazon KMS is supported are listed in Amazon Key Management Service Endpoints and Quotas. If an Amazon KMS feature is not supported in an Amazon Web Services Region that Amazon KMS supports, the regional difference is described in the topic about the feature.

Amazon KMS pricing

As with other Amazon products, using Amazon KMS does not require contracts or minimum purchases. For more information about Amazon KMS pricing, see Amazon Key Management Service Pricing.

Amazon KMS service level agreement

Amazon Key Management Service is backed by a service level agreement that defines our service availability policy.