
Amazon Key Management Service

Amazon Key Management Service (Amazon KMS) is a managed service that makes it easy for you to create and control the cryptographic keys that are used to protect your data. Amazon KMS uses hardware security modules (HSMs) to protect and validate your Amazon KMS keys under the FIPS 140-2 Cryptographic Module Validation Program, except in the China (Beijing) and China (Ningxia) Regions.

Amazon KMS integrates with most other Amazon services that encrypt your data. Amazon KMS also integrates with Amazon CloudTrail to log use of your KMS keys for auditing, regulatory, and compliance needs.

You can use the Amazon KMS API to create and manage KMS keys and special features, such as custom key stores, and use KMS keys in cryptographic operations. For detailed information, see the Amazon Key Management Service API Reference.

You can create and manage your Amazon KMS keys.

You can use your KMS keys in cryptographic operations. For examples, see Programming the Amazon KMS API.

  • Encrypt, decrypt, and re-encrypt data with symmetric or asymmetric KMS keys.

  • Sign and verify messages with asymmetric KMS keys.

  • Generate exportable symmetric data keys and asymmetric data key pairs.

  • Generate random numbers suitable for cryptographic applications.
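The data-key operations above are normally used for envelope encryption: KMS hands out a data key in two forms, the application encrypts its payload locally with the plaintext half and stores only the wrapped half beside the payload, then sends the wrapped half back to KMS when it needs to read the data. The following is an added example (not code from the Amazon KMS documentation or SDKs) of that pattern. The KMS client is injected: the response shapes are those of boto3's `kms.generate_data_key` and `kms.decrypt`, so `boto3.client("kms")` can replace the offline stand-in `FakeKms` (an assumed name, with constructed key material and a placeholder key ARN). The local data encryption uses an HMAC-SHA256 keystream with an HMAC tag only so the example runs on the Python standard library; real code should use AES-GCM (for example via the `cryptography` package) or the AWS Encryption SDK.

```python
"""Envelope encryption with a KMS data key (added example, not AWS code)."""
import hashlib
import hmac
import json
import os
import struct


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def _aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC; the tag also covers `aad`, so aad must match on decrypt."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, struct.pack(">I", len(aad)) + aad + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, struct.pack(">I", len(aad)) + aad + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or encryption context was altered")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


def _encode_context(context) -> bytes:
    """Canonical encoding of the KMS encryption context (key/value pairs)."""
    return json.dumps(context or {}, sort_keys=True).encode()


class FakeKms:
    """Offline stand-in (assumed name) for the two KMS calls this pattern needs.

    The root key never leaves this object, mirroring how KMS key material never
    leaves the HSMs. The real service also checks key policies, IAM policies and
    grants before answering; this stand-in only binds the encryption context.
    """

    def __init__(self, key_arn: str):
        self.key_arn = key_arn
        self._root = os.urandom(32)  # constructed "KMS key" material

    def generate_data_key(self, KeyId, KeySpec="AES_256", EncryptionContext=None):
        plaintext = os.urandom(32 if KeySpec == "AES_256" else 16)
        blob = _aead_encrypt(self._root, plaintext, _encode_context(EncryptionContext))
        return {"Plaintext": plaintext, "CiphertextBlob": blob, "KeyId": self.key_arn}

    def decrypt(self, CiphertextBlob, EncryptionContext=None, KeyId=None):
        plaintext = _aead_decrypt(self._root, CiphertextBlob, _encode_context(EncryptionContext))
        return {"Plaintext": plaintext, "KeyId": self.key_arn}


def envelope_encrypt(kms, key_id: str, plaintext: bytes, context: dict) -> dict:
    """Return what gets stored: wrapped data key, locally encrypted payload, context."""
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256", EncryptionContext=context)
    ciphertext = _aead_encrypt(resp["Plaintext"], plaintext, _encode_context(context))
    del resp["Plaintext"]  # the plaintext data key is never persisted
    return {"wrapped_key": resp["CiphertextBlob"], "ciphertext": ciphertext, "context": context}


def envelope_decrypt(kms, envelope: dict) -> bytes:
    """Ask KMS to unwrap the data key, then decrypt the payload locally."""
    resp = kms.decrypt(CiphertextBlob=envelope["wrapped_key"], EncryptionContext=envelope["context"])
    return _aead_decrypt(resp["Plaintext"], envelope["ciphertext"], _encode_context(envelope["context"]))


if __name__ == "__main__":
    # Placeholder ARN in the China partition format; the key id is constructed.
    kms = FakeKms("arn:aws-cn:kms:cn-north-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab")
    env = envelope_encrypt(kms, kms.key_arn, b"customer record", {"purpose": "records", "tenant": "acme"})
    print(envelope_decrypt(kms, env))
```

Two properties carry over to the real service: the plaintext data key exists only in memory for the duration of the call, so a leaked storage volume yields only wrapped keys that cannot be used without a successful `Decrypt` call (which CloudTrail records), and the encryption context is bound into the wrapped key, so a blob lifted from one tenant's record cannot be unwrapped under another tenant's context.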

You can use the advanced features of Amazon KMS.

By using Amazon KMS, you gain more control over access to data you encrypt. You can use the key management and cryptographic features directly in your applications or through Amazon services integrated with Amazon KMS. Whether you write applications for Amazon or use Amazon services, Amazon KMS enables you to maintain control over who can use your Amazon KMS keys and gain access to your encrypted data.

Amazon KMS integrates with Amazon CloudTrail, a service that delivers log files to your designated Amazon S3 bucket. By using CloudTrail you can monitor and investigate how and when your KMS keys have been used and who used them.
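The questions that paragraph raises (which keys were used, by whom, for which operations, and whether anything was denied) can be answered directly from the delivered log files. The following is an added example, not code from the Amazon KMS or CloudTrail documentation; the records are constructed to follow CloudTrail's JSON layout (a top-level `Records` array, `userIdentity`, `eventSource`, `eventName`, `resources`, `errorCode`), and the account id, user names and key id are placeholders. The set of management operations it flags is an assumption about what a defender typically wants alerted on, not a list from the page.

```python
"""Auditing KMS key usage from CloudTrail records (added example, not AWS code)."""
import json
from collections import Counter

# Management calls that change whether a key can be used at all. Assumed watch
# list for alerting; tune it to your environment.
SENSITIVE_EVENTS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy", "DeleteAlias", "DisableKeyRotation"}

# Placeholder ARN in the China partition format; account and key id are constructed.
KEY_ARN = "arn:aws-cn:kms:cn-north-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def _record(event: str, user: str, error: str = None) -> dict:
    """Build one constructed CloudTrail record for a KMS call."""
    rec = {
        "eventVersion": "1.08",
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws-cn:iam::111122223333:user/{user}"},
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": event,
        "awsRegion": "cn-north-1",
        "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}],
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed log file contents, as one CloudTrail delivery would look once unzipped.
SAMPLE_LOG = json.dumps({"Records": [
    _record("Decrypt", "app-backend"),
    _record("Decrypt", "app-backend"),
    _record("GenerateDataKey", "app-backend"),
    _record("Decrypt", "contractor", error="AccessDenied"),
    _record("ScheduleKeyDeletion", "admin"),
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws-cn:iam::111122223333:user/app-backend"}},
]})


def kms_events(log_text: str) -> list:
    """Keep only records emitted by the KMS API."""
    return [r for r in json.loads(log_text)["Records"] if r.get("eventSource") == "kms.amazonaws.com"]


def usage_by_key(records) -> dict:
    """{key ARN: Counter keyed by (principal ARN, operation)} over successful calls."""
    usage = {}
    for rec in records:
        if rec.get("errorCode"):
            continue
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        for res in rec.get("resources", []):
            if res.get("type") == "AWS::KMS::Key":
                usage.setdefault(res["ARN"], Counter())[(who, rec["eventName"])] += 1
    return usage


def denied_calls(records) -> list:
    """(principal, operation, error) for every KMS call that failed."""
    return [(r.get("userIdentity", {}).get("arn"), r["eventName"], r["errorCode"])
            for r in records if r.get("errorCode")]


def sensitive_changes(records) -> list:
    """(principal, operation) for successful calls on the watch list."""
    return [(r.get("userIdentity", {}).get("arn"), r["eventName"])
            for r in records if r["eventName"] in SENSITIVE_EVENTS and not r.get("errorCode")]


if __name__ == "__main__":
    recs = kms_events(SAMPLE_LOG)
    for key, counts in usage_by_key(recs).items():
        print(key)
        for (who, op), n in counts.items():
            print(f"  {n:>3}  {op:<20} {who}")
    print("denied:", denied_calls(recs))
    print("sensitive:", sensitive_changes(recs))
```

Denied calls deserve attention in both directions: a principal that should have access tells you a key policy or grant is wrong, and one that should not tells you something is probing a key it was never meant to touch. A successful `ScheduleKeyDeletion` is the call that, after the waiting period, makes every ciphertext under that key unrecoverable, so it is worth paging on rather than batching into a daily report.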

Amazon KMS in Amazon Web Services Regions

The Amazon Web Services Regions in which Amazon KMS is supported are listed in Amazon Key Management Service Endpoints and Quotas. If an Amazon KMS feature is not supported in an Amazon Web Services Region that Amazon KMS supports, the regional difference is described in the topic about the feature.

Amazon KMS pricing

As with other Amazon products, using Amazon KMS does not require contracts or minimum purchases. For more information about Amazon KMS pricing, see Amazon Key Management Service Pricing.

Service level agreement

Amazon Key Management Service is backed by a service level agreement that defines our service availability policy.

Learn more

Amazon KMS in the Amazon SDKs