Amazon Key Management Service

Amazon Key Management Service (Amazon KMS) is a managed service that makes it easy for you to create and control the cryptographic keys that are used to protect your data. Amazon KMS uses hardware security modules (HSM) to protect and validate your Amazon KMS keys under the FIPS 140-2 Cryptographic Module Validation Program. China (Beijing) and China (Ningxia) Regions do not support the FIPS 140-2 Cryptographic Module Validation Program. Amazon KMS uses OSCCA certified HSMs to protect KMS keys in China Regions.

Amazon KMS integrates with most other Amazon services that encrypt your data. Amazon KMS also integrates with Amazon CloudTrail to log use of your KMS keys for auditing, regulatory, and compliance needs.

You can use the Amazon KMS API to create and manage KMS keys and special features, such as custom key stores, and use KMS keys in cryptographic operations. For detailed information, see the Amazon Key Management Service API Reference.

You can create and manage your Amazon KMS keys:

Create, edit, and view symmetric and asymmetric KMS keys, including HMAC keys.
Control access to your KMS keys by using key policies, IAM policies, and grants. Amazon KMS supports attribute-based access control (ABAC). You can also refine policies by using condition keys.
Create, delete, list, and update aliases, friendly names for your KMS keys. You can also use aliases to control access to your KMS keys.
Tag your KMS keys for identification, automation, and cost tracking. You can also use tags to control access to your KMS keys.
Enable and disable KMS keys.
Enable and disable automatic rotation of the cryptographic material in a KMS key.
Delete KMS keys to complete the key lifecycle.

You can use your KMS keys in cryptographic operations. For examples, see Programming the Amazon KMS API.

Encrypt, decrypt, and re-encrypt data with symmetric or asymmetric KMS keys.
Sign and verify messages with asymmetric KMS keys.
Generate exportable symmetric data keys and asymmetric data key pairs.
Generate and verify HMAC codes.
Derive shared secrets with asymmetric KMS keys.
Generate random numbers suitable for cryptographic applications.

You can use the advanced features of Amazon KMS.

Create multi-Region keys, which act like copies of the same KMS key in different Amazon Web Services Regions.
Import cryptographic material into a KMS key.
Create KMS keys in an Amazon CloudHSM key store backed by your Amazon CloudHSM cluster.
Create KMS keys in an external key store backed by your cryptographic keys outside of Amazon.
Connect directly to Amazon KMS through a private endpoint in your VPC.
Use hybrid post-quantum TLS to provide forward-looking encryption in transit for the data that you send to Amazon KMS.

By using Amazon KMS, you gain more control over access to data you encrypt. You can use the key management and cryptographic features directly in your applications or through Amazon services integrated with Amazon KMS. Whether you write applications for Amazon or use Amazon services, Amazon KMS enables you to maintain control over who can use your Amazon KMS keys and gain access to your encrypted data.

Amazon KMS integrates with Amazon CloudTrail, a service that delivers log files to your designated Amazon S3 bucket. By using CloudTrail you can monitor and investigate how and when your KMS keys have been used and who used them.

Amazon KMS in Amazon Web Services Regions

The Amazon Web Services Regions in which Amazon KMS is supported are listed in Amazon Key Management Service Endpoints and Quotas. If an Amazon KMS feature is not supported in an Amazon Web Services Region that Amazon KMS supports, the regional difference is described in the topic about the feature.

Amazon KMS pricing

As with other Amazon products, using Amazon KMS does not require contracts or minimum purchases. For more information about Amazon KMS pricing, see Amazon Key Management Service Pricing.

Service level agreement

Amazon Key Management Service is backed by a service level agreement that defines our service availability policy.

Learn more

To learn about the terms and concepts used in Amazon KMS, see Amazon KMS Concepts.
For information about the Amazon KMS API, see the Amazon Key Management Service API Reference. For examples in different programming languages, see Programming the Amazon KMS API.
To learn how to use Amazon CloudFormation templates to create and manage keys and aliases, see Creating Amazon KMS resources with Amazon CloudFormation and Amazon Key Management Service resource type reference in the Amazon CloudFormation User Guide.
For detailed technical information about how Amazon KMS uses cryptography and secures KMS keys, see Amazon Key Management Service Cryptographic Details. The Cryptographic Details documentation does not describe how Amazon KMS works in the China (Beijing) and China (Ningxia) Regions.
For a list of Amazon KMS endpoints, including FIPS endpoints, in each Amazon Web Services Region, see Service endpoints in the Amazon Key Management Service topic of the Amazon Web Services General Reference.
For help with questions about Amazon KMS, see the Amazon Key Management Service Discussion Forum.

Amazon KMS in the Amazon SDKs

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Concepts