Amazon Key Management Service - Getting Started with Amazon Web Services in China
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Key Management Service

Amazon Key Management Service (Amazon KMS) makes it easy for you to create and manage keys and control the use of encryption across a wide range of Amazon services and in your applications. Amazon KMS is a secure and resilient service that uses hardware security modules to protect your keys. Amazon KMS is integrated with Amazon CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

Region Availability

Amazon Key Management Service is available in the following regions in China:

  • Beijing Region

  • Ningxia Region

Feature Availability and Implementation Differences

The Amazon Web Services in China implementation of Amazon Key Management Service is unique in the following ways:

  • The hardware security modules (HSMs) that Amazon KMS uses to protect KMS keys in the China Regions comply with all pertinent Chinese regulations. Amazon KMS uses OSCCA certified HSMs to protect KMS keys in China Regions. However, KMS HSMs in China Regions have not been validated under the FIPS 140-2 Cryptographic Module Validation Program.

  • To import key material into a symmetric encryption Amazon KMS key in China Regions, the key material must be 128 bits of binary data. Amazon KMS supports the SM2PKE wrapping algorithm in China Regions for wrapping imported RSA, ECC, and SM2 key material.

  • The Custom Key Stores feature is not available in the China Regions.

    The following custom key store management APIs are not supported:

    • ConnectCustomKeyStore

    • CreateCustomKeyStore

    • DeleteCustomKeyStore

    • DescribeCustomKeyStores

    • DisconnectCustomKeyStore

    • UpdateCustomKeyStore

    If you attempt to call these APIs, the request fails with an UnknownOperationException error.

  • Amazon services that integrate with Amazon KMS in other Amazon Regions might not be integrated in the China Regions, even if those services are available in the China Regions. To find a list of services that integrate with Amazon KMS in the China Regions, see Amazon Service Integration.

  • The Amazon KMS Cryptographic Details documentation that is discussed in the Amazon Key Management Service Developer Guide does not describe the implementation of Amazon KMS in the China Regions.

  • The Hybrid Post-Quantum TLS feature, which enables you to use hybrid post-quantum TLS key exchange algorithms for your requests to Amazon KMS, is not available in the China Regions.

  • Amazon KMS supports Transport Layer Security (TLS) 1.0 through 1.3 for endpoints in China Regions.

  • Multi-Region keys are not available in the China Regions. You cannot create multi-Region primary keys or multi-Region replica keys in the aws-cn partition. As a result, the following APIs are not supported:

    • ReplicateKey

    • UpdatePrimaryRegion
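The differences listed above are easy to trip over when code written against the standard partition is pointed at the Beijing or Ningxia Region. The following is an added example, not Amazon's code, that turns them into local pre-flight checks: it derives the partition from the key ARN, refuses the operations this page says are unsupported before they are sent, enforces the 128-bit import length, and recognises the UnknownOperationException error code in a botocore-style error response. Assumptions not on this page: the 256-bit import length for the standard aws partition (from the KMS Developer Guide), that SM2PKE is offered only in the China Regions, and the constructed account and key ids.

```python
"""Local pre-flight checks for Amazon KMS requests in the China Regions.

Constructed example (not Amazon's code). The operation names, the 128-bit
import length and the UnknownOperationException code come from this page;
the 256-bit figure for the standard partition is from the KMS Developer Guide.
"""
from __future__ import annotations

from dataclasses import dataclass

CHINA_PARTITION = "aws-cn"
CHINA_REGIONS = frozenset({"cn-north-1", "cn-northwest-1"})  # Beijing, Ningxia

# Custom key store management APIs that are not supported in the China Regions.
CUSTOM_KEY_STORE_OPS = frozenset({
    "ConnectCustomKeyStore", "CreateCustomKeyStore", "DeleteCustomKeyStore",
    "DescribeCustomKeyStores", "DisconnectCustomKeyStore", "UpdateCustomKeyStore",
})
# Multi-Region key APIs that are not supported in the China Regions.
MULTI_REGION_OPS = frozenset({"ReplicateKey", "UpdatePrimaryRegion"})
UNSUPPORTED_IN_CHINA = CUSTOM_KEY_STORE_OPS | MULTI_REGION_OPS

# Required length of key material imported into a symmetric encryption key:
# 128 bits in the China Regions (this page), 256 bits in the aws partition.
SYMMETRIC_IMPORT_BYTES = {"aws-cn": 16, "aws": 32}


class UnsupportedInRegion(Exception):
    """Raised locally, before the request is sent, for an API absent in the partition."""


@dataclass(frozen=True)
class KmsArn:
    partition: str
    region: str
    account: str
    resource: str


def parse_kms_arn(arn: str) -> KmsArn:
    """Split arn:<partition>:kms:<region>:<account>:<resource> and sanity-check it."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms":
        raise ValueError(f"not a KMS ARN: {arn!r}")
    partition, region, account, resource = parts[1], parts[3], parts[4], parts[5]
    # A China Region always lives in the aws-cn partition, and only China Regions do.
    if (region in CHINA_REGIONS) != (partition == CHINA_PARTITION):
        raise ValueError(f"partition {partition!r} does not match region {region!r}")
    return KmsArn(partition, region, account, resource)


def operation_available(operation: str, partition: str) -> bool:
    """False for the APIs the China Regions answer with UnknownOperationException."""
    return not (partition == CHINA_PARTITION and operation in UNSUPPORTED_IN_CHINA)


def wrapping_algorithm_available(algorithm: str, partition: str) -> bool:
    """SM2PKE (listed on this page for RSA, ECC and SM2 key material) is assumed
    to be offered only in the China Regions; other algorithms are not gated here."""
    return algorithm != "SM2PKE" or partition == CHINA_PARTITION


def check_symmetric_import_material(material: bytes, partition: str) -> None:
    """Enforce the partition-specific key material length before calling ImportKeyMaterial."""
    expected = SYMMETRIC_IMPORT_BYTES[partition]
    if len(material) != expected:
        raise ValueError(
            f"key material must be {expected * 8} bits in partition {partition}, "
            f"got {len(material) * 8}"
        )


def is_unknown_operation(error_response: dict) -> bool:
    """Recognise the service-side answer to an unsupported API.

    Takes the dict shape that botocore exposes as ClientError.response.
    """
    return error_response.get("Error", {}).get("Code") == "UnknownOperationException"


def preflight(operation: str, key_arn: str, material: bytes | None = None,
              wrapping_algorithm: str = "RSAES_OAEP_SHA_256") -> str:
    """Run all local checks; return the partition the request would go to."""
    arn = parse_kms_arn(key_arn)
    if not operation_available(operation, arn.partition):
        raise UnsupportedInRegion(f"{operation} is not available in the China Regions")
    if not wrapping_algorithm_available(wrapping_algorithm, arn.partition):
        raise UnsupportedInRegion(f"{wrapping_algorithm} is not offered in {arn.partition}")
    if material is not None:
        check_symmetric_import_material(material, arn.partition)
    return arn.partition


if __name__ == "__main__":
    # Constructed key ARN; the account id and key id are placeholders.
    cn_key = "arn:aws-cn:kms:cn-north-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    print(preflight("ImportKeyMaterial", cn_key, material=bytes(16)))
    try:
        preflight("ReplicateKey", cn_key)
    except UnsupportedInRegion as exc:
        print("blocked locally:", exc)
```

Wiring `preflight` in front of every KMS call gives a clear local error with the reason, while `is_unknown_operation` still catches the case where a call slips through and the service itself rejects it.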

Guides and References

Amazon Web Services in China user guides are available in HTML and PDF, in both Chinese and English. API references are available in HTML and PDF. Some API references may be available only in English. Currently, not all API references are available in the Beijing and Ningxia Regions. Links to some API references will take you to the global Amazon Web Services site. Note that some features and functionality described in the guides and references may not be available in the current Amazon Web Services in China release.

General Information About Amazon Web Services in China

The following information applies to all Amazon Web Services that are available in the China Regions.

Amazon Web Services Accounts in the China Regions

To use services in the Beijing and Ningxia Regions, you need an account and credentials specific to each of those Regions.

  • Accounts and credentials for other Amazon Regions will not work for services operating in the Beijing and Ningxia Regions.

  • Accounts and credentials for the Beijing and Ningxia Regions will not work for other Amazon Regions.

  • For more information, see Signup, Accounts, and Credentials.

Domain for Amazon Web Services in China

The domain for Amazon Web Services in China is www.amazonaws.cn.

Endpoints & Amazon Resource Names (ARNs)

For information about endpoints and ARNs in Amazon Web Services in China, see Endpoints and ARNs for Amazon Web Services in China.

Availability Zones for the China Regions

  • In the Beijing Region, there are three Availability Zones.

  • In the Ningxia Region, there are three Availability Zones.

General Information for Amazon Web Services in China

The following applies to all Amazon Web Services that are available in the China Regions. For detailed information about specific Amazon Web Services, see the service-specific topic in this guide.

  • Amazon Identity and Access Management (IAM)

    • You can grant or deny a service access to resources using the Principal policy element.

    • Service principal values vary by Region.

  • EC2-Classic Platform

    • The EC2-Classic platform is not supported.

  • Free Usage Tier

    • The free usage tier is supported in the Ningxia Region.

    • The free usage tier is not supported in the Beijing Region.

Amazon Web Services Console

The console for Amazon Web Services in China is unique to China. The screenshots in the Amazon Web Services guides might differ from what you see on your console. For information about differences in service functionality, see the topics for each service in this guide.

Code Examples

The Amazon Web Services documentation might include endpoints and ARNs in code examples that are not specific to the Beijing and Ningxia Regions. When using examples, verify you are using the endpoints and ARNs for your Region.
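A copied example usually carries a standard-partition endpoint and ARN, and the mismatch only surfaces as a confusing error at run time. The following is an added example, not Amazon's code, that checks an example's endpoint URL and key ARN against the Region you actually use and rewrites their partition and Region parts. It assumes, beyond what this page states, that KMS service endpoints take the form kms.<region>.amazonaws.com.cn in the China Regions and kms.<region>.amazonaws.com elsewhere; the account and key ids are constructed placeholders, and the rewritten ARN still has to name a key that exists in your own account and Region.

```python
"""Cross-check a documentation example's endpoint and ARN against your Region.

Constructed example (not Amazon's code). Assumption not stated on this page:
KMS endpoints are kms.<region>.amazonaws.com.cn in the China Regions and
kms.<region>.amazonaws.com in the standard partition.
"""
from __future__ import annotations

from urllib.parse import urlparse

CHINA_REGIONS = frozenset({"cn-north-1", "cn-northwest-1"})  # Beijing, Ningxia
ENDPOINT_SUFFIX = {"aws-cn": ".amazonaws.com.cn", "aws": ".amazonaws.com"}


def partition_for_region(region: str) -> str:
    return "aws-cn" if region in CHINA_REGIONS else "aws"


def endpoint_partition_region(endpoint_url: str) -> tuple[str, str]:
    """Return (partition, region) encoded in a kms.<region><suffix> hostname."""
    host = (urlparse(endpoint_url).hostname or "").lower()
    for partition, suffix in ENDPOINT_SUFFIX.items():
        if host.endswith(suffix):
            labels = host[: -len(suffix)].split(".")
            if len(labels) == 2 and labels[0] == "kms":
                return partition, labels[1]
    raise ValueError(f"unrecognised KMS endpoint: {endpoint_url!r}")


def arn_partition_region(arn: str) -> tuple[str, str]:
    """Return (partition, region) from arn:<partition>:<service>:<region>:..."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[1], parts[3]


def findings(endpoint_url: str, arn: str, my_region: str) -> list[str]:
    """List every way the example disagrees with the Region you actually use."""
    out: list[str] = []
    my_partition = partition_for_region(my_region)
    ep_partition, ep_region = endpoint_partition_region(endpoint_url)
    arn_partition, arn_region = arn_partition_region(arn)
    if (ep_partition, ep_region) != (my_partition, my_region):
        out.append(f"endpoint targets {ep_region} ({ep_partition}); "
                   f"you use {my_region} ({my_partition})")
    if arn_partition != my_partition:
        out.append(f"ARN partition {arn_partition!r} should be {my_partition!r}")
    if arn_region != my_region:
        out.append(f"ARN region {arn_region!r} should be {my_region!r}")
    return out


def rewrite_for_region(endpoint_url: str, arn: str, my_region: str) -> tuple[str, str]:
    """Return the endpoint and ARN addressed to your Region and partition.

    Only the addressing parts change; the account id and key id are kept and
    must still refer to a key that exists in your Region.
    """
    my_partition = partition_for_region(my_region)
    endpoint = f"https://kms.{my_region}{ENDPOINT_SUFFIX[my_partition]}"
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    parts[1], parts[3] = my_partition, my_region
    return endpoint, ":".join(parts)


if __name__ == "__main__":
    # Constructed values in the shape a standard-partition example would carry.
    doc_endpoint = "https://kms.us-east-1.amazonaws.com"
    doc_arn = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    for line in findings(doc_endpoint, doc_arn, "cn-north-1"):
        print("mismatch:", line)
    print(rewrite_for_region(doc_endpoint, doc_arn, "cn-north-1"))
```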