AWS KMS (Key Management Service) is a managed service for creating and controlling encryption keys.
KMS keys are regional by default and cannot be exported in plaintext.
KMS uses envelope encryption: a data key encrypts your data, and that data key is in turn encrypted (wrapped) with a KMS key.
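The envelope pattern in code, as an added example that is not part of the original notes. The KMS side is replaced by a hypothetical in-memory fakeKMS whose GenerateDataKey and Decrypt methods mirror the two real KMS API calls of the same names (in production those two calls go to the KMS client; everything else stays local), so the example runs offline; alias/app-data-key is a constructed alias, and AES-256-GCM from the Go standard library stands in for the data-key cipher. Two KMS keys with different key material behind the same alias stand in for two regions, which shows why a ciphertext written in one region cannot be unwrapped by the KMS in another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// fakeKMS is a constructed stand-in for the two KMS calls envelope encryption
// needs (GenerateDataKey, Decrypt). Its master key never leaves the struct,
// just as a real KMS key cannot be exported in plaintext.
type fakeKMS struct{ master []byte }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce || AES-256-GCM ciphertext+tag. Every key in this
// program is 32 bytes, so a cipher construction failure is a bug, hence panic.
func sealGCM(key, plaintext, aad []byte) []byte {
	gcm, err := newGCM(key)
	if err != nil {
		panic(err)
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("cannot decrypt: bad key or malformed ciphertext")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// GenerateDataKey returns a fresh 256-bit data key and a copy wrapped under the
// master key. The key ID is bound as AAD, so a wrapped key is tied to that ID.
func (k fakeKMS) GenerateDataKey(keyID string) (plaintextKey, encryptedKey []byte) {
	dataKey := randomBytes(32)
	return dataKey, sealGCM(k.master, dataKey, []byte(keyID))
}

// Decrypt unwraps a data key; the caller never sees the master key. It fails if
// the blob was wrapped by a different key (e.g. a KMS in another region).
func (k fakeKMS) Decrypt(keyID string, encryptedKey []byte) ([]byte, error) {
	return openGCM(k.master, encryptedKey, []byte(keyID))
}

// envelopeEncrypt makes one GenerateDataKey call and encrypts the bulk data
// locally. Only encryptedKey and ciphertext are persisted; the plaintext data
// key is dropped when the function returns.
func envelopeEncrypt(kms fakeKMS, keyID string, plaintext []byte) (encryptedKey, ciphertext []byte) {
	dataKey, wrapped := kms.GenerateDataKey(keyID)
	return wrapped, sealGCM(dataKey, plaintext, nil)
}

// envelopeDecrypt makes one KMS Decrypt call to unwrap the data key, then
// decrypts the bulk data locally.
func envelopeDecrypt(kms fakeKMS, keyID string, encryptedKey, ciphertext []byte) ([]byte, error) {
	dataKey, err := kms.Decrypt(keyID, encryptedKey)
	if err != nil {
		return nil, err
	}
	return openGCM(dataKey, ciphertext, nil)
}

// demoRoundTrip encrypts msg under a constructed alias and decrypts it with the
// same KMS; it also returns the error a KMS in another region (different key
// material behind the same alias) produces when asked to unwrap the data key.
func demoRoundTrip(msg string) (decrypted string, otherRegionErr, err error) {
	const keyID = "alias/app-data-key" // constructed example alias
	usEast, euWest := fakeKMS{randomBytes(32)}, fakeKMS{randomBytes(32)}
	encKey, ct := envelopeEncrypt(usEast, keyID, []byte(msg))
	pt, err := envelopeDecrypt(usEast, keyID, encKey, ct)
	_, otherRegionErr = envelopeDecrypt(euWest, keyID, encKey, ct)
	return string(pt), otherRegionErr, err
}

func main() {
	pt, regionErr, err := demoRoundTrip("customer record 42")
	fmt.Printf("decrypted=%q err=%v\nother region: %v\n", pt, err, regionErr)
}
```

Two properties of the pattern are visible here: the application makes exactly one KMS call per object on each side (GenerateDataKey to write, Decrypt to read) while the bulk data never crosses the wire, and the stored encrypted data key is useless to anyone who cannot call Decrypt on the KMS key that wrapped it.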
Two types:
Symmetric keys (default, commonly used, support automatic rotation).
Asymmetric keys (public/private pair, cannot be rotated automatically).
You can:
Create, enable/disable, and delete keys.
Enable automatic rotation (once per year) only for symmetric customer-managed CMKs.
Services like S3, EBS, RDS, Lambda support SSE-KMS (Server-Side Encryption with KMS).
AWS-managed keys (e.g., aws/s3) are created automatically by services:
Cannot be used directly in cryptographic operations (Encrypt, Decrypt APIs).
Best for convenience, not full control.
For more flexibility, use customer-managed CMKs.
Common API operations:
Typical pattern:
KMS can be used in multi-tenant solutions, but:
Careful architecture is required.
You can isolate tenants by using separate CMKs, resource tags, or fine-grained policies.
At a minimum, be familiar with:
How KMS works and integrates with services.
Difference between AWS-managed and customer-managed keys.
Which keys support rotation.
Basics of envelope encryption.
Common KMS API usage patterns.