KMS (Key Management Service)
💡 Definition
AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications.
🔑 Key Concepts
- CMK (Customer Master Key): The primary resource in KMS. It contains the key material used to encrypt and decrypt data.
- Symmetric vs Asymmetric: KMS supports both symmetric keys (same key for encryption/decryption) and asymmetric keys (public/private key pairs).
- Managed Keys vs Customer Managed Keys:
- AWS Managed Keys: Created, managed, and used on your behalf by an AWS service (free to store).
- Customer Managed Keys: You create, manage, and delete them (paid).
- Integration: Seamlessly integrated with most AWS services (e.g., EBS, S3, RDS) to encrypt data at rest.
⚙️ How it Works
- Create Key: Create a CMK in KMS.
- Set Policy: Define who can administer the key and who can use it for encryption/decryption.
- Use Key: Configure an AWS service (like an S3 bucket) to use that key to encrypt data.
🎯 Use Cases
- Data at Rest Encryption: Encrypting data stored in AWS services.
- Key Management: Centralized control over the lifecycle of cryptographic keys.
- Audit & Compliance: Tracking key usage via CloudTrail logs for compliance.
💰 Pricing Model
- Storage: $1/month per Customer Managed Key.
- Requests: Charged per API request (e.g., each time a file is decrypted).
📝 Exam Tips (CLF-C02)
- KMS is for managing encryption keys.
- It is a regional service.
- Used for Data at Rest encryption.
- Integrates with CloudTrail to log key usage (important for auditing).
See Also: * Data at Rest * S3 * EBS