
AWS Key Management Service (KMS) — Beginner-Friendly Notes

Big Picture: What Problem Does KMS Solve?

When you store important data such as files, passwords, database records, or backups, you want that data locked so that hackers can’t read it, AWS employees can’t access it, and only the right people or services can unlock it. This locking mechanism is called encryption. The hardest part of encryption is not locking the data, but protecting the keys that do the locking. AWS Key Management Service (KMS) exists to solve this exact problem by securely managing encryption keys for you.


What Is AWS KMS? (Plain English)

AWS KMS is a managed service that protects encryption keys. It is responsible for creating keys, storing them securely, controlling who can use them, and keeping an audit record of every key usage. KMS does not store your data. Instead, it protects the keys that encrypt and decrypt your data, while the data itself remains in services like S3, EBS, or RDS.


Where Does KMS Live?

Regional Service

KMS is a regional service: each AWS Region runs its own independent KMS, and a key exists only in the Region where it was created. A standard key created in us-east-1 is unknown to KMS in eu-west-1, so ciphertext produced under it can only be decrypted by calling KMS in us-east-1, wherever the data itself is stored. The exception is multi-Region keys, which replicate the same key material into other Regions under related key IDs so that ciphertext can be decrypted in any of them.

Public AWS Service

KMS does not run inside your VPC. It is reached over TLS through AWS public service endpoints, or through a VPC interface endpoint (AWS PrivateLink) if you want the traffic to stay off the public internet. Services such as S3, EBS, or RDS call KMS on your behalf when they encrypt or decrypt your data, which is why you rarely call it directly for service-side encryption.


The Core Concept: KMS Keys

A KMS key is a logical key: an identifier (a key ID and ARN) with metadata such as an alias, a key policy, and a rotation setting, which you can see in the AWS console and attach permissions to. The cryptographic key material behind it is held by KMS and is never exposed to you.

How Are KMS Keys Protected?

Behind the scenes, KMS keeps key material in Hardware Security Modules (HSMs): physical, tamper-resistant devices validated under the FIPS 140 standard (originally at FIPS 140-2 Level 2; AWS has since obtained FIPS 140-3 Level 3 validation for the KMS HSMs). The HSMs are built so that key material can be used inside them but never exported in plaintext. This protects the key itself, not its use: anyone the key policy allows to call Decrypt can still decrypt, so the permission model described later matters as much as the hardware.


Critical Rule to Remember

KMS keys never leave KMS in plaintext. You can ask KMS to encrypt, decrypt, sign, or generate data keys with a key, but you can never download the key material itself. Two caveats: for an asymmetric KMS key only the private half is locked inside KMS, and the public key can be fetched with GetPublicKey; and if you import your own key material (BYOK), it goes in but still never comes back out.


Can KMS Encrypt Data Directly?

Yes, but only small amounts. The Encrypt API accepts up to 4 KB (4,096 bytes) of plaintext for a symmetric key, which is enough for passwords, API tokens, and other small secrets. Every call is a network round trip to KMS, so encrypting large or numerous objects this way would be slow and costly even without the size cap; anything larger than 4 KB needs a different approach.


Data Encryption Keys (DEKs) — The Key to Large Data

Encrypting large files directly with KMS would be slow, expensive, and not scalable. To solve this, AWS uses envelope encryption.

Envelope Encryption (Simple View)

Your data is encrypted using a Data Encryption Key (DEK). The DEK itself is then encrypted using a KMS key. In other words, your data is locked by the DEK, and the DEK is locked by the KMS key.


What Is a Data Encryption Key (DEK)?

A DEK is a symmetric key that KMS generates on request (the GenerateDataKey API) and that your application uses to encrypt a large object such as a file, an S3 object, or a database volume. KMS does not store DEKs; it returns them and forgets them.

When a DEK is generated, KMS returns two versions:

  • Plaintext DEK: Used immediately to encrypt data and then discarded
  • Encrypted DEK: Encrypted using the KMS key and stored alongside the encrypted data

Even if someone steals the encrypted DEK together with the ciphertext, it is useless without permission to call Decrypt on the KMS key that wrapped it, and every such call is recorded in CloudTrail.


How Decryption Works

To decrypt data, the encrypted DEK is sent back to KMS with the Decrypt API. If the requester is authorized, KMS unwraps the DEK, returns the plaintext version, and logs the call in CloudTrail. This plaintext DEK is then used locally to decrypt the data. KMS never sees your data; it only handles the DEK.


Access Control in KMS

KMS evaluates two kinds of policy. The key policy is always consulted and is the only policy that can grant access on its own; an IAM identity policy only counts when the key policy lets it. An explicit Deny in either policy wins over any Allow.

Key Policy (Mandatory)

The key policy is attached directly to the KMS key and acts like a resource policy. By default, KMS trusts no one: if nothing in the key policy allows a request, either by naming the principal or by delegating to IAM, the request is denied. The default key policy installed by the console and the CreateKey API contains one statement allowing the account's root principal (arn:aws:iam::<account-id>:root) to perform kms:*; that single statement is what lets IAM policies in the account grant access to the key. Remove it and no IAM policy will help.

IAM Identity Policy

IAM policies are attached to users or roles and list the KMS actions they may perform. An IAM policy that allows kms:Decrypt on a key has no effect unless the key policy delegates to the account root as described above (or names the principal directly, in which case no IAM policy is needed inside the key's own account). Cross-account use always needs both: the key policy must allow the other account or its principals, and an IAM policy in that account must allow the action.

Think of it as:

  • Key policy says: “I decide who may use this key, and whether IAM in my account may decide too”
  • IAM policy says: “Within what the key policy allows, this identity may perform this action”
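
A runnable model of that decision, as an added example (not AWS's evaluation engine and not code from these notes). It parses policy documents in the real JSON shape and applies the simplified rules just described: an explicit Deny wins, a key policy can grant a same-account principal directly, and otherwise the key policy must delegate to the caller's account root and the caller's IAM identity policy must also allow the action. Conditions, grants, service control policies and permission boundaries are deliberately left out, and the account ID 111122223333 and the role names are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// IAM lets "Action" and "Principal":{"AWS":...} be written as one string or a list.
type stringOrList []string

func (s *stringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = []string{one}
		return nil
	}
	var many []string
	err := json.Unmarshal(b, &many)
	*s = many
	return err
}

type statement struct {
	Effect    string
	Principal struct{ AWS stringOrList } // key policies name a principal; identity policies do not
	Action    stringOrList
}

type policy struct{ Statement []statement }

func mustParse(doc string) policy {
	var p policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		panic(err)
	}
	return p
}

func matchAction(pattern, action string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(action, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == action
}

func accountOf(arn string) string { return strings.Split(arn, ":")[4] }

// effects reports whether any statement matching the action allows or denies it.
// For a key policy the statement must name principal; for an identity policy pass "".
func effects(p policy, principal, action string) (allow, deny bool) {
	for _, st := range p.Statement {
		named := principal == "" // identity policies carry no Principal element
		for _, pr := range st.Principal.AWS {
			named = named || pr == principal
		}
		for _, a := range st.Action {
			if named && matchAction(a, action) {
				allow = allow || st.Effect == "Allow"
				deny = deny || st.Effect == "Deny"
			}
		}
	}
	return
}

// authorize is a simplified model of the KMS decision (no conditions, grants, SCPs or
// permission boundaries): an explicit Deny anywhere wins; inside the key's own account the
// key policy may allow the caller directly; otherwise the key policy must delegate to the
// caller's account root AND the caller's IAM identity policy must allow the action.
func authorize(keyPolicy, iamPolicy policy, keyAccount, caller, action string) bool {
	directAllow, directDeny := effects(keyPolicy, caller, action)
	rootAllow, rootDeny := effects(keyPolicy, "arn:aws:iam::"+accountOf(caller)+":root", action)
	iamAllow, iamDeny := effects(iamPolicy, "", action)
	if directDeny || rootDeny || iamDeny {
		return false
	}
	if directAllow && accountOf(caller) == keyAccount {
		return true // the key policy alone is enough inside the key's account
	}
	return (directAllow || rootAllow) && iamAllow
}

// Constructed sample documents (hypothetical account ID and role names).
const keyPolicyDoc = `{"Version": "2012-10-17", "Statement": [
  {"Sid": "Let IAM policies in this account grant access", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
  {"Sid": "Direct grant to the backup role", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup"},
   "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}`

const appIAMDoc = `{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:GenerateDataKey*"], "Resource": "*"}]}`

func main() {
	kp, iam, app := mustParse(keyPolicyDoc), mustParse(appIAMDoc), "arn:aws:iam::111122223333:role/app"
	fmt.Println("app GenerateDataKey (root delegation + IAM):", authorize(kp, iam, "111122223333", app, "kms:GenerateDataKey"))
	fmt.Println("app Decrypt (IAM does not allow it):", authorize(kp, iam, "111122223333", app, "kms:Decrypt"))
}
```

Dropping the root statement from keyPolicyDoc (the first element of Statement) is the quickest way to see the trap mentioned above: the app role's IAM policy still allows GenerateDataKey, yet the request is denied because the key policy no longer delegates to IAM.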

Types of KMS Keys

AWS-Owned Keys

These are owned and fully managed by AWS and used internally by some services. They do not appear in your account, so you cannot view, audit, or manage them.

AWS-Managed Keys

These are created automatically in your account the first time a service such as S3 or EBS needs one, under an alias of the form aws/<service> (for example aws/s3). You can see them and their use in CloudTrail, but you cannot edit their key policy, use them in your own API calls, or share them with another account. Rotation is automatic every year and cannot be turned off.

Customer-Managed Keys (Most Important)

These are keys you create and manage: you write the key policy, decide whether to enable automatic rotation, can disable the key or schedule its deletion, and can grant cross-account access. These are the keys most commonly tested on exams.


Key Rotation (Simple Explanation)

Automatic key rotation generates new backing key material for a KMS key on a schedule (yearly by default for customer-managed keys) while the key's ID, ARN, and aliases stay the same. KMS retains every previous version: ciphertext encrypted under older material is still decrypted transparently, because the ciphertext records which version was used, and new encryptions use the latest version. Nothing you have stored has to be re-encrypted, which is what makes enabling rotation safe. Two practical notes: rotation changes only the KMS key, so a DEK wrapped last year stays wrapped under last year's material until you re-wrap it (the ReEncrypt API does this without exposing the DEK); and rotation does not fix a permissive key policy, since anyone who could call Decrypt before can still do so after.
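
What “old versions can still decrypt” looks like mechanically, as an added example in Go that is not from the original notes or from AWS: a rotatingKey type of this example's own design keeps every version of its backing material behind one unchanging ARN, stamps the version number into each wrapped DEK, and picks the matching version on unwrap. The blob layout, the error names, and the ARN are invented for illustration; real KMS ciphertext carries equivalent information in a format AWS does not document.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// rotatingKey models one KMS key (one unchanging ARN) whose backing key material is rotated.
// Every version is kept; only the newest wraps new DEKs. This is the example's own model, not
// AWS code, and the blob layout (4-byte version || 12-byte nonce || GCM output) is invented.
type rotatingKey struct {
	arn      string
	versions [][]byte // index = version number; material never leaves the struct
}

func newRotatingKey(arn string) *rotatingKey {
	k := &rotatingKey{arn: arn}
	k.Rotate()
	return k
}

// Rotate adds new backing material and returns its version number. The ARN does not change,
// so key policies, service settings and stored wrapped DEKs that reference it keep working.
func (k *rotatingKey) Rotate() int {
	m := make([]byte, 32)
	if _, err := rand.Read(m); err != nil {
		panic(err)
	}
	k.versions = append(k.versions, m)
	return len(k.versions) - 1
}

func (k *rotatingKey) CurrentVersion() int { return len(k.versions) - 1 }

func gcmFor(key []byte) cipher.AEAD { // AES-256-GCM; cannot fail for a 32-byte key
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// Wrap encrypts a DEK under the current version and records that version in a header
// that is also authenticated as AAD, so it cannot be altered to point at another version.
func (k *rotatingKey) Wrap(dek []byte) []byte {
	hdr := make([]byte, 4)
	binary.BigEndian.PutUint32(hdr, uint32(k.CurrentVersion()))
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	g := gcmFor(k.versions[k.CurrentVersion()])
	return append(append(hdr, nonce...), g.Seal(nil, nonce, dek, hdr)...)
}

// Unwrap reads the version from the header and uses that retained material, which is why
// a blob wrapped before a rotation still decrypts without anyone re-encrypting it.
func (k *rotatingKey) Unwrap(blob []byte) ([]byte, error) {
	if len(blob) < 4+12 {
		return nil, errors.New("InvalidCiphertextException")
	}
	v := int(binary.BigEndian.Uint32(blob[:4]))
	if v >= len(k.versions) {
		return nil, errors.New("InvalidCiphertextException: unknown key version")
	}
	g, rest := gcmFor(k.versions[v]), blob[4:]
	dek, err := g.Open(nil, rest[:12], rest[12:], blob[:4])
	if err != nil {
		return nil, errors.New("InvalidCiphertextException")
	}
	return dek, nil
}

// VersionOf reports which backing key a stored blob (at least 4 bytes) was wrapped under.
func VersionOf(blob []byte) int { return int(binary.BigEndian.Uint32(blob[:4])) }

// ReWrap plays the role of the KMS ReEncrypt API: it moves an old blob to the current
// version inside the key boundary, so the plaintext DEK is never handed to the caller.
func (k *rotatingKey) ReWrap(blob []byte) ([]byte, error) {
	dek, err := k.Unwrap(blob)
	if err != nil {
		return nil, err
	}
	return k.Wrap(dek), nil
}

func main() {
	key := newRotatingKey("arn:aws:kms:us-east-1:111122223333:key/example") // hypothetical ARN
	dek := []byte("0123456789abcdef0123456789abcdef") // 32 bytes standing in for GenerateDataKey output
	old := key.Wrap(dek)
	key.Rotate()
	_, err := key.Unwrap(old)
	fmt.Printf("%s: version-%d blob still decrypts after rotation: %v; new blobs use version %d\n", key.arn, VersionOf(old), err == nil, key.CurrentVersion())
}
```

Running it shows the old blob still carrying version 0 after the rotation and still unwrapping, while anything wrapped afterwards carries version 1; ReWrap is the step that moves existing blobs forward if you want old material to become unused.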