KMS creates and manages encryption keys for a variety of AWS services or for your applications.
KMS can be used with CloudTrail to audit keys access history.
KMS can automatically rotate your keys every year, with no need to re-encrypt existing data.
Customer master keys (CMKs) are the primary resources in KMS.
KMS is a multi-tenant HSM.
A Hardware Security Module (HSM) is specialized, tamper-proof hardware for storing your keys.
KMS is compliant up to FIPS 140-2 Level 2.
KMS stores master keys (not data keys).
Master keys are used to encrypt data keys; this is called envelope encryption.
KMS supports two types of keys: symmetric and asymmetric.
Symmetric: a single 256-bit key, used for both encryption and decryption.
Asymmetric: a pair of keys (a public key and a private key).
Important KMS APIs to remember:
aws kms create-key | Creates unique customer managed master key (CMK) in your AWS account
aws kms encrypt | Encrypts plaintext into ciphertext by using a customer master key (CMK)
aws kms decrypt | Decrypts ciphertext that was encrypted by an AWS KMS customer master key (CMK)
aws kms re-encrypt | Decrypts ciphertext and then re-encrypts it within AWS KMS
aws kms enable-key-rotation | Enables automatic rotation of the key material for the specified symmetric customer master key (CMK). You cannot perform this operation on a CMK in a different AWS account.