Skip to the content.
AWS Developer Associate

AWS KMS (Key Management Service)

KMS - Customer Master Key (CMK) Types

Symmetric (AES-256 keys)

Asymmetric (RSA and ECC key pairs)

KMS - Key Management System

KMS - Key Policies

Cross account copying of snapshots

  1. When we create a snapshot, it will be encrypted with our CMK
  2. We should attach a KMS key policy to authorize cross-account access
  3. We share the encrypted snapshot
  4. In the target account we create a copy of the snapshot and we encrypt it with a KMS key from this account
  5. We create a volume from the snapshot


Envelope Encryption

Envelope encryption flow

  1. We call GenerateDataKey API
  2. KMS checks IAM permissions
  3. KMS sends back the plaintext data encryption key (DEK) and the encrypted data encryption key
  4. We encrypt the large data locally using the plaintext data key
  5. We build an envelope around the encrypted data. We put in the envelop the encrypted data key and the encrypted data creating one final file

Envelope decryption flow

  1. We get the envelope file and extract the encrypted data encryption key
  2. We decrypt the data encryption key (DEK) by calling the Decrypt API from KMS
  3. We decrypt the data with the plaintext data encryption key

Encryption SDK

Data Key Caching

KMS Symmetric API Summary

KMS Request Quotas