AWS Key Management Service (AWS KMS) is a AWS service that allows us to encrypt and decrypt our data with a Customer Master Key (CMKs) in the AWS cloud. As as result of passing both the AWS Certified Security – Speciality and the AWS Certified Solutions Architect – Professional exams I feel that it’s critical that you know AWS KMS inside and out. If you can understand all of the AWS KMS features I believe you’ll have a better chance of passing. This deep dive (with infographic) will be several different posts about AWS Key Management Service (AWS KMS).
AWS Key Management Service (AWS KMS) one of the most critical service to secure your AWS account and all of its data. KMS provides security that has to be put in place before new services and data come in. A lot of other AWS services will need KMS keys so it is best practice to set it up before starting other services like EC2, S3, Cloudtrail, Lambda, and so on.
Intro to CMKs
There are different types of AWS Key Management Service (AWS KMS) keys to allow us to encrypt and decrypt our data with a Customer Master Key (CMKs). AWS managed CMK and customer managed CMK. AWS KMS can support both symmetric or asymmetric keys. By default none of these key types are created when the account is created. Each AWS managed key is automatically created when you select to encrypt a certain service. The CMK type must be created by you before it’s available for use. Lets deep dive into each of these types and the Terraform code to creating them.

CMK properties
- Key Id
- Creation date
- Description
- Key state
Symmetric CMK
A symmetric key is a 256-bit encryption key that never leaves AWS KMS unencrypted. It’s a single key that’s used for both encryption and decryption. More about symmetric keys here. When you create a KMS key this the default key type. This type of key requires valid AWS credentials to use. This means if the users requires encryption without AWS credentials then it’s an asymmetric key type. Symmetric keys are the better options for most cases. This key type cannot be signed or verified.
Asymmetric CMK
Asymmetric CMK key type is a RSA key pair (public key & a private key) that is used for encryption and decryption or signing and verification (but not both), or an elliptic curve (ECC) key pair that is used for signing and verification. The private key never leaves AWS KMS unencrypted. You can use the public key within AWS KMS by calling the AWS KMS API operations, or download the public key and use it outside of AWS KMS.

AWS managed CMKs
AWS managed CMK’s are created, managed, and used on the behalf of the customer by an AWS service. A few AWS services only accept this type. As a customer you can view the keys, their policies, and track their usage via Cloudtrail. The customer cannot managed them, rotate them or modify their key policies.

AWS Managed keys – Pricing
There is no cost to the customer for the creation and storage of the AWS Managed CMKs. Under the free tier 20,000 requests/month calculated across all regions have no cost.
Here’s KMS pricing breakdown for the Northern Virginia region. The price does vary by region, use the pricing calculator for latest numbers.
- $0.03 per 10,000 requests
- $0.03 per 10,000 requests involving RSA 2048 keys
- $0.10 per 10,000 ECC GenerateDataKeyPair requests
- $0.15 per 10,000 asymmetric requests except RSA 2048
- $12.00 per 10,000 RSA GenerateDataKeyPair requests
Note: Customer managed CMKs do have a cost, that’s another post. Subscribe to get notified when that’s released.
AWS MANAGED KEYS – Aliases
AWS managed CMKs have aliases already and cannot be modified. The name pattern is aws/service-name
; aws/s3 or aws/ssm, etc.
KeyManager field will either be “AWS” or “Customer” to know if a key is managed by AWS or by you.
AWS MANAGED KEYS – Create
Remember the customer cannot create the AWS Managed CMKs directly. This type of a key will be available to you when you encrypt an object or resource.
By default the customer has no keys. Let’s run this command to see the list of keys.
aws kms list-keys --profile { profile_name }
{
"Keys": []
}
Note: If you haven’t setup your AWS CLI be sure to visit this page “Setup infrastructure as code environment“. You’ll need the following IAM policy in order to list the keys.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ReadKMSkeys",
"Effect": "Allow",
"Action": [
"kms:ListKeys",
"kms:ListKeyPolicies",
"kms:ListRetirableGrants",
"kms:ListAliases",
"kms:GetKeyPolicy",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}

Let’s say you want to encrypt an object or a bucket in S3. You will see aws/s3 key available all of sudden. Hint this is an AWS managed CMK because of the format!

Now if we list the keys you will see the AWS managed CMK.
aws kms list-keys --profile dev
{
"Keys": [
{
"KeyArn": "arn:aws:kms:us-east-1:111111111:key/2323232-2323-2424-23424a-a2324a3",
"KeyId": "2323232-2323-2424-23424a-a2324a3"
}
]
}
Key Type: Symmetric
Origin: AWS_KMS
Key Spec: SYMMETRIC_DEFAULT
Key Usage: Encrypt and decrypt
Here’s the default and non-editable key policy for the CMK I just created above. Each AWS managed CMK policy is restricted to a single AWS service.
{
"Version": "2012-10-17",
"Id": "auto-s3-2",
"Statement": [
{
"Sid": "Allow access through S3 for all principals in the account that are authorized to use S3",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1111111111:root"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"kms:CallerAccount": "1111111111",
"kms:ViaService": "s3.us-east-1.amazonaws.com"
}
}
},
{
"Sid": "Allow direct access to key metadata to the account",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1111111111:root"
},
"Action": [
"kms:Describe*",
"kms:Get*",
"kms:List*"
],
"Resource": "*"
}
]
}
Note: The “Principal” with a value of “AWS” with the account number and “root” means that any authenticated user or service in that account can use this key.
AWS MANAGED CMKS – Enable and disable keys
Not possible with AWS managed CMKs.
AWS MANAGED CMKS – automatic rotation
Automatic rotation is enabled to rotate the key every 3 years for AWS Managed CMKs. You cannot modify this setting.
AWS MANAGED CMKS – Delete Keys
Not possible with AWS managed CMKs.
Quotas and Limits
Because the cloud services are shared with hundreds of thousands of customers, AWS has put some limits on requests and resources to ensure acceptable performance for all customers.
Resource limits
Grants for a given principal per CMK: 500
Key policy document size: 32 KB
Request limits
If you see this error
You have exceeded the rate at which you may call KMS. Reduce the frequency of your calls.
(Service: AWSKMS; Status Code: 400; Error Code: ThrottlingException; Request ID:
This “ThrottlingException” means you had a valid request but have passed the quota. AWS purposefully throttles your request. Use the Service Quotas console or the RequestServiceQuotaIncrease operation to request an increase.
Request quotas applies to both AWS managed and Customer managed CMKs but not AWS owned CMKs that are designed to protect your resources.
Also requests such as updating the CMK’s alias or setting it to disable have limits. If you aren’t doing large quantity changes you shouldn’t have to worry about hitting these limits. Here’s a few default limits, for a full list click here.
UpdateAlias | 5/second |
DisableKey | 5/second |
ListKeys | 100/second |
KMS Security
- Dedicated hardened hardware security modules (HSMs)
- HSMs are physical devices that do not have a virtualization layer
- Key usage is isolated within an AWS Region.
- Multiple Amazon employees with role-specific access are required to perform administrative actions on the HSMs. There is no mechanism to export plaintext CMKs.
- Approved for the these compliance programs; SOC 1,2,3, FedRamp, DoD Impact Level 2-6, HIPPA BAA, C5, and much more.
- Available in the U.S GovCloud and U.S Secret regions
- All symmetric key encrypt commands used within HSMs use the Advanced Encryption Standards (AES) 256
- AWS KMS uses envelope encryption internally to secure confidential material between service endpoints
- KMS does not store the data, just the keys
- Use VPC EndPoints to avoid KMS traffic going through the internet
Encryption at Rest
- Customer master keys (CMKs) are stored in FIPS 140-2 Level 2–compliant hardware security modules (HSMs).
- The key material for CMKs and the encryption keys that protect the key material never leave the HSMs in plaintext form.
Encryption in Transit
- The key material that AWS KMS generates for CMKs is never exported or transmitted in AWS KMS API operations
- All AWS KMS API calls must be signed and be transmitted using minimum Transport Layer Security (TLS) 1.2
- Also Calls to AWS KMS require a modern cipher suite that supports perfect forward secrecy
KMS Multi-Region Keys
This feature was publicly released in June, 2021. As the name of the feature says, this type of key is created into two different regions. The Primary region is the region where the key is initially created, then the Replicated region is the other region where the same exact key is copied to. The Key Id is the same in both regions with a Multi-Region key. Its KMS key policy, alias, and other settings can be different or the same, it’s up to you. The benefit is in the cost saving, you are only charged for one key even though the key is in two different regions.
Wrapping up KMS for now; but in the future I’ll cover AWS KMS monitoring in detail, how and what can KMS integrate with other services, cross account KMS permissions, customer managed CMKs, and much more deep dives coming soon so be sure to subscribe! Here’s part two: https://cloudly.engineer/2020/aws-kms-customer-managed-cmk-with-terraform/aws/
As always if you see any errors, mistakes, have suggestions or questions please comment below. Don’t forget to like, share, and subscribe for more!