KMS manages cryptographic keys (both symmetric and asymmetric)
KMS allows encrypting and decrypting with KMS keys
FIPS 140-2 Level 2 compliant: users cannot extract key material from KMS; keys are only ever used inside the service
A KMS key is a logical key (an AWS resource with a stable key ID/ARN) backed by physical key material. Because the logical key is separate from its material, the material can be rotated automatically without changing the key that callers reference.
Types of keys
  A KMS key can encrypt/decrypt at most 4 KB of data per call, so it is meant for encrypting data encryption keys (DEKs), not bulk data
  Bound to a region, but multi-region keys are also available
  Can be AWS-owned or customer-owned
    AWS-owned key: owned and used by an AWS service across many accounts; you usually don't have to deal with them
    Customer-owned key types
      AWS-managed: created by AWS on your behalf for services such as S3
      Customer-managed: created by the customer and fully configurable, e.g. its key policy
Key rotation
  AWS-owned: forced annual rotation
  Customer-managed: automatic rotation is optional and must be enabled
DEKs: generated under a KMS key to encrypt large amounts of data (envelope encryption)
  When generated, you receive both a plaintext copy and a ciphertext copy (the DEK encrypted under the KMS key)
  A DEK is not managed by AWS. Once the DEK is decrypted with the KMS key,
Key policy: a resource policy that every key has
  Note that, unlike other services, a key must explicitly trust the AWS account that contains it.
  Once the key policy trusts the account, identity-based (IAM) policies in that account can grant or deny access to the key.
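A key policy illustrating the two points above, added here as an example (not the page's own text): the first statement is the account-trust statement without which IAM policies have no effect on the key, the second restricts everyday DEK operations to one role. The account ID 111122223333 is a placeholder and the role name app-data-role is hypothetical.

```json
{
  "Version": "2012-10-17",
  "Id": "example-key-policy",
  "Statement": [
    {
      "Sid": "Trust the account so IAM policies can govern this key",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow one role to generate and unwrap DEKs only",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/app-data-role" },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
```

If the first statement is removed and no other statement grants administrative access, the key policy alone decides access and the key can become unmanageable from the account, so keep the account-trust statement and scope restrictions through IAM or additional statements instead.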