Customer Master Keys (CMK)

This is the main key type within KMS. The key material of a CMK never leaves KMS unencrypted; you use the key by calling the KMS API.

  • A CMK can directly encrypt data up to 4 KB (4096 bytes) in size, which is the limit of the KMS Encrypt API; larger data is encrypted with a data key instead

There are 2 types of CMKs:

AWS managed CMKs

  • These are created, managed and used on your behalf by the AWS services that integrate with KMS (for example S3, EBS or RDS); you can see them and audit their use in CloudTrail, but you cannot edit their key policy or delete them

Customer managed CMKs

  • These are created by you and give you full control: you write the key policy, manage aliases, enable or disable the key, configure rotation and schedule deletion

AWS services that integrate with KMS can also be configured to use one of your customer managed CMKs instead of the AWS managed one, so that your own key policy governs the data the service stores

Any CMKs created within KMS are protected by FIPS 140-2 validated cryptographic modules

Data Encryption Keys (DEK)

Data keys are used to encrypt your data of any size

  • KMS generates a data key under a CMK (the GenerateDataKey API) and returns it twice: in plaintext and encrypted under that CMK
  • You encrypt the data locally with the plaintext key, discard that copy, and store the encrypted data key next to the ciphertext; to decrypt, you send the encrypted data key back to KMS, which returns the plaintext key
  • KMS never stores data keys and never uses them to encrypt or decrypt data itself; this pattern is called envelope encryption
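The CMK-versus-data-key split described above, as an added example that is not code from this post or from AWS. `FakeKms` is a local stand-in for the KMS API (assumed to mirror the Encrypt, Decrypt and GenerateDataKey calls a boto3 client exposes) whose CMK bytes never leave the object; the local cipher is a toy encrypt-then-MAC construction on HMAC-SHA256 so the script runs with the standard library alone. In production you would use AES-GCM from a real library for the bulk data. The key id format is made up.

```python
"""Envelope encryption with a KMS-style key hierarchy (added illustration).

FakeKms stands in for the KMS API; the toy cipher is NOT for production use.
"""
import hashlib
import hmac
import os
import secrets

KMS_MAX_PLAINTEXT = 4096  # the KMS Encrypt API accepts at most 4 KB of plaintext


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: successive HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from one 32-byte key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh 16-byte nonce. Output: nonce || ct || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modified ciphertext is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKms:
    """Local stand-in for KMS. CMK material lives only inside this object."""

    def __init__(self):
        self._cmks = {}

    def create_key(self) -> str:
        key_id = f"fake-cmk-{len(self._cmks) + 1}"  # hypothetical key id format
        self._cmks[key_id] = secrets.token_bytes(32)
        return key_id

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        """Encrypt directly under the CMK, enforcing the 4 KB limit like KMS does."""
        if len(plaintext) > KMS_MAX_PLAINTEXT:
            raise ValueError("Encrypt: plaintext exceeds 4096 bytes, use a data key")
        return toy_encrypt(self._cmks[key_id], plaintext)

    def decrypt(self, key_id: str, ciphertext: bytes) -> bytes:
        # Real symmetric KMS ciphertext carries its key id; here it is passed explicitly.
        return toy_decrypt(self._cmks[key_id], ciphertext)

    def generate_data_key(self, key_id: str):
        """Like GenerateDataKey: a fresh plaintext DEK plus the same DEK wrapped under the CMK."""
        dek = secrets.token_bytes(32)
        return dek, self.encrypt(key_id, dek)


def envelope_encrypt(kms: FakeKms, key_id: str, data: bytes) -> dict:
    """Encrypt data of any size locally with a DEK; persist only the wrapped DEK."""
    dek, wrapped_dek = kms.generate_data_key(key_id)
    ciphertext = toy_encrypt(dek, data)
    del dek  # the plaintext DEK is discarded as soon as the data is encrypted
    return {"key_id": key_id, "wrapped_dek": wrapped_dek, "ciphertext": ciphertext}


def envelope_decrypt(kms: FakeKms, envelope: dict) -> bytes:
    """Ask KMS to unwrap the DEK, then decrypt the bulk data locally."""
    dek = kms.decrypt(envelope["key_id"], envelope["wrapped_dek"])
    return toy_decrypt(dek, envelope["ciphertext"])


def roundtrip_ok(size: int) -> bool:
    """Envelope-encrypt `size` random bytes and check they decrypt back."""
    kms, data = FakeKms(), os.urandom(size)
    key_id = kms.create_key()
    return envelope_decrypt(kms, envelope_encrypt(kms, key_id, data)) == data


def direct_encrypt_rejects(size: int) -> bool:
    """True if Encrypt under the CMK refuses a plaintext of `size` bytes."""
    kms = FakeKms()
    try:
        kms.encrypt(kms.create_key(), b"A" * size)
        return False
    except ValueError:
        return True


def tamper_detected() -> bool:
    """Flipping one ciphertext bit must fail authentication, not return garbage."""
    kms = FakeKms()
    env = envelope_encrypt(kms, kms.create_key(), b"payroll export")
    ct = bytearray(env["ciphertext"])
    ct[16] ^= 0x01  # first byte after the nonce
    env["ciphertext"] = bytes(ct)
    try:
        envelope_decrypt(kms, env)
        return False
    except ValueError:
        return True
```

`roundtrip_ok(100_000)` succeeds while `direct_encrypt_rejects(100_000)` is true: the only thing the CMK ever encrypts is the 32-byte data key, which is why the 4 KB limit never constrains the size of your data.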

Key Policies

The key policies allow you to define who can use and administer a key in KMS

  • These policies are tied to the CMKs; they are resource-based policies, and every CMK has exactly one
  • IAM policies alone cannot grant access to a CMK: the key policy must allow it, which the default key policy does through a statement for the account root principal


Grants are another method of controlling access and use of the CMKs held within KMS

  • They allow you to delegate a subset of your own access to a CMK to other principals for specific operations (for example Decrypt or GenerateDataKey), optionally restricted with encryption-context constraints
  • Grants can only allow, never deny; they are meant for temporary or programmatic permissions and are commonly created by AWS services that need to use your key on your behalf, so retire or revoke them once they are no longer needed
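A key policy that puts the key-policy and grant points above into practice, as an added example that is not from this post or from AWS. The account id and role ARNs are placeholders, and the statement layout is modelled on the default policy the KMS console generates (root statement, key administrators, key users, grant attachment limited to AWS services). `policy_findings` is a hypothetical review helper that flags the two mistakes that most often bite: dropping the root statement (which can leave the key unmanageable) and an unconditioned `Principal: "*"`.

```python
"""Build and sanity-check a KMS key policy (added example, placeholders throughout)."""
import json

ACCOUNT_ID = "111122223333"  # placeholder account id
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/KeyAdmin"   # placeholder
APP_ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/PayrollApp"   # placeholder

USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                 "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                 "kms:TagResource", "kms:UntagResource",
                 "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]


def build_key_policy(account_id: str, admins: list, users: list) -> dict:
    """Resource-based policy for one CMK: root statement, admins, users, grants."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Keeps the key manageable and lets IAM policies in this account
                # grant KMS permissions; without it IAM policies cannot reach the key.
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Administrators manage the key but get no cryptographic operations.
                "Sid": "Allow access for Key Administrators",
                "Effect": "Allow",
                "Principal": {"AWS": admins},
                "Action": ADMIN_ACTIONS,
                "Resource": "*",
            },
            {   # Users get cryptographic operations only.
                "Sid": "Allow use of the key",
                "Effect": "Allow",
                "Principal": {"AWS": users},
                "Action": USE_ACTIONS,
                "Resource": "*",
            },
            {   # Users may create grants, but only for AWS services acting on their behalf.
                "Sid": "Allow attachment of persistent resources",
                "Effect": "Allow",
                "Principal": {"AWS": users},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }


def _aws_principals(stmt: dict) -> list:
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        aws = p.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def _actions(stmt: dict) -> list:
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)


def policy_findings(policy: dict) -> list:
    """Hypothetical review helper: returns human-readable findings, empty when clean."""
    findings, stmts = [], policy.get("Statement", [])
    has_root = any(
        s.get("Effect") == "Allow" and "kms:*" in _actions(s)
        and any(p.endswith(":root") for p in _aws_principals(s))
        for s in stmts)
    if not has_root:
        findings.append("no Allow kms:* for the account root: IAM policies cannot grant "
                        "access and the key can become unmanageable")
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        sid, principals = s.get("Sid", "<no sid>"), _aws_principals(s)
        if "*" in principals and "Condition" not in s:
            findings.append(f"{sid}: Principal * without a Condition opens the key to every AWS account")
        if "kms:*" in _actions(s) and not all(p.endswith(":root") for p in principals):
            findings.append(f"{sid}: kms:* granted to a non-root principal; use admin or use actions")
    return findings


def example_policy() -> dict:
    return build_key_policy(ACCOUNT_ID, [ADMIN_ROLE], [APP_ROLE])


if __name__ == "__main__":
    print(json.dumps(example_policy(), indent=2))
    print(policy_findings(example_policy()) or "no findings")
```

The separation matters in practice: key administrators can rotate, disable or schedule deletion of the key but cannot decrypt anything with it, key users can decrypt but cannot change who else can, and the `kms:GrantIsForAWSResource` condition stops a user from handing out grants to arbitrary principals while still letting services such as EBS or RDS create the grants they need.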
Nadtakan Futhoem — Sr. Software Engineer

Founder of & Serverless Cloud developer. Follow me on Twitter