Key components of KMS

Customer Master Keys(CMK)

This is the main key type within KMS

  • This key can encrypt data up to 4KB in size
  • It is typically used in relation to your DEKs
  • The CMK can generate, encrypt and decrypt this DEK

There are 2 types of CMKs:

AWS managed CMKs

  • These are used by other AWS services that interact with KMS to encrypt data
  • They can only be used the service that created them within a particular region
  • They are created on the first time you implement encryption using that service

Customer managed CMKs

  • These provide the ability to implement greater flexibility
  • You can perform rotation, governing access, and key policy configuration
  • You are able to enable and disable the key when it is no longer required

AWS services can also be configured to use your own customer CMKs

Any CMKs created within KMS are protected by FIPS 140.2 validated cryptographic modules

Data Encryption Keys(DEK)

Data keys are used to encrypt your data of any size

Key Policies

The key policies allow you to define who can use and access a key in KMS

  • These policies are tied to the CMKs, they are resource-based policies
  • Different key policies can be created for different CMKs
  • These permissions are defined within a key policy JSON document


Grants are another method of controlling access and use of the CMKs held within KMS

  • They allow you to delegate a subset of your own access to a CMK for principals
  • There is less risk of someone altering the access control permissions for that CMK
  • Grants eliminate the possibility of anyone using the permission kms:PutKeyPolicy
Nadtakan Futhoem — Sr. Software Engineer



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store