What is KMS?

AWS KMS uses Symmetric Cryptography

KMS is a managed service used to store and generate encryption keys that are used by other AWS services and applications

  • S3 may use the KMS to enable S3 to offer and perform server-side encryption using SSE-KMS
  • KMS contains the keys to decrypt your private data
  • Administrators at AWS don’t have access to your keys within KMS
  • All administrative actions require dual authentication by two Amazon administrators
  • It’s our responsibility to administer our own encryption keys
  • The KMS service is for encryption at rest
  • To encrypt data while in transit you would need to use a different method, such as SSL

Server-Side Encryption

  • Encryption is done by the server
  • Backend servers encrypt the data as it arrives, transparently to the end user
  • The overhead of performing the encryption and managing the keys is handled by the server

Client-Side Encryption

  • Encryption is done by the end user
  • Requires the user to encrypt the data themselves before it is sent or stored
  • The overhead of the encryption process is on the client

Compliance and Regulations

KMS works seamlessly with AWS CloudTrail to audit and track how your encryption keys are being used and by whom
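As an added example (not part of the original post), the script below parses CloudTrail records in the format KMS emits and summarises which principal used which key for what, flagging key-management actions that deserve review. The records, account id and key ARN are constructed sample data, and the list of sensitive action names is this example's own choice.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records in the format KMS emits; not a real trail.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "resources": []},
]})

# Key-management actions that should be rare and reviewed; data-path calls are routine.
SENSITIVE_ACTIONS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy",
                     "DeleteAlias", "DisableKeyRotation"}

def summarise_kms_usage(trail_json):
    """Return ({(key_arn, principal_arn): {eventName: count}}, [sensitive records])."""
    usage = defaultdict(lambda: defaultdict(int))
    sensitive = []
    for rec in json.loads(trail_json)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # only KMS events are of interest here
        principal = rec["userIdentity"].get("arn", "unknown")
        # A KMS record may name no key (e.g. ListKeys); use a placeholder then.
        keys = [r["ARN"] for r in rec.get("resources", [])] or ["(no key)"]
        for key in keys:
            usage[(key, principal)][rec["eventName"]] += 1
        if rec["eventName"] in SENSITIVE_ACTIONS:
            sensitive.append((rec["eventName"], principal, keys))
    return {k: dict(v) for k, v in usage.items()}, sensitive

if __name__ == "__main__":
    usage, sensitive = summarise_kms_usage(SAMPLE_TRAIL)
    for (key, who), counts in usage.items():
        print(f"{key} used by {who}: {counts}")
    for action, who, keys in sensitive:
        print(f"REVIEW: {action} by {who} on {keys}")
```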


KMS is not a multi-region service; it is region-specific

Nadtakan Futhoem — Sr. Software Engineer