What is KMS?
Jul 19, 2021
KMS is a managed service used to store and generate the encryption keys that are used by other AWS services and applications
- S3 can use KMS to offer and perform server-side encryption with SSE-KMS
- KMS contains the keys to decrypt your private data
- Administrators at AWS don’t have access to your keys within KMS
- All administrative actions require dual authentication by two Amazon administrators
- It’s our responsibility to administer our own encryption keys
- The KMS service is for encryption at rest
- To encrypt data while in transit you would need to use a different method, such as SSL
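A practical way to check the SSE-KMS point above is to inspect a bucket's default-encryption rule and confirm that the KMS key it names lives in the bucket's own region. The following is an added example, not code from the original post: it takes the dict shape returned by the S3 GetBucketEncryption API (ServerSideEncryptionConfiguration, Rules, ApplyServerSideEncryptionByDefault) and classifies it; the bucket regions, account id and key ARN are constructed placeholders.

```python
"""Classify an S3 bucket's default server-side encryption and check the KMS key region.

Added example (not from the original post). The config dicts mirror the
ServerSideEncryptionConfiguration returned by S3 GetBucketEncryption; the
account id 111122223333 and the key ARNs are constructed placeholders.
"""
from typing import List, Optional

# Constructed sample: SSE-KMS with a customer-managed key in us-east-1.
SSE_KMS_CUSTOMER_KEY = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms",
                "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            },
            "BucketKeyEnabled": True,
        }]
    }
}
# Constructed sample: SSE-KMS without a key id, which falls back to the AWS-managed aws/s3 key.
SSE_KMS_AWS_MANAGED = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]
    }
}
# Constructed sample: SSE-S3, keys managed by S3 itself rather than by KMS.
SSE_S3 = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
    }
}
# No default-encryption rule configured at all.
NO_DEFAULT: dict = {}


def classify_default_encryption(config: dict) -> str:
    """Return which server-side encryption mode the bucket applies by default."""
    rules = config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return "none"
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algorithm = default.get("SSEAlgorithm")
    if algorithm == "AES256":
        return "sse-s3"
    if algorithm == "aws:kms":
        # A key id or ARN means a customer-managed key; omitting it uses the aws/s3 key.
        return "sse-kms-customer-key" if default.get("KMSMasterKeyID") else "sse-kms-aws-managed"
    return "unknown"


def key_region(key_id: str) -> Optional[str]:
    """Extract the region from a KMS key ARN; bare key ids and aliases carry no region."""
    parts = key_id.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "kms":
        return parts[3]
    return None


def audit_bucket(bucket_region: str, config: dict) -> List[str]:
    """Findings a reviewer would raise: no or weaker default encryption, or a key outside the bucket's region."""
    findings: List[str] = []
    mode = classify_default_encryption(config)
    if mode == "none":
        findings.append("no default-encryption rule configured on the bucket")
    elif mode != "sse-kms-customer-key":
        findings.append(f"default encryption does not use a customer-managed KMS key (mode: {mode})")
    else:
        key = config["ServerSideEncryptionConfiguration"]["Rules"][0][
            "ApplyServerSideEncryptionByDefault"]["KMSMasterKeyID"]
        region = key_region(key)
        # KMS is region-specific: the key has to live in the bucket's own region.
        if region is not None and region != bucket_region:
            findings.append(f"KMS key is in {region} but the bucket is in {bucket_region}")
    return findings


if __name__ == "__main__":
    for name, cfg in [("customer-key", SSE_KMS_CUSTOMER_KEY), ("aws-managed", SSE_KMS_AWS_MANAGED),
                      ("sse-s3", SSE_S3), ("none", NO_DEFAULT)]:
        print(name, classify_default_encryption(cfg), audit_bucket("us-east-1", cfg))
    print("cross-region", audit_bucket("eu-west-1", SSE_KMS_CUSTOMER_KEY))
```

In a real account the config dict would come from `get_bucket_encryption` for each bucket; the point of the classifier is that "encrypted" covers three different trust models (S3-managed keys, the AWS-managed aws/s3 key, and a customer-managed key whose policy you control), and only the last one gives you the key administration the post describes.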
Server-side
- Encryption is done by the server
- Backend servers encrypt the data as it arrives, transparently to the end user
- The overhead of performing the encryption and managing the keys is handled by the server
Client-side
- Encryption is done by the end-user
- Requires the user to encrypt the data themselves before handing it over
- The overhead of the encryption process is on the client
Compliance and Regulations
KMS works seamlessly with AWS CloudTrail to audit and track how your encryption keys are being used and by whom
Region
KMS is not a multi-region service; it is region-specific
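The CloudTrail integration mentioned under "Compliance and Regulations" is only useful if someone actually reads the records, so here is an added example (not code from the original post) that summarizes KMS key usage per principal and per key, and separately lists the control-plane calls that change whether a key can be used at all. The records are constructed in the shape CloudTrail uses for kms.amazonaws.com events (userIdentity, eventName, resources); the account id, principal ARNs and key ARNs are placeholders.

```python
"""Summarize who used which KMS key, and how, from CloudTrail records.

Added example (not from the original post). SAMPLE_TRAIL is constructed in the
CloudTrail record layout for KMS events; account 111122223333, the principals
and the key ARNs are placeholders.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-B"
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
APP_ROLE = "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"


def _event(source: str, name: str, principal: str, key: str = None, when: str = "2021-07-19T10:00:00Z") -> dict:
    """Build one constructed CloudTrail record."""
    record = {"eventSource": source, "eventName": name, "eventTime": when,
              "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "arn": principal}}
    if key:
        record["resources"] = [{"type": "AWS::KMS::Key", "ARN": key}]
    return record


# Constructed trail: data-plane use of key A, one destructive admin call on key B,
# and one unrelated S3 event that the KMS filter must drop.
SAMPLE_TRAIL = json.dumps({"Records": [
    _event("kms.amazonaws.com", "Decrypt", ALICE, KEY_A),
    _event("kms.amazonaws.com", "Decrypt", ALICE, KEY_A, "2021-07-19T10:05:00Z"),
    _event("kms.amazonaws.com", "GenerateDataKey", APP_ROLE, KEY_A, "2021-07-19T10:07:00Z"),
    _event("kms.amazonaws.com", "ScheduleKeyDeletion", BOB, KEY_B, "2021-07-19T11:00:00Z"),
    _event("s3.amazonaws.com", "PutObject", ALICE),
]})

# KMS API calls that change whether a key exists or who may use it; worth alerting on.
ADMIN_ACTIONS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy"}


def kms_records(trail_json: str) -> List[dict]:
    """Keep only the KMS events from a CloudTrail file."""
    return [r for r in json.loads(trail_json)["Records"] if r.get("eventSource") == "kms.amazonaws.com"]


def principal_of(record: dict) -> str:
    return record.get("userIdentity", {}).get("arn", "<unknown>")


def key_of(record: dict) -> str:
    for res in record.get("resources", []):
        if res.get("type") == "AWS::KMS::Key":
            return res["ARN"]
    return "<no key>"


def usage_by_principal(records: List[dict]) -> Dict[str, Counter]:
    """principal ARN -> Counter of (key ARN, API call) pairs."""
    usage: Dict[str, Counter] = defaultdict(Counter)
    for r in records:
        usage[principal_of(r)][(key_of(r), r["eventName"])] += 1
    return dict(usage)


def admin_actions(records: List[dict]) -> List[Tuple[str, str, str, str]]:
    """(time, principal, call, key) for every control-plane call in ADMIN_ACTIONS."""
    return [(r["eventTime"], principal_of(r), r["eventName"], key_of(r))
            for r in records if r["eventName"] in ADMIN_ACTIONS]


if __name__ == "__main__":
    recs = kms_records(SAMPLE_TRAIL)
    for principal, counter in usage_by_principal(recs).items():
        for (key, call), n in counter.items():
            print(f"{principal} {call} {key} x{n}")
    for row in admin_actions(recs):
        print("ADMIN:", *row)
```

Two design choices worth noting: the key is read from the record's `resources` entry rather than from request parameters, because callers may pass an alias while CloudTrail records the resolved key ARN; and the summary is keyed by principal first, since "who used the key" is the question auditors ask, with the per-key counts answering "for what".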