AWS Key Management Service (AWS KMS) is a vital component for managing encryption keys within the AWS ecosystem. It simplifies the process of creating and controlling encryption keys used to encrypt your data. Here's a breakdown of the key aspects covered:

AWS KMS Overview

• Purpose: Manages encryption keys for AWS services.
• Integration: Fully integrated with AWS Identity and Access Management (IAM) for authorization.
• Auditability: Enables auditing of API calls using AWS CloudTrail.
• Usage: Can be used with most AWS services for encrypting data at rest, including EBS, S3, RDS, and SSM.
• API Access: Supports encryption operations through AWS CLI, SDKs, and API calls.

Types of KMS Keys

• Symmetric Keys: Single key used for both encryption and decryption. Default for AWS services.
• Asymmetric Keys: Pair of keys where the public key encrypts and the private key decrypts. Useful for operations outside AWS.

Categories of KMS Keys

• AWS Owned Keys: Free, automatically used by certain AWS services like SSE-S3 encryption.
• AWS Managed Keys: Free, service-specific (e.g., aws/rds, aws/ebs), automatically rotated by AWS.
• Customer Managed Keys: Customizable, $1/month, supports import, manual rotation, and automatic rotation (if enabled).

Key Rotation

• Automatic for AWS-managed keys.
• Must be enabled for customer-managed keys.
• Manual for imported keys, using aliases for rotation.

KMS Key Policies

• Default Policy: Allows all users in your account to access the key if they have IAM policy permission.