AWS KMS
AWS KMS (Key Management Service) is the managed service for creating and managing cryptographic keys. It is used to encrypt data in AWS services centrally and traceably.
What is AWS KMS?
AWS KMS (Key Management Service) is AWS’s central service for managing cryptographic keys. Encryption is only as secure as the way the associated keys are handled – a key left lying around unprotected renders even the best encryption worthless. This is precisely the problem that KMS solves: it creates, stores and manages keys in a secure, central location.
What makes it special is that the actual key never leaves KMS in plain text. Data is sent to KMS for encryption and decryption, or a derived key is issued – the master key itself remains permanently protected.
How KMS is used
- Encryption of services: S3, RDS, EBS, DynamoDB and many other services use KMS keys to encrypt data at rest.
- Centralised management: All keys are managed in one place, with clear permissions via IAM.
- Key rotation: KMS can automatically renew keys at regular intervals.
- Comprehensive logging: Every use of a key is logged and is therefore traceable.
KMS and compliance
KMS is a key component for regulated industries and GDPR-compliant architectures. It not only proves that data is encrypted, but also records who used which key and when. Furthermore, permissions in IAM allow precise control over which application or employee is permitted to use a specific key at all. In an emergency, revoking a key authorisation can immediately and completely prevent access to large volumes of data.
Key separation by environment
It is best practice to use separate keys for different environments and data classes – for example, separate keys for staging and production. This allows access to be controlled at a fine granularity and, in the event of a problem, to be specifically restricted.
KMS in SMEs
Many AWS services already encrypt data using standard keys managed by AWS. However, as soon as specific compliance requirements apply or control over the keys needs to be demonstrated, it is worth using self-managed KMS keys. The effort involved is minimal, whilst the gains in security and auditability are significant.
Frequently asked questions about AWS KMS
A self-managed KMS key costs around USD 1 per month. In addition, there are small fees per cryptographic request. For most medium-sized setups, the KMS costs remain in the single-digit to low double-digit euro range per month.
No. The actual master key never leaves KMS in plain text. Encryption and decryption processes take place within the service or a derived key is used. The master key itself remains permanently in the protected area of KMS.
AWS's own standard keys are fully managed by AWS and are free of charge, but offer no individual control. Self-managed KMS keys allow customised authorisations, rotation and seamless logging - important if proof of compliance is required.
KMS is not mandatory, but it is very helpful. It verifiably proves that data is encrypted and who has used keys and when. In conjunction with IAM, access can be precisely controlled - a strong argument in data protection and audit processes.
Related terms
Last updated: May 2026