Amazon KMS

AWS Key Management Service (KMS) is a managed service that makes it easy to create and control the cryptographic keys used to protect your data, integrated with other AWS services to simplify encryption of data stored and managed in those services.

1 APIs · 6 Features
Cryptography · Data Protection · Encryption · Key Management · Security

APIs

Amazon KMS API

The AWS Key Management Service API provides programmatic access to create and manage cryptographic keys, encrypt and decrypt data, generate data keys, and manage key policies an...

Features

Centralized Key Management

Create, import, rotate, disable, delete, and audit usage of cryptographic keys from a central location.

Hardware Security Modules

Keys are protected by FIPS 140-2 validated hardware security modules (HSMs).

Automatic Key Rotation

Enable automatic annual rotation of KMS keys without changing key ARNs.

Multi-Region Keys

Create multi-Region keys that can be replicated into multiple AWS Regions.

Asymmetric Key Support

Generate and use asymmetric RSA and ECC key pairs for encryption and signing.

CloudTrail Integration

Every KMS API call is logged to AWS CloudTrail for auditing and compliance.

Use Cases

Data at Rest Encryption

Encrypt data stored in S3, RDS, EBS, and other AWS services using KMS keys.

Envelope Encryption

Use KMS to generate data encryption keys for envelope encryption patterns.

Digital Signatures

Use asymmetric KMS keys to sign and verify digital signatures.

BYOK (Bring Your Own Key)

Import your own cryptographic key material into AWS KMS for compliance requirements.

Semantic Vocabularies

Amazon KMS Context

1 classes · 7 properties

JSON-LD

API Governance Rules

Amazon KMS API Rules

16 rules · 9 errors · 7 warnings

SPECTRAL

Resources

PostmanWorkspace
ArazzoWorkflows
Blog
Support
Console
CLI
SDK
StatusPage
Compliance
TermsOfService
Portal
Documentation
Pricing
GettingStarted
FAQ
PrivacyPolicy
SignUp
GitHubOrganization
SpectralRules
Vocabulary

Sources

name: Amazon KMS
segments:
  - Security
  - Encryption
description: >-
  AWS Key Management Service (KMS) is a managed service that makes it easy to create and control the cryptographic keys
  used to protect your data, integrated with other AWS services to simplify encryption of data stored and managed in
  those services.
url: https://aws.amazon.com/kms/
type: Index
image: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
tags:
  - AWS
  - Cryptography
  - Data Protection
  - Encryption
  - Key Management
  - Security
created: '2024-01-15'
modified: '2026-05-19'
apis:
  - name: Amazon KMS API
    description: >-
      The AWS Key Management Service API provides programmatic access to create and manage cryptographic keys, encrypt
      and decrypt data, generate data keys, and manage key policies and grants for controlling access to encryption
      operations.
    image: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
    humanURL: https://aws.amazon.com/kms/
    baseURL: https://kms.amazonaws.com
    tags:
      - Cryptography
      - Encryption
      - Key Management
    properties:
      - type: Documentation
        url: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
      - type: OpenAPI
        url: https://api.apis.guru/v2/specs/amazonaws.com/kms/2014-11-01/openapi.yaml
      - type: Pricing
        url: https://aws.amazon.com/kms/pricing/
      - type: GettingStarted
        url: https://aws.amazon.com/kms/getting-started/
      - type: FAQ
        url: https://aws.amazon.com/kms/faqs/
      - type: Features
        url: https://aws.amazon.com/kms/features/
      - type: Documentation
        url: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
      - type: APIReference
        url: https://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html
      - type: OpenAPI
        url: openapi/amazon-kms-openapi.yml
      - type: JSONLD
        url: json-ld/amazon-kms-context.jsonld
      - type: JSONSchema
        url: json-schema/amazon-kms-key-schema.json
common:
  - type: PostmanWorkspace
    url: https://www.postman.com/kinlaneapi/amazon-kms/overview
  - type: ArazzoWorkflows
    url: arazzo/
    workflows:
      - url: arazzo/amazon-kms-create-key-and-describe-workflow.yml
        name: Amazon KMS Create Key and Describe
        summary: Create a new customer managed KMS key and read back its full metadata.
      - url: arazzo/amazon-kms-data-key-generate-and-decrypt-workflow.yml
        name: Amazon KMS Generate and Recover Data Key
        summary: Generate a data key, then decrypt its encrypted form to recover the plaintext key.
      - url: arazzo/amazon-kms-disable-and-schedule-deletion-workflow.yml
        name: Amazon KMS Disable and Schedule Key Deletion
        summary: Disable a KMS key and then schedule it for deletion after a waiting period.
      - url: arazzo/amazon-kms-enable-key-and-verify-state-workflow.yml
        name: Amazon KMS Enable Key and Verify State
        summary: Enable a disabled KMS key and confirm it is back in the Enabled state.
      - url: arazzo/amazon-kms-envelope-encrypt-decrypt-workflow.yml
        name: Amazon KMS Envelope Encrypt and Decrypt
        summary: Generate a data key, then round-trip ciphertext through encrypt and decrypt.
      - url: arazzo/amazon-kms-list-and-describe-keys-workflow.yml
        name: Amazon KMS List and Describe Keys
        summary: List the KMS keys in the account and describe the first one in detail.
      - url: arazzo/amazon-kms-provision-key-and-encrypt-workflow.yml
        name: Amazon KMS Provision Key and Encrypt
        summary: Create a KMS key, enable it, and immediately encrypt a payload with it.
      - url: arazzo/amazon-kms-sign-and-verify-workflow.yml
        name: Amazon KMS Sign and Verify
        summary: Sign a message with an asymmetric KMS key, then verify the signature.
  - type: Blog
    url: https://aws.amazon.com/blogs/security/category/security-identity-compliance/aws-key-management-service/
  - type: Support
    url: https://aws.amazon.com/premiumsupport/
  - type: Console
    url: https://console.aws.amazon.com/kms/home
  - type: CLI
    url: https://docs.aws.amazon.com/cli/latest/reference/kms/
  - type: SDK
    url: https://aws.amazon.com/tools/
  - type: StatusPage
    url: https://status.aws.amazon.com/
  - type: Compliance
    url: https://aws.amazon.com/compliance/
  - type: TermsOfService
    url: https://aws.amazon.com/service-terms/
  - type: Portal
    url: https://aws.amazon.com/kms/
  - type: Documentation
    url: https://docs.aws.amazon.com/kms/
  - type: Pricing
    url: https://aws.amazon.com/kms/pricing/
  - type: GettingStarted
    url: https://aws.amazon.com/kms/getting-started/
  - type: FAQ
    url: https://aws.amazon.com/kms/faqs/
  - type: PrivacyPolicy
    url: https://aws.amazon.com/privacy/
  - type: SignUp
    url: https://portal.aws.amazon.com/billing/signup
  - type: GitHubOrganization
    url: https://github.com/aws
  - type: Features
    data:
      - name: Centralized Key Management
        description: Create, import, rotate, disable, delete, and audit usage of cryptographic keys from a central location.
      - name: Hardware Security Modules
        description: Keys are protected by FIPS 140-2 validated hardware security modules (HSMs).
      - name: Automatic Key Rotation
        description: Enable automatic annual rotation of KMS keys without changing key ARNs.
      - name: Multi-Region Keys
        description: Create multi-Region keys that can be replicated into multiple AWS Regions.
      - name: Asymmetric Key Support
        description: Generate and use asymmetric RSA and ECC key pairs for encryption and signing.
      - name: CloudTrail Integration
        description: Every KMS API call is logged to AWS CloudTrail for auditing and compliance.
  - type: UseCases
    data:
      - name: Data at Rest Encryption
        description: Encrypt data stored in S3, RDS, EBS, and other AWS services using KMS keys.
      - name: Envelope Encryption
        description: Use KMS to generate data encryption keys for envelope encryption patterns.
      - name: Digital Signatures
        description: Use asymmetric KMS keys to sign and verify digital signatures.
      - name: BYOK (Bring Your Own Key)
        description: Import your own cryptographic key material into AWS KMS for compliance requirements.
  - type: Integrations
    data:
      - name: Amazon S3
        description: Encrypt S3 objects at rest using SSE-KMS with customer managed keys.
      - name: Amazon RDS
        description: Encrypt RDS database instances and automated backups with KMS keys.
      - name: AWS CloudTrail
        description: All KMS API usage is automatically logged for audit and compliance.
      - name: AWS Secrets Manager
        description: Encrypt secrets stored in Secrets Manager with KMS keys.
      - name: AWS Lambda
        description: Encrypt Lambda environment variables with KMS customer managed keys.
  - type: SpectralRules
    url: rules/amazon-kms-spectral-rules.yml
  - type: Vocabulary
    url: vocabulary/amazon-kms-vocabulary.yaml
  - type: Integrations
    url: https://aws.amazon.com/marketplace
integrations:
  - name: Sign in
  - name: Agent Mode
  - name: Why AWS Marketplace?
  - name: Get started in AWS Marketplace
  - name: Industry
  - name: Resources
  - name: Become a Channel Partner
  - name: Sell in AWS Marketplace
  - name: Manage Your Account
maintainers:
  - FN: Kin Lane
    email: [email protected]
    url: https://apievangelist.com
include: []