
Amazon KMS

AWS Key Management Service (KMS) is a managed service that makes it easy to create and control the cryptographic keys used to protect your data, integrated with other AWS services to simplify encryption of data stored and managed in those services.

1 APIs · 1 Capabilities · 6 Features
Cryptography · Data Protection · Encryption · Key Management · Security

APIs

Amazon KMS API

The AWS Key Management Service API provides programmatic access to create and manage cryptographic keys, encrypt and decrypt data, generate data keys, and manage key policies an...

Capabilities

Amazon KMS Workflow

Unified workflow capability for Amazon KMS combining resource management and operations.

Features

Centralized Key Management

Create, import, rotate, disable, delete, and audit usage of cryptographic keys from a central location.

Hardware Security Modules

Keys are protected by FIPS 140-2 validated hardware security modules (HSMs).

Automatic Key Rotation

Enable automatic annual rotation of KMS keys without changing key ARNs.

Multi-Region Keys

Create multi-Region keys that can be replicated into multiple AWS Regions.

Asymmetric Key Support

Generate and use asymmetric RSA and ECC key pairs for encryption and signing.

CloudTrail Integration

Every KMS API call is logged to AWS CloudTrail for auditing and compliance.

Use Cases

Data at Rest Encryption

Encrypt data stored in S3, RDS, EBS, and other AWS services using KMS keys.

Envelope Encryption

Use KMS to generate data encryption keys for envelope encryption patterns.

Digital Signatures

Use asymmetric KMS keys to sign and verify digital signatures.

BYOK (Bring Your Own Key)

Import your own cryptographic key material into AWS KMS for compliance requirements.

Semantic Vocabularies

Amazon Kms Context

1 classes · 7 properties

JSON-LD

API Governance Rules

Amazon KMS API Rules

16 rules · 9 errors · 7 warnings

SPECTRAL

Resources

Blog
Support
Console
CLI
SDK
StatusPage
Compliance
TermsOfService
Portal
Documentation
Pricing
GettingStarted
FAQ
PrivacyPolicy
SignUp
GitHubOrganization
SpectralRules
NaftikoCapability
Vocabulary

Sources

name: Amazon KMS
segments:
- Security
- Encryption
description: AWS Key Management Service (KMS) is a managed service that makes it easy to create and control the cryptographic keys used to protect your data, integrated with other AWS services to 
  simplify encryption of data stored and managed in those services.
url: https://aws.amazon.com/kms/
type: Index
image: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
tags:
- AWS
- Cryptography
- Data Protection
- Encryption
- Key Management
- Security
created: '2024-01-15'
modified: '2026-04-19'
apis:
- name: Amazon KMS API
  description: The AWS Key Management Service API provides programmatic access to create and manage cryptographic keys, encrypt and decrypt data, generate data keys, and manage key policies and grants
    for controlling access to encryption operations.
  image: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
  humanURL: https://aws.amazon.com/kms/
  baseURL: https://kms.amazonaws.com
  tags:
  - Cryptography
  - Encryption
  - Key Management
  properties:
  - type: Documentation
    url: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
  - type: OpenAPI
    url: https://api.apis.guru/v2/specs/amazonaws.com/kms/2014-11-01/openapi.yaml
  - type: Pricing
    url: https://aws.amazon.com/kms/pricing/
  - type: GettingStarted
    url: https://aws.amazon.com/kms/getting-started/
  - type: FAQ
    url: https://aws.amazon.com/kms/faqs/
  - type: Features
    url: https://aws.amazon.com/kms/features/
  - type: Documentation
    url: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html
  - type: APIReference
    url: https://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html
  - type: OpenAPI
    url: openapi/amazon-kms-openapi.yml
  - type: JSONLD
    url: json-ld/amazon-kms-context.jsonld
  - type: JSONSchema
    url: json-schema/amazon-kms-key-schema.json
common:
- type: Blog
  url: https://aws.amazon.com/blogs/security/category/security-identity-compliance/aws-key-management-service/
- type: Support
  url: https://aws.amazon.com/premiumsupport/
- type: Console
  url: https://console.aws.amazon.com/kms/home
- type: CLI
  url: https://docs.aws.amazon.com/cli/latest/reference/kms/
- type: SDK
  url: https://aws.amazon.com/tools/
- type: StatusPage
  url: https://status.aws.amazon.com/
- type: Compliance
  url: https://aws.amazon.com/compliance/
- type: TermsOfService
  url: https://aws.amazon.com/service-terms/
- type: Portal
  url: https://aws.amazon.com/kms/
- type: Documentation
  url: https://docs.aws.amazon.com/kms/
- type: Pricing
  url: https://aws.amazon.com/kms/pricing/
- type: GettingStarted
  url: https://aws.amazon.com/kms/getting-started/
- type: FAQ
  url: https://aws.amazon.com/kms/faqs/
- type: PrivacyPolicy
  url: https://aws.amazon.com/privacy/
- type: SignUp
  url: https://portal.aws.amazon.com/billing/signup
- type: GitHubOrganization
  url: https://github.com/aws
- type: Features
  data:
  - name: Centralized Key Management
    description: Create, import, rotate, disable, delete, and audit usage of cryptographic keys from a central location.
  - name: Hardware Security Modules
    description: Keys are protected by FIPS 140-2 validated hardware security modules (HSMs).
  - name: Automatic Key Rotation
    description: Enable automatic annual rotation of KMS keys without changing key ARNs.
  - name: Multi-Region Keys
    description: Create multi-Region keys that can be replicated into multiple AWS Regions.
  - name: Asymmetric Key Support
    description: Generate and use asymmetric RSA and ECC key pairs for encryption and signing.
  - name: CloudTrail Integration
    description: Every KMS API call is logged to AWS CloudTrail for auditing and compliance.
- type: UseCases
  data:
  - name: Data at Rest Encryption
    description: Encrypt data stored in S3, RDS, EBS, and other AWS services using KMS keys.
  - name: Envelope Encryption
    description: Use KMS to generate data encryption keys for envelope encryption patterns.
  - name: Digital Signatures
    description: Use asymmetric KMS keys to sign and verify digital signatures.
  - name: BYOK (Bring Your Own Key)
    description: Import your own cryptographic key material into AWS KMS for compliance requirements.
- type: Integrations
  data:
  - name: Amazon S3
    description: Encrypt S3 objects at rest using SSE-KMS with customer managed keys.
  - name: Amazon RDS
    description: Encrypt RDS database instances and automated backups with KMS keys.
  - name: AWS CloudTrail
    description: All KMS API usage is automatically logged for audit and compliance.
  - name: AWS Secrets Manager
    description: Encrypt secrets stored in Secrets Manager with KMS keys.
  - name: AWS Lambda
    description: Encrypt Lambda environment variables with KMS customer managed keys.
- type: SpectralRules
  url: rules/amazon-kms-spectral-rules.yml
- type: NaftikoCapability
  url: capabilities/amazon-kms-workflow.yaml
- type: Vocabulary
  url: vocabulary/amazon-kms-vocabulary.yaml
- type: Integrations
  url: https://aws.amazon.com/marketplace
integrations:
  - name: Sign in
  - name: Agent Mode
  - name: 'Why AWS Marketplace?'
  - name: Get started in AWS Marketplace
  - name: Industry
  - name: Resources
  - name: Become a Channel Partner
  - name: Sell in AWS Marketplace
  - name: Manage Your Account
maintainers:
- FN: Kin Lane
  email: [email protected]
  url: https://apievangelist.com
include: []