AWS Security Academy · Lesson

What KMS Keys Are and Do

Understand customer managed, AWS managed, and owned keys.

The Need for Managed Keys

Encryption is only as strong as how you protect the keys. Storing keys in code or files is risky and hard to audit.

AWS KMS (Key Management Service) creates, stores, and controls encryption keys in hardware security modules, and ties every use to IAM permissions and audit logs.

What a KMS Key Is

A KMS key (formerly called a CMK, customer master key) is a logical representation of a cryptographic key inside KMS.

The key material never leaves KMS unencrypted.
You ask KMS to encrypt or decrypt; the raw key is not exposed to you.

This is the foundation of AWS encryption.

All lessons in this course

What KMS Keys Are and Do
Symmetric, Asymmetric, and Multi-Region Keys
Key Policies, Grants, and Conditions
Envelope Encryption and Data Keys

← Back to AWS Security Academy