Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.2.1. KMS Key Management (CMKs, AWS-managed Keys)

First Principle: AWS KMS provides flexible key management options (Customer Managed Keys - CMKs, AWS-managed keys), enabling users to choose the appropriate level of control, cost, and auditability for their encryption keys.

AWS Key Management Service (KMS) is a fully managed service that allows you to create and control encryption keys used to encrypt your data. It's central to managing encryption at rest across many AWS services.

Key KMS Key Management Options:
  • AWS-managed keys:
    • What they are: Encryption keys that AWS creates, manages, and uses on your behalf for AWS services (e.g., S3, EBS, RDS).
    • Control: You cannot manage these keys directly (e.g., set key policies).
    • Cost: No extra charge for storage, usually only for usage.
    • Use Cases: Simplicity and ease of use, suitable for many common encryption needs.
  • Customer Managed Keys (CMKs):
    • What they are: Encryption keys that you create, own, and manage in KMS.
    • Control: You have full control over the key policy (who can use the key, for which resources), key rotation, and disabling/deleting the key.
    • Cost: Small monthly fee for key storage, plus usage charges.
    • Use Cases: Meeting specific compliance requirements (e.g., PCI DSS), sensitive data where you need more control, integration with CloudHSM.
  • AWS KMS Integration: Seamlessly integrates with hundreds of AWS services for encryption at rest.

Scenario: You need to ensure sensitive customer data stored in Amazon S3 is encrypted at rest. For most data, standard encryption is sufficient, but for highly confidential financial data, you need strict control over the encryption keys and full auditability of their usage.

Reflection Question: How do AWS KMS key management options (differentiating between AWS-managed keys for simplicity and Customer Managed Keys (CMKs) for fine-grained control) fundamentally enable you to choose the appropriate level of control, cost, and auditability for your encryption keys?