AWS – KMS and Encryption

AWS Key Management Service (KMS) makes it easy for you to create and manage keys and control the use of encryption across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

You can perform the following management actions on your AWS KMS master keys:

  • Create, describe, and list master keys
  • Enable and disable master keys
  • Create and view grants and access control policies for your master keys
  • Enable and disable automatic rotation of the cryptographic material in a master key
  • Import cryptographic material into an AWS KMS master key
  • Tag your master keys for easier identification, categorizing, and tracking
  • Create, delete, list, and update aliases, which are friendly names associated with your master keys
  • Delete master keys to complete the key lifecycle

With AWS KMS you can also perform the following cryptographic functions using master keys:

  • Encrypt, decrypt, and re-encrypt data
  • Generate data encryption keys that you can export from the service in plaintext or encrypted under a master key that doesn’t leave the service
  • Generate random numbers suitable for cryptographic applications

Figure: Generate a data key

Figure: Encrypt user data outside of AWS KMS

Figure: Envelope encryption with multiple key encryption keys

AWS KMS Developer Guide