AWS KMS and CloudHSM
Key management — customer-managed keys, envelope encryption, key rotation, and CloudHSM for hardware-based cryptographic operations.
Overview
AWS Key Management Service (KMS) is a managed service for creating and controlling encryption keys — it integrates natively with most AWS services to encrypt data at rest and in transit. AWS CloudHSM provides dedicated Hardware Security Modules (HSMs) for workloads requiring single-tenant, hardware-validated key storage.
| Aspect | KMS | CloudHSM |
|---|---|---|
| Management | Fully managed (shared multi-tenant HSMs) | Dedicated single-tenant HSM appliances |
| Key storage | AWS-managed HSMs (FIPS 140-2 Level 3) | Customer-managed HSMs (FIPS 140-2 Level 3) |
| Key control | AWS manages HSM, customer manages keys | Customer has exclusive control of HSMs + keys |
| Integration | Native with 100+ AWS services | Manual integration (PKCS#11, JCE, OpenSSL) |
| Use case | Standard encryption needs | Regulatory compliance requiring single-tenant HSMs |
Core Concepts
| Concept | Description |
|---|---|
| Customer Master Key (CMK) | The primary key resource in KMS; can be symmetric (AES-256) or asymmetric (RSA, ECC) |
| AWS Managed Key | Created and managed by AWS for specific services (e.g., aws/s3); auto-rotated yearly |
| Customer Managed Key | Created and managed by the customer; configurable rotation, policies, grants |
| Data Key | A key generated by KMS for encrypting actual data (used in envelope encryption) |
| Envelope Encryption | Encrypt data with a data key, then encrypt the data key with a CMK |
| Key Policy | Resource-based policy controlling who can use or manage a KMS key |
| Grant | Temporary, limited permission to use a KMS key without modifying the key policy |
| Key Rotation | Automatic annual rotation of the backing key material (key ID and ARN remain the same) |
| Alias | A friendly name (alias/my-key) that points to a CMK ARN |
| Key Material Origin | Where the backing key comes from: AWS_KMS (default), EXTERNAL (imported), or AWS_CLOUDHSM |
How Envelope Encryption Works
1. Application calls KMS → GenerateDataKey
2. KMS returns:
├── Plaintext Data Key (use to encrypt data, then discard)
└── Encrypted Data Key (encrypted with CMK — store alongside encrypted data)
3. To decrypt:
├── Send Encrypted Data Key to KMS → Decrypt
├── KMS returns Plaintext Data Key
└── Use Plaintext Data Key to decrypt the data
SAA/SAP Tip: Envelope encryption is how AWS services encrypt large data. KMS cannot directly encrypt data larger than 4 KB. For larger data, always use GenerateDataKey to get a data key, encrypt locally, and send only the encrypted data key to KMS.
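The flow above as an added worked example in Go (not code from this page or from the AWS SDK): FakeKMS is an assumed in-memory stand-in for KMS whose single key keeps versioned backing material, so beyond the listed steps it also shows why annual rotation leaves earlier ciphertext decryptable. Seal and Open are the assumed application-side helpers; GenerateDataKey and Decrypt mirror the KMS API calls named above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// FakeKMS is a local stand-in for AWS KMS (an assumption of this example, not
// the AWS SDK). Its single "CMK" retains every version of its backing material,
// as KMS does after rotation. Call Rotate once to create the initial material.
type FakeKMS struct{ backing [][]byte }
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
// gcm builds AES-256-GCM for a 32-byte key (errors are impossible for that size).
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
// Rotate appends fresh backing material; the key ID/ARN would stay the same.
func (k *FakeKMS) Rotate() { k.backing = append(k.backing, randBytes(32)) }
// GenerateDataKey returns a fresh data key in plaintext and wrapped under the
// current backing key. Wrapped blob layout: [version][12-byte nonce][ct+tag].
func (k *FakeKMS) GenerateDataKey() ([]byte, []byte) {
	plain, ver, nonce := randBytes(32), len(k.backing)-1, randBytes(12)
	blob := append([]byte{byte(ver)}, nonce...)
	return plain, gcm(k.backing[ver]).Seal(blob, nonce, plain, nil)
}
// Decrypt unwraps a data key with whichever backing version sealed it.
func (k *FakeKMS) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 13 || int(blob[0]) >= len(k.backing) {
		return nil, errors.New("malformed blob or unknown key version")
	}
	return gcm(k.backing[blob[0]]).Open(nil, blob[1:13], blob[13:], nil)
}
// Seal is the client side of envelope encryption: encrypt locally with the
// plaintext data key (any size), discard it, keep only the wrapped key beside
// the ciphertext (layout: [12-byte nonce][ct+tag]).
func Seal(kms *FakeKMS, data []byte) ([]byte, []byte) {
	plain, wrapped := kms.GenerateDataKey()
	g, nonce := gcm(plain), randBytes(12)
	for i := range plain { plain[i] = 0 } // discard; g keeps its own key schedule
	return wrapped, g.Seal(nonce, nonce, data, nil)
}
// Open asks "KMS" to unwrap the data key, then decrypts the data locally.
func Open(kms *FakeKMS, wrappedKey, ct []byte) ([]byte, error) {
	plain, err := kms.Decrypt(wrappedKey)
	if err != nil || len(ct) < 12 {
		return nil, errors.New("cannot unwrap data key or ciphertext too short")
	}
	return gcm(plain).Open(nil, ct[:12], ct[12:], nil)
}
```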
KMS Key Types
| Key Type | Created By | Rotation | Deletable | Cost |
|---|---|---|---|---|
| AWS Owned Key | AWS | AWS-managed | No | Free |
| AWS Managed Key | AWS | Auto (every year) | No | Free (API charges) |
| Customer Managed Key | Customer | Optional (configurable) | Yes | $1/month + API fees |
| Imported Key Material | Customer | Manual only | Yes | $1/month + API fees |
Exam Trap: AWS managed keys (aws/s3, aws/ebs) are free but cannot have their key policy customised. For cross-account encryption or custom access controls, a Customer Managed Key is required.
Key Policies and Access Control
Access to KMS keys requires both:
- The key policy must allow the action (attached to the key itself)
- The caller must have IAM permissions to perform the KMS action
Without a key policy allowing access, even an IAM admin policy will not grant KMS access (unless the key policy explicitly enables IAM-based access).
Cross-Account Key Sharing
- Key policy in Account A grants kms:* to Account B's root
- IAM policy in Account B grants the specific user kms:Decrypt for the key ARN
- Both must be in place for cross-account decryption
AWS CloudHSM
CloudHSM provides dedicated, single-tenant HSM appliances within a VPC.
| Feature | Description |
|---|---|
| Deployment | CloudHSM cluster across 2+ AZs for HA |
| Access | Via ENI in the VPC; applications connect using standard crypto APIs |
| Key ownership | Customer exclusively — AWS has no access to keys |
| Compliance | FIPS 140-2 Level 3 validated |
| Integration | Custom via PKCS#11, JCE, OpenSSL; can back KMS as custom key store |
| Use cases | SSL/TLS offloading, CA signing, Oracle TDE, regulatory compliance |
SAA/SAP Tip: CloudHSM is the answer when the question mentions "single-tenant HSM," "customer-controlled hardware keys," "FIPS 140-2 Level 3 validated with customer key control," or "SSL offloading at the HSM level."
KMS vs CloudHSM
| Criteria | KMS | CloudHSM |
|---|---|---|
| Tenancy | Multi-tenant (shared HSM infra) | Single-tenant (dedicated HSMs) |
| Key management | AWS manages HSM; customer manages keys | Customer manages everything |
| Symmetric algorithms | AES-256-GCM | AES, 3DES, and more |
| Asymmetric algorithms | RSA, ECC | RSA, ECC, DSA |
| Integration effort | Low (native AWS service integration) | High (custom crypto library integration) |
| Price | $1/key/month + API calls | Per HSM-hour (~$1.50/hr per HSM; minimum 2 for HA) |
| Compliance | FIPS 140-2 Level 3 (AWS-managed) | FIPS 140-2 Level 3 (customer-managed) |
Common Use Cases
- Data-at-rest encryption — S3, EBS, RDS, DynamoDB, and 100+ services encrypt with KMS keys natively.
- Envelope encryption — Applications encrypt large datasets locally using data keys from KMS.
- Cross-account data sharing — Share encrypted S3 objects or EBS snapshots by granting cross-account key access.
- Digital signing — Asymmetric KMS keys for code signing, JWT signing, or document verification.
- SSL/TLS offloading — CloudHSM stores private keys for TLS termination at the HSM level.
- Regulatory compliance — CloudHSM for industries requiring customer-controlled, single-tenant key storage.
SAA/SAP Exam Tips
SAA/SAP Tip: When sharing encrypted resources cross-account (e.g., AMIs, EBS snapshots, S3 objects), the KMS key policy must grant the target account access. Without this, the receiving account cannot decrypt — even with the resource itself shared.
Exam Trap: Deleting a KMS key is scheduled with a waiting period of 7–30 days. Once deleted, all data encrypted with that key becomes permanently unrecoverable. The exam tests awareness of this irreversible consequence.
SAA/SAP Tip: KMS supports automatic key rotation (annually) for customer managed symmetric keys. The key ID and ARN do not change — old ciphertext is still decryptable because KMS retains previous backing key material.
Cross-Cloud Equivalents
| Provider | Service / Solution | Notes |
|---|---|---|
| AWS | AWS KMS + CloudHSM | Baseline |
| Azure | Azure Key Vault + Azure Dedicated HSM | Key Vault = KMS; Dedicated HSM = CloudHSM |
| GCP | Google Cloud KMS + Cloud HSM | Similar separation of managed vs dedicated |
| On-Premises | HashiCorp Vault, Thales Luna HSM, nCipher | Software or hardware key management |
Pricing Model
KMS
| Dimension | Unit | Notes |
|---|---|---|
| Customer managed keys | $1/key/month | AWS managed keys are free |
| API requests | $0.03 per 10,000 | Encrypt, Decrypt, GenerateDataKey, etc. |
| Asymmetric operations | $0.10–$0.15 per 10,000 | RSA and ECC operations cost more |
CloudHSM
| Dimension | Unit | Notes |
|---|---|---|
| HSM instance | Per hour | ~$1.50/hr per HSM; minimum 2 for HA |
Related Services / See Also
- AWS IAM — key policies and IAM policies control KMS key access
- AWS Secrets Manager — encrypts secrets using KMS keys
- Amazon S3 — SSE-KMS encryption for objects at rest
- Amazon EBS — EBS volume encryption with KMS keys
- AWS Certificate Manager — manages TLS certificates (uses KMS for private keys)