1. What is KMS?

AWS KMS is a managed service for creating and controlling encryption keys used to encrypt your data across AWS services.

Core Concept: KMS manages encryption keys. You create a key, define who can use it (key policy + IAM), and AWS services use it to encrypt/decrypt data. You NEVER see plaintext key material. KMS keys never leave AWS unencrypted.

2. KMS Key Types

3. Envelope Encryption

KMS uses envelope encryption for data larger than 4 KB.

Envelope Encryption Flow:

1. Client calls KMS: GenerateDataKey(CMK-ID)
2. KMS returns: Plaintext Data Key + Encrypted Data Key
3. Client encrypts data with Plaintext Data Key
4. Client stores: Encrypted Data + Encrypted Data Key together
5. Discards Plaintext Data Key from memory

Decryption: Send Encrypted Data Key to KMS → get Plaintext Data Key → decrypt data

Why Envelope Encryption? The KMS API can only encrypt/decrypt up to 4 KB directly. For larger data, generate a Data Key, encrypt locally, and only send the small Data Key to KMS. The AWS Encryption SDK handles this automatically.

4. Key Policies & Access Control

  1. Every KMS key has a Key Policy (resource-based, required)
  2. Default: The root user of the account has full access
  3. Access = Key Policy + IAM Policy (both must allow)
  4. Cross-account: CMK only (not AWS Managed). The key policy must allow the external account.
  5. Grants: temporary fine-grained permissions (used by AWS services internally)
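As an added example (not part of the original notes, and not AWS's own code), the following builds the key policy shape that items 1, 3 and 4 describe: the account root statement that delegates to IAM inside the owning account, plus one statement per external account, and an audit helper that lists who outside the owning account an Allow statement lets in. The account IDs 111122223333 and 444455556666 and the key ARN are constructed placeholders. Remember that a cross-account grant in the key policy is only half of it; the external account must also attach an IAM policy that allows the same actions, and this only works with a customer managed key.

```python
import json
import re

OWNER = "111122223333"     # constructed placeholder: account that owns the key
EXTERNAL = "444455556666"  # constructed placeholder: account granted use of the key

# The usual "key user" action set granted to a consumer of the key.
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]


def build_key_policy(owner, external_accounts):
    """Key policy: owner root keeps full control (delegating to IAM in the owner
    account); each external account root gets the use actions only."""
    statements = [{
        "Sid": "EnableIAMUserPermissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{owner}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }]
    for acct in external_accounts:
        statements.append({
            "Sid": f"AllowUseOfKeyFromAccount{acct}",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{acct}:root"},
            "Action": list(USE_ACTIONS),
            "Resource": "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def iam_policy_for_consumer(key_arn):
    """Identity-based policy the external account must also attach to its
    users/roles; the key policy grant alone does not give them access."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": list(USE_ACTIONS), "Resource": key_arn}]}


def _account_of(principal):
    """12-digit account ID from an ARN or bare account ID, None otherwise."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and re.fullmatch(r"\d{12}", parts[4]):
        return parts[4]
    return None


def external_principals(policy, owner):
    """Audit check: which accounts outside the owner can use the key.
    Returns account IDs, plus "*" if an Allow statement has a wildcard principal."""
    found = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal", {})
        arns = p if isinstance(p, str) else p.get("AWS", [])
        for a in ([arns] if isinstance(arns, str) else arns):
            if a == "*":
                found.add("*")
            else:
                acct = _account_of(a)
                if acct and acct != owner:
                    found.add(acct)
    return found


if __name__ == "__main__":
    policy = build_key_policy(OWNER, [EXTERNAL])
    print(json.dumps(policy, indent=2))
    print("external principals:", external_principals(policy, OWNER))
```

Running `external_principals` over every key policy in an account is a cheap way to spot keys that have quietly become shared or, worse, public ("*"); the same check maps directly onto the "Audit key usage" exam point, with CloudTrail covering who actually called the key.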

5. Key Rotation

6. Multi-Region Keys

  1. Replicate KMS key across multiple Regions
  2. Same key ID and key material in all Regions
  3. Encrypt in one Region, decrypt in another without cross-Region API calls
  4. Use for: DynamoDB Global Tables, Aurora Global Database, cross-Region S3 replication

7. KMS Quotas & Optimization

  1. API quota: 5,500–30,000 requests/sec per Region
  2. Exceeding = ThrottlingException
  3. Solutions: S3 Bucket Keys (99% fewer calls), cache data keys, request quota increase

Exam Tip (KMS): "Audit key usage" = KMS + CloudTrail. "Cross-account encryption" = Customer Managed Key. "Encrypt > 4 KB" = Envelope Encryption. "Same key across Regions" = Multi-Region Key. "Reduce S3 KMS calls" = Bucket Keys. AWS Managed = free, auto-rotate, no cross-account. CMK = $1/month, full control.
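The envelope encryption flow from section 3 and the "cache data keys" advice from section 7, as one added worked example (not code from the original notes or from AWS). A `FakeKms` class stands in for the service so the flow runs offline; in real code the two calls are boto3's `kms.generate_data_key()` and `kms.decrypt()`. Because the standard library has no AES, the local cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used here only as a labelled stand-in for AES-GCM; the point is the flow (generate, encrypt locally, store the wrapped key next to the ciphertext, drop the plaintext key, unwrap on read) and the call counter, which shows why a data key cache cuts KMS requests.

```python
import hashlib
import hmac
import os
import struct
import time


def _keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy stand-in for AES)."""
    out = bytearray()
    for block, pos in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[pos:pos + 32], ks))
    return bytes(out)


def local_encrypt(key, plaintext):
    """Returns nonce || ciphertext || tag (encrypt-then-MAC with HMAC-SHA256)."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def local_decrypt(key, blob):
    """Verifies the tag before decrypting; a wrong key or a tampered blob raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong data key or tampered data")
    return _keystream_xor(key, nonce, ct)


class FakeKms:
    """Assumed stand-in for the KMS API. The master (CMK) material never leaves
    this object; callers only ever see data keys and their wrapped form."""

    def __init__(self):
        self._master = os.urandom(32)   # key material, never returned to callers
        self.calls = 0                  # every request counts against the quota

    def generate_data_key(self):
        self.calls += 1
        plaintext_key = os.urandom(32)
        return plaintext_key, local_encrypt(self._master, plaintext_key)

    def decrypt(self, encrypted_data_key):
        self.calls += 1
        return local_decrypt(self._master, encrypted_data_key)


def envelope_encrypt(kms, plaintext):
    """Steps 1-5 of the flow: one GenerateDataKey call per object."""
    plaintext_key, encrypted_key = kms.generate_data_key()   # steps 1-2
    ciphertext = local_encrypt(plaintext_key, plaintext)      # step 3
    del plaintext_key                                         # step 5: never persisted
    return {"encrypted_data_key": encrypted_key, "ciphertext": ciphertext}  # step 4


def envelope_decrypt(kms, record):
    """Only the small wrapped key goes to KMS; the data is decrypted locally."""
    plaintext_key = kms.decrypt(record["encrypted_data_key"])
    return local_decrypt(plaintext_key, record["ciphertext"])


class DataKeyCache:
    """Reuses one data key across objects (the idea behind the AWS Encryption
    SDK's data key caching) so N objects cost one GenerateDataKey call, not N.
    max_uses and max_age_s bound how much data any single data key protects."""

    def __init__(self, kms, max_uses=100, max_age_s=300):
        self.kms, self.max_uses, self.max_age_s = kms, max_uses, max_age_s
        self._entry = None   # [plaintext_key, encrypted_key, uses, created_at]

    def get(self):
        e = self._entry
        expired = e is not None and time.monotonic() - e[3] > self.max_age_s
        if e is None or e[2] >= self.max_uses or expired:
            pk, ek = self.kms.generate_data_key()
            e = self._entry = [pk, ek, 0, time.monotonic()]
        e[2] += 1
        return e[0], e[1]


def encrypt_batch_cached(cache, objects):
    """Encrypts many objects; each record still carries its own wrapped key."""
    records = []
    for obj in objects:
        pk, ek = cache.get()
        records.append({"encrypted_data_key": ek, "ciphertext": local_encrypt(pk, obj)})
    return records
```

Usage: `kms = FakeKms()`, then `encrypt_batch_cached(DataKeyCache(kms), [b"row-1", b"row-2", b"row-3"])` leaves `kms.calls == 1`, whereas three calls to `envelope_encrypt` would cost three; reading any record back with `envelope_decrypt` costs one Decrypt call each, which is where S3 Bucket Keys apply the same trick on the service side. The cache bounds (`max_uses`, `max_age_s`) are the design trade-off: a longer-lived cached key means fewer KMS calls but more objects exposed if that one plaintext key is ever leaked from memory.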