Articles → AWS → Key Management Service In AWS Console

Key Management Service In AWS Console

In this article, we will discuss Key Management Service in AWS console.

Purpose

The Key Management Service is used to generate an encryption key.

Symmetric And Asymmetric Keys

Symmetric keys are those that uses the same key for encryption and decryption. Asymmetric keys use the different keys i.e., one for encryption and other for decryption.

AWS Managed And Customer Managed Keys

As the name suggests, AWS keys are predefined keys provided by AWS for encryption. Whereas the customer managed keys are created by the user.

AWS Managed Keys Vs AWS Owned Keys

In AWS managed keys: -

AWS controls the lifecycle and key policies of AWS managed keys
AWS managed keys are resources in customer AWS accounts
Customers can view CloudTrail events and can access policies and for AWS managed keys
All requests that are made against these keys are logged as CloudTrail events

In AWS owned keys: -

Keys are exclusively used by AWS for internal encryption operations across different AWS services
Customers do not have visibility into key policies of the AWS owned keys
Requests to these keys are not logged in the CloudTrail events

Difference Between Different Key Types

Type Of CMK	Can View	Can Manage	Used Only For My AWS Account	Automatic Rotation
Customer Managed CMK	Yes	Yes	Yes	Optional. Every 365 days
AWS Managed CMK	Yes	No	Yes	Required. Every 1095 days
AWS Owned CMK	No	No	No	Varies

How To Create A Key?

To create a key, search the word KMS in the search box. Click on the Key Management Service in the search result. The Key Management Service screen will appear.

Picture showing the Key Management Service in the search box

Click to Enlarge

In the key management service screen, you can see the menu for AWS managed and customer managed keys.

Picture showing the types of key management service that AWS supports

Click to Enlarge

To create a new key, click on the Create a key button on the right-hand side.

Picture showing the create a key button for creating the new key in AWS

Click to Enlarge

A screen appears to select the Key type. Click on the Next button.

Picture showing the section of screen for selecting the key type

Click to Enlarge

In the next screen, enter the Alias and other details. Click on the Next for the next step.

Picture showing a screen for adding the key name and other details

Click to Enlarge

In the next screen, specify the key administrative permissions. Click on the Next button to continue.

Picture showing a screen to select the administrative permissions

Click to Enlarge

In the next screen, specify the usage permissions. Click on the Next button.

Picture showing a screen to select the usage permissions

Click to Enlarge

Finally, a screen appears where you can review the keys. Click on the Finish button to complete the key creation.

Picture showing a review screen before the creation of key

Click to Enlarge

The key will be created.

Posted By -	Karan Gupta

Posted On -	Tuesday, September 21, 2021

Updated On -	Wednesday, November 9, 2022

Query/Feedback

Your Email Id		**

Subject		*

Query/Feedback	Characters remaining 250	**