This chapter covers AWS Key Management Service (KMS) and encryption strategies essential for securing data at rest and in transit on AWS. For the SAA-C03 exam, encryption and KMS appear in roughly 15-20% of questions, often integrated with S3, RDS, DynamoDB, and Lambda. You must understand KMS key types, key policies, automatic key rotation, envelope encryption, and how to choose between server-side and client-side encryption. This chapter provides the depth needed to answer scenario-based questions correctly and avoid common traps.
Jump to a section
Imagine a bank where customers store valuables in safety deposit boxes. Each box has a unique key, but the bank doesn't want customers to carry those keys around—they might lose them. Instead, the bank issues proxy cards that can request the vault attendant to open a box on behalf of the customer, but only if the customer's identity is verified and the request follows specific rules. The vault attendant (KMS) never gives out the actual master key; it only performs operations (encrypt, decrypt) inside the vault. Each proxy card has a policy that says which boxes it can open and what operations it can perform (e.g., only encrypt, never decrypt). The bank also has a master key that can create new box keys or change policies. If a customer wants to share access to their box temporarily, they can delegate via the proxy card without ever exposing the box key. This mirrors KMS: you never leave your keys unencrypted; you use KMS to perform cryptographic operations, and you control access via IAM policies and key policies. The master key is the Customer Master Key (CMK), and the proxy cards are data keys generated by KMS for client-side encryption.
What is AWS KMS?
AWS Key Management Service (KMS) is a managed service that enables you to create, manage, and control cryptographic keys used to encrypt your data. It is integrated with most AWS services for server-side encryption (SSE) and provides an API for client-side encryption. KMS uses Hardware Security Modules (HSMs) validated under FIPS 140-2 Level 2 (or Level 3 for some regions) to protect key material.
Why KMS Exists
Before KMS, customers had to manage their own encryption keys using third-party HSMs or software libraries, which was complex and error-prone. KMS simplifies key management by providing a centralized, auditable, and highly available key store. It also integrates with AWS CloudTrail for logging every key usage, enabling compliance and security auditing.
How KMS Works Internally
KMS operates on the principle of envelope encryption. When you encrypt data, you don't encrypt the entire data directly with your Customer Master Key (CMK). Instead, KMS generates a data key (a symmetric key) and returns two versions: a plaintext data key and an encrypted copy of that data key (encrypted under the CMK). You use the plaintext data key for local encryption, then discard it. The encrypted data key is stored alongside the encrypted data. To decrypt, you send the encrypted data key to KMS, which decrypts it using the CMK and returns the plaintext data key. This allows you to encrypt large amounts of data without sending it all to KMS.
Key Components
Customer Master Key (CMK): The primary key in KMS. It can be symmetric (256-bit AES-GCM) or asymmetric (RSA or ECC). CMKs are used to generate and decrypt data keys. They never leave KMS.
Data Key: A symmetric key generated by KMS for encrypting data. It is used for envelope encryption.
Key Policy: A resource-based policy that defines who can use the CMK and what operations they can perform. Every CMK has exactly one key policy.
Grant: An alternative to key policies for temporary access. Grants allow principals to use a CMK without modifying the key policy.
KMS Keys: AWS now refers to CMKs as "KMS keys" (the term is interchangeable).
Key Types and Defaults
AWS Managed Keys: Created automatically by AWS services (e.g., aws/s3, aws/rds). They are free but cannot be viewed, managed, or rotated manually. They are rotated automatically every 3 years.
Customer Managed Keys: Created by you. You have full control: you can define key policies, enable automatic rotation (yearly), and manage key material. Cost: $1/month per key plus usage costs.
Custom Key Store: Allows you to use an AWS CloudHSM cluster as the key store for your CMKs. The key material resides in your HSM.
Automatic Key Rotation
For customer managed symmetric CMKs, you can enable automatic rotation. When enabled, KMS rotates the key material annually. The old key material remains available for decryption of existing data. AWS managed keys are rotated every 3 years. Asymmetric CMKs do not support automatic rotation.
Key Policies and IAM Policies
Access to CMKs is governed by a combination of key policies and IAM policies. The key policy is a resource-based policy attached to the CMK. It can grant access to principals (users, roles) and AWS services. IAM policies can also grant access, but only if the key policy explicitly allows it (by setting a default statement that allows IAM policies to control access). This is known as the IAM policy delegation pattern.
Envelope Encryption
Envelope encryption is the process of encrypting data with a data key and then encrypting that data key with a CMK. This provides several benefits:
Performance: Encrypting large data with a CMK would be slow and costly. Data keys are fast symmetric keys.
Security: The CMK never leaves KMS. Data keys are used locally and can be discarded.
Scalability: You can generate multiple data keys from a single CMK.
Encryption Context
KMS supports an encryption context — a set of key-value pairs that are cryptographically bound to the encrypted data. The same encryption context must be provided during decryption. This provides additional security by tying the encryption to specific metadata (e.g., bucket name, object key).
KMS API Operations
Key operations:
- Encrypt: Encrypts up to 1 MB of data directly with a CMK. For larger data, use envelope encryption.
- Decrypt: Decrypts ciphertext that was encrypted under a CMK.
- GenerateDataKey: Returns a plaintext data key and an encrypted copy. Used for envelope encryption.
- GenerateDataKeyWithoutPlaintext: Returns only the encrypted data key. Useful when you don't need the plaintext immediately.
- ReEncrypt: Decrypts ciphertext and re-encrypts it under a different CMK.
Key Management
Creating a CMK: You can create a symmetric or asymmetric CMK. You can choose to import your own key material (BYOK) or have KMS generate it.
Deleting a CMK: Deletion is scheduled with a waiting period (7-30 days, default 30). During this period, the key is disabled and can be canceled. After deletion, data encrypted under that key becomes unrecoverable.
Disabling and Enabling: You can disable a CMK to temporarily prevent its use.
Integration with AWS Services
KMS integrates with many AWS services for server-side encryption:
- S3: SSE-KMS for encrypting objects. You can specify a CMK or use the default aws/s3 key.
- EBS: EBS volumes can be encrypted using KMS. Snapshots and AMIs inherit the encryption.
- RDS: RDS instances can be encrypted at rest using KMS. Read replicas and snapshots are also encrypted.
- DynamoDB: Tables can be encrypted at rest using KMS.
- Lambda: Environment variables can be encrypted with KMS.
- SQS: Queues can be encrypted with KMS.
- SNS: Topics can be encrypted with KMS.
CloudTrail Logging
Every KMS API call is logged in CloudTrail. This includes key creation, deletion, rotation, and usage. You can monitor for unauthorized access or misconfiguration.
Multi-Region Keys
Multi-Region keys are a type of CMK that can be replicated to other AWS regions. They have the same key ID and key material in each region, allowing you to encrypt data in one region and decrypt in another. This is useful for disaster recovery and global applications.
Asymmetric Keys
Asymmetric CMKs have a public and private key pair. The public key can be distributed, while the private key never leaves KMS. Use cases: digital signing (with RSA or ECC) and encryption where the public key is used externally (e.g., for encrypting data that only KMS can decrypt).
Cost Considerations
Customer managed CMK: $1/month per key.
AWS managed CMK: Free.
Usage: $0.03 per 10,000 requests (encrypt/decrypt).
Data key generation: $0.03 per 10,000 requests.
Custom key store: Additional cost for CloudHSM.
Security Best Practices
Use IAM policies and key policies to enforce least privilege.
Enable automatic key rotation for customer managed CMKs.
Use encryption context to bind encryption to specific data.
Monitor CloudTrail for unusual KMS activity.
Avoid using the root user for KMS operations.
Common Pitfalls
Key policy misconfiguration: If the key policy does not allow IAM policies, IAM permissions alone won't work. You must have a statement like:
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::123456789012:root"},
"Action": "kms:*",
"Resource": "*"
}Cross-account access: To allow another account to use your CMK, you must specify the external account as a principal in the key policy.
Encryption context mismatch: If you encrypt with context, you must provide the exact same context during decryption, or it will fail.
Interaction with Related Technologies
AWS Certificate Manager (ACM): ACM integrates with KMS to encrypt private keys for SSL/TLS certificates.
AWS CloudHSM: Custom key store uses CloudHSM to store key material.
AWS Secrets Manager: Secrets can be encrypted with KMS.
AWS Systems Manager Parameter Store: SecureString parameters are encrypted with KMS.
Command Line Examples
Create a CMK:
aws kms create-key --description "My key"Enable automatic rotation:
aws kms enable-key-rotation --key-id 1234abcd-12ab-34cd-56ef-1234567890abGenerate a data key:
aws kms generate-data-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --key-spec AES_256Encrypt data:
aws kms encrypt --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --plaintext fileb://plaintext.txt --output text --query CiphertextBlob | base64 --decode > encrypted.txtDecrypt data:
aws kms decrypt --ciphertext-blob fileb://encrypted.txt --output text --query Plaintext | base64 --decode > decrypted.txtCreate a Customer Master Key
First, you create a CMK in the AWS KMS console or via CLI. You choose the key type (symmetric or asymmetric), key usage (encrypt/decrypt or sign/verify), and origin (KMS or imported). You also define a key policy that specifies which principals can use the key. For symmetric keys, KMS generates a 256-bit AES-GCM key material. The CMK is stored in a FIPS 140-2 validated HSM. Once created, the CMK never leaves KMS.
Define Key Policy and IAM Permissions
You attach a key policy to the CMK. The policy must include a statement that allows the AWS account root to delegate access via IAM policies. Without this, IAM policies alone won't grant access. You also create IAM policies for users/roles that need to use the key. The key policy can also grant cross-account access by specifying external account IDs as principals.
Enable Automatic Key Rotation
For customer managed symmetric CMKs, you can enable automatic rotation. When enabled, KMS rotates the key material once per year. The old key material is retained for decryption of existing data. Rotation does not change the key ID or metadata. AWS managed keys are rotated automatically every 3 years. Asymmetric CMKs do not support automatic rotation.
Generate Data Key for Envelope Encryption
To encrypt data, you call GenerateDataKey with the CMK ID. KMS returns a plaintext data key and an encrypted copy of that data key (encrypted under the CMK). The plaintext key is used locally to encrypt your data (e.g., using AES-256). You then discard the plaintext key and store the encrypted data key alongside the ciphertext. This allows you to encrypt arbitrarily large data efficiently.
Decrypt Data Using Encrypted Data Key
To decrypt, you retrieve the encrypted data key and send it to KMS via the Decrypt API. KMS uses the same CMK to decrypt the data key and returns the plaintext data key. You then use the plaintext data key locally to decrypt the ciphertext. The encryption context (if used) must match exactly; otherwise, decryption fails. After decryption, you discard the plaintext data key.
Enterprise Scenario 1: Compliance-Driven Encryption for Healthcare Data
A healthcare company stores patient records in Amazon S3. They must comply with HIPAA, which requires encryption of protected health information (PHI). They create a customer managed CMK with automatic rotation enabled. The key policy restricts usage to a specific IAM role used by their application. They enable S3 default encryption with SSE-KMS, specifying their CMK. For additional security, they use an encryption context with the patient ID and bucket name. CloudTrail logs all KMS operations for auditing. Performance is not an issue because S3 handles envelope encryption transparently. A common misconfiguration is forgetting to allow the S3 service principal in the key policy, causing access denied errors. Another issue is using the same CMK for all buckets, which violates least privilege; they should use separate CMKs for different data classifications.
Enterprise Scenario 2: Multi-Region Disaster Recovery with Encrypted RDS
A financial services company runs an RDS MySQL database in us-east-1 encrypted with a customer managed CMK. For disaster recovery, they need a read replica in us-west-2. They use a multi-region CMK: they create the key in us-east-1 and replicate it to us-west-2. The replica has the same key ID and key material. When they create a cross-region read replica, RDS uses the replicated key to encrypt the replica. If a failover occurs, the application can decrypt data in the secondary region using the same key. They must ensure the key policy in the secondary region grants appropriate permissions. A common mistake is not replicating the key before creating the replica, causing the replica creation to fail. Cost is higher due to the additional CMK in the second region.
Enterprise Scenario 3: Client-Side Encryption for Sensitive Application Data
A SaaS company encrypts sensitive user data before storing it in DynamoDB. They use client-side encryption with the AWS Encryption SDK. The SDK uses KMS to generate data keys and performs envelope encryption locally. They use a CMK with a key policy that restricts usage to the application's IAM role. The encryption context includes the user ID and table name. This ensures that even if the DynamoDB table is compromised, the data remains encrypted. Performance is acceptable because the SDK caches data keys. A common issue is not rotating the CMK regularly; they enable automatic rotation. Another pitfall is using the same encryption context for all records, which reduces security; they should use unique context per record.
What SAA-C03 Tests on KMS and Encryption
The exam objectives (Domain 1.2: Secure Architectures) include designing secure access to AWS resources, which heavily involves KMS for encryption. You should expect questions on: - Envelope encryption: Why it is used and how it works. - Key types: AWS managed vs. customer managed, and when to use each. - Key policies vs. IAM policies: How they interact, especially cross-account access. - Automatic rotation: Which keys support it, and the rotation period. - Encryption context: Its purpose and requirement for decryption. - SSE-KMS vs. SSE-S3 vs. SSE-C: Differences and use cases. - Multi-Region keys: Use cases for disaster recovery.
Common Wrong Answers and Why
"Use SSE-S3 for compliance with external audit requirements" — Wrong because SSE-S3 uses AWS managed keys that you cannot control or audit. The correct answer is SSE-KMS with a customer managed CMK.
"Enable automatic rotation for asymmetric CMKs" — Wrong because only symmetric CMKs support automatic rotation. Candidates confuse key types.
"Grant cross-account access using IAM policies only" — Wrong because cross-account access requires a key policy that specifies the external account. IAM policies are account-specific.
"Encryption context is optional and can be omitted during decryption" — Wrong if used during encryption; the context must match exactly.
Specific Values and Terms That Appear
Rotation period: 1 year for customer managed symmetric CMKs, 3 years for AWS managed keys.
Maximum data size for direct encryption: 1 MB (larger must use envelope encryption).
Key deletion waiting period: 7-30 days, default 30.
FIPS 140-2 Level 2 (some regions Level 3).
AES-256 for symmetric keys.
Edge Cases and Exceptions
Importing key material: You can import your own key material, but automatic rotation is disabled. You must manually rotate by importing new material.
Custom key store: Requires CloudHSM; key material is stored in your HSM, not AWS.
Asymmetric keys: No automatic rotation; used for sign/verify or encrypt/decrypt with public key.
Multi-Region keys: Key ID is the same across regions; replication is manual.
How to Eliminate Wrong Answers
If the question mentions compliance, auditing, or key control, eliminate SSE-S3 and SSE-C. Choose SSE-KMS with customer managed CMK.
If the question involves cross-account access, look for key policy statements with external account IDs.
If the question involves large data, eliminate direct Encrypt API and choose GenerateDataKey.
If the question mentions rotation, check if the key type supports it (symmetric vs. asymmetric).
KMS uses envelope encryption: data is encrypted with a data key, which is then encrypted with a CMK.
Customer managed CMKs cost $1/month and support automatic rotation (yearly).
AWS managed keys are free but cannot be managed or rotated manually.
Key policies are resource-based; IAM policies alone cannot grant cross-account access.
Encryption context is cryptographically bound to ciphertext; it must match during decryption.
Direct Encrypt API is limited to 1 MB; use GenerateDataKey for larger data.
Asymmetric CMKs do not support automatic rotation.
Multi-Region keys have the same key ID across regions for disaster recovery.
Deleting a CMK is irreversible after a waiting period (7-30 days).
CloudTrail logs all KMS API calls for auditing.
These come up on the exam all the time. Here's how to tell them apart.
SSE-S3
Uses AWS managed keys (S3-managed).
No additional cost.
No control over key rotation or policies.
Not suitable for compliance requiring key control.
No encryption context support.
SSE-KMS
Uses AWS KMS (customer managed or AWS managed keys).
Cost: $1/month per customer managed CMK + usage.
Full control: key policies, rotation, auditing.
Suitable for compliance and regulatory requirements.
Supports encryption context for additional security.
Mistake
KMS keys can be exported and used outside of AWS.
Correct
Customer master keys (CMKs) never leave KMS. Only data keys (plaintext) can be exported temporarily for client-side encryption, but they should be discarded after use.
Mistake
AWS managed keys can be viewed and rotated manually.
Correct
AWS managed keys cannot be viewed, managed, or rotated manually. They are automatically rotated every 3 years. You have no control over them.
Mistake
IAM policies alone can grant cross-account access to a CMK.
Correct
Cross-account access requires a key policy that explicitly grants access to the external account. IAM policies are scoped to the same account.
Mistake
You can encrypt data larger than 1 MB directly with the Encrypt API.
Correct
The Encrypt API can only encrypt up to 1 MB of data. For larger data, you must use envelope encryption with GenerateDataKey.
Mistake
Automatic rotation changes the key ID of the CMK.
Correct
Automatic rotation creates new key material but retains the same key ID. The old material is kept for decryption of existing data.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
SSE-S3 uses S3-managed keys (AES-256) with no additional cost but no control over keys. SSE-KMS uses AWS KMS, allowing you to use a customer managed CMK (cost $1/month) for more control, auditing, and encryption context. SSE-C lets you provide your own encryption keys; S3 manages encryption but you manage key lifecycle. SSE-C is not FIPS 140-2 compliant.
Yes, by using a multi-region CMK. You create the key in one region and replicate it to others. The replicated keys have the same key ID and key material. This allows encrypting in one region and decrypting in another.
You must modify the key policy to include the external account as a principal. For example: {"Principal": {"AWS": "arn:aws:iam::123456789012:root"}}. Additionally, the external account must have IAM permissions to use the key.
After deletion (after the waiting period), any data encrypted under that key becomes permanently unrecoverable. You should only delete a key if you are certain no data depends on it. You can disable a key instead to prevent further use.
Yes, KMS provides APIs (GenerateDataKey, Encrypt, Decrypt) that can be used for client-side encryption. The AWS Encryption SDK simplifies this by handling envelope encryption and key caching.
Encryption context is a set of key-value pairs that are cryptographically bound to the encrypted data. It must be provided during decryption. It prevents ciphertext from being decrypted if the context is wrong, adding a layer of security. For example, you can use the S3 bucket name and object key as context.
No, automatic rotation is not supported for asymmetric CMKs. You must manually create a new key and update applications to use it. However, you can enable automatic rotation for symmetric CMKs.
You've just covered AWS KMS and Encryption Strategies — now see how well it sticks with free SAA-C03 practice questions. Full explanations included, no account needed.
Done with this chapter?