It’s a method used to create and manage cryptographic keys with several AWS services. AWS Key Management Service uses hardware security modules to protect the security of keys. This enables to create, delete and control keys that encrypt data stored in AWS databases and products. This key is accessed through AWS Identity & Access Management (IAM) by selecting Encryption keys either/or through the command line or interface.
Benefit of AWS KMS
The primary benefit of AWS KMS is the centralized encryption control that enables you to create keys using policies and logging in to different services. KMS uses the envelope encryption method which is the practice of encrypting plaintext data with a data key and then encrypting the data key under another key.
Customer Master Keys
To control access to your customer master keys (CMKs) in AWS KMS, you can use AWS Identity and Access Management (IAM) policies in combination with key policies. The CMK contains metadata, like the key ID, created date, description, and key state. It is a logical representation of a master key. The CMK also contains the key material used to encrypt and decrypt data. When you create a CMK, you determine who can use and manage that CMK. You can find these permissions in the document called the key policy.
For a customer-managed CMK, this key policy is used to add, remove, or change permissions at any time. But, the key policy cannot edit for an AWS managed CMK. AWS KMS supports three types of CMKs. The support types are customer-managed CMKs, AWS managed CMKs, and AWS owned CMKs. In this, cryptographic operations are API operations that use CMKs to protect data. You must call AWS KMS to use a CMK in cryptographic operations because CMKs remain within AWS Key Management Service.
Check out: AWS Security Group Rules