- Key Management Service - a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data
- Encryption keys are regional
- Uses multitenant hardware
- takes 7-30 days to encrypt keys
- alias (name)
- creation date
- description
- key state
- key material (either your own imported key material or KMS-generated)
- Can never export a CMK
  - If you need to export your keys, you need to use CloudHSM
- create alias and description
- choose key material (optional)
- define key administrative permissions
  - which user/role can administer (but not use) the key
- define key usage permissions
  - which user/role can use the key to encrypt/decrypt data
- aws kms encrypt
- aws kms decrypt
- aws kms re-encrypt - will decrypt and re-encrypt it immediately and destroy the plain text
- aws kms enable-key-rotation
- The process of encrypting your envelope key (i.e. the key you use to encrypt your data)
- Envelope key sometimes called data key
- To decrypt, take the master key and run the decryption algorithm on the encrypted data key to recover the plain-text data key, then use the plain-text data key to decrypt the data
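The envelope-encryption flow above (generate a data key, encrypt the data with it, wrap the data key under the master key, and on decrypt unwrap first) together with the encrypt/decrypt/re-encrypt/rotation commands listed earlier, as an added stdlib-only Python example that is not from the notes or from AWS. `SimulatedKMS`, `seal`, `open_` and the HMAC-counter-mode stream cipher are all assumptions standing in for the real KMS API and for AES-GCM so the example runs offline; the master key material never leaves the `SimulatedKMS` object, mirroring the "can never export a CMK" rule.

```python
"""Envelope encryption with a simulated KMS master key (added example, stdlib only)."""
import hashlib
import hmac
import secrets

# --- toy authenticated cipher (assumption: stands in for AES-GCM, not production-grade) ---

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy stream cipher)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError on any tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return _keystream_xor(key, nonce, ct)

# --- simulated KMS key (assumption: models a CMK; master material is never exported) ---

class SimulatedKMS:
    def __init__(self) -> None:
        # Backing key versions; index 0 is the oldest. New encryptions use the newest.
        self._versions = [secrets.token_bytes(32)]

    def generate_data_key(self) -> tuple[bytes, bytes]:
        """Like `aws kms generate-data-key`: plaintext data key plus its wrapped copy."""
        data_key = secrets.token_bytes(32)
        return data_key, self.encrypt(data_key)

    def encrypt(self, plaintext: bytes) -> bytes:
        """Like `aws kms encrypt`: wrap under the current backing key, prefix the version."""
        ver = len(self._versions) - 1
        return ver.to_bytes(2, "big") + seal(self._versions[ver], plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        """Like `aws kms decrypt`: pick the backing key by version and unwrap."""
        ver = int.from_bytes(blob[:2], "big")
        return open_(self._versions[ver], blob[2:])

    def re_encrypt(self, blob: bytes) -> bytes:
        """Like `aws kms re-encrypt`: plaintext exists only inside this call."""
        return self.encrypt(self.decrypt(blob))

    def rotate(self) -> None:
        """Like enable-key-rotation: new backing key; old versions kept so old data still decrypts."""
        self._versions.append(secrets.token_bytes(32))

def wrapped_key_version(wrapped_key: bytes) -> int:
    """Which backing-key version a wrapped data key was produced under."""
    return int.from_bytes(wrapped_key[:2], "big")

# --- envelope encryption on the client side ---

def envelope_encrypt(kms: SimulatedKMS, plaintext: bytes) -> tuple[bytes, bytes]:
    data_key, wrapped_key = kms.generate_data_key()
    ciphertext = seal(data_key, plaintext)
    del data_key  # discard the plaintext data key; only the wrapped copy is stored
    return wrapped_key, ciphertext

def envelope_decrypt(kms: SimulatedKMS, wrapped_key: bytes, ciphertext: bytes) -> bytes:
    data_key = kms.decrypt(wrapped_key)      # master key unwraps the data key first
    return open_(data_key, ciphertext)       # then the plaintext data key decrypts the data

def tamper_detected(kms: SimulatedKMS, wrapped_key: bytes, ciphertext: bytes) -> bool:
    try:
        envelope_decrypt(kms, wrapped_key, ciphertext)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    kms = SimulatedKMS()
    wk, ct = envelope_encrypt(kms, b"customer record (constructed sample)")
    kms.rotate()                              # old wrapped keys still decrypt after rotation
    print(envelope_decrypt(kms, wk, ct))
    print("re-encrypted under version", wrapped_key_version(kms.re_encrypt(wk)))
```

Note that the bulky ciphertext never goes to the master key: only the small data key is wrapped and unwrapped, and after `rotate()` the old wrapped key still decrypts because the old backing-key version is retained, while `re_encrypt` moves it to the newest version without the plaintext data key leaving the KMS object.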
