AWS KMS
KMS is the central layer that creates and protects encryption keys and lets other AWS services use them. Its focus is not the data itself but the lifecycle of the keys: creation, permissions, rotation, and audit history.
Architecture Diagram (figure: request and data flow between KMS, IAM, CloudTrail and the services that use keys)
If disks, objects, and databases must be encrypted but the keys are scattered across files and environment variables, rotation and access auditing quickly turn into manual work. The data may be encrypted, but when the keys themselves are handled poorly, that protection does not last.
When applications each held their own keys in files, rotation, revocation, and auditing were extremely difficult. This is why a central key management layer like KMS, connectable across cloud resources, became necessary.
KMS manages customer managed keys, their key policies, and grants, and lets other AWS services use these keys for encryption. Keys are protected by HSM-backed infrastructure, and CloudTrail records who used which key, for which operation, and when, so the audit trail stays intact.
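As an added example (not code from the page or from AWS), the script below shows the kind of audit the CloudTrail record makes possible: it groups CloudTrail-shaped KMS events by key, attributes every call to a principal, and separates key lifecycle and policy changes from routine cryptographic use. The field names follow CloudTrail's record format; the account id, key id, principals and timestamps are constructed.

```python
"""Audit KMS key usage from CloudTrail records (constructed sample data)."""
from collections import Counter, defaultdict
# KMS API calls that change a key's lifecycle or who may use it. Routine
# cryptographic use (Encrypt, Decrypt, GenerateDataKey) is expected noise;
# these are the calls an auditor wants attributed to a principal and a time.
SENSITIVE_ACTIONS = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy",
                     "CreateGrant", "DisableKeyRotation"}

# Constructed identifiers: the account id, key id and principals are made up.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"
APP = "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"
ADMIN = "arn:aws:iam::111122223333:user/kms-admin"

def _event(time, name, who, key=KEY_ARN, source="kms.amazonaws.com"):
    """Build one CloudTrail-shaped record (only the fields this audit reads)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": who}}
    if key:
        rec["resources"] = [{"ARN": key}]
    return rec

SAMPLE_EVENTS = [
    _event("2024-05-01T09:00:00Z", "GenerateDataKey", APP),
    _event("2024-05-01T09:00:02Z", "Decrypt", APP),
    _event("2024-05-01T09:05:00Z", "GetObject", APP, source="s3.amazonaws.com"),
    _event("2024-05-01T10:30:00Z", "PutKeyPolicy", ADMIN),
    _event("2024-05-01T10:31:00Z", "DisableKey", ADMIN),
    _event("2024-05-01T10:32:00Z", "ListKeys", ADMIN, key=None),
]

def summarize_key_usage(events):
    """Group KMS events per key: who used it, how often, and which lifecycle or
    policy calls were made. Non-KMS events and key-less calls (ListKeys) are skipped."""
    report = defaultdict(lambda: {"principals": set(), "actions": Counter(), "sensitive": []})
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        key_arns = [r["ARN"] for r in ev.get("resources", []) if "ARN" in r]
        who = ev.get("userIdentity", {}).get("arn", "<unknown>")
        for arn in key_arns:  # empty for key-less calls, so they drop out here
            entry = report[arn]
            entry["principals"].add(who)
            entry["actions"][ev["eventName"]] += 1
            if ev["eventName"] in SENSITIVE_ACTIONS:
                entry["sensitive"].append((ev["eventTime"], who, ev["eventName"]))
    return dict(report)

if __name__ == "__main__":
    for arn, entry in summarize_key_usage(SAMPLE_EVENTS).items():
        print(arn, dict(entry["actions"]), *entry["sensitive"], sep="\n  ")
```

On the constructed trail, the two application calls show up as routine use and the two administrative calls are listed separately with their principal and time, which is the question a compliance reviewer asks of key-usage history.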
IAM and KMS are both core to AWS security, but IAM defines who can perform which actions while KMS defines which keys encrypt and decrypt data. If the issue is access permissions, it is IAM; if it is data encryption, it is KMS.
Well-suited for workloads where encryption-key management and auditability matter, such as object storage, block volumes, relational databases, and application secrets. It is especially useful when compliance requires key-usage history. It is not the layer that decides who is allowed to access which resource.