KMS
What
KMS stands for Key Management Service: the AWS service that creates and stores encryption keys and performs cryptographic operations with them, so key material never leaves the service in plaintext.
Some Info
- Every use of a key (Encrypt, Decrypt, GenerateDataKey, ...) is logged to CloudTrail together with the caller identity, so key use can be audited.
- Charged per API request plus a monthly fee per customer managed key.
Key Type
- Who manages the key
- AWS Managed Keys (aws/s3, aws/ebs, ...) -> created and managed by AWS for one service, usable only by that service, key policy not editable, no monthly fee
- Customer Managed Keys -> created and managed by you (policy, rotation, deletion), $1 per month
- Customer Managed Keys with imported key material -> you generate the material and import it (you can set an expiry and delete it), $1 per month
- Encryption type
- Symmetric (AES-256) -> the default; one key encrypts and decrypts; the key never leaves KMS, callers send data to the API or use a generated data key for envelope encryption
- Asymmetric (RSA or ECC key pair) -> encrypt/decrypt (RSA) or sign/verify (RSA, ECC); the private key stays in KMS, the public key can be downloaded and used outside AWS; most AWS services only integrate with symmetric keys
Key Policy
- A resource-based policy attached to each key that specifies who can use and administer it. It is the gate: an IAM policy alone can never grant access to a key whose key policy does not allow it. The default policy grants the owning account root "kms:*", which delegates to IAM policies in that account. For cross-account use, the key policy must grant the external account (or principals in it) and the external account's own IAM policies must also allow the action.
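The two-sided rule above, modelled offline as an added example (not part of the original notes and not AWS code). The account IDs 111122223333 and 444455556666 are the placeholder IDs AWS documentation uses, the key ID and the role name are made up, and the evaluator is a deliberate simplification of KMS authorization: Allow statements only, no Deny, no Condition keys, no grants.

```python
"""Cross-account KMS key policy, evaluated offline.

Added example, not from the original notes and not AWS code. Account IDs
111122223333 (key owner) and 444455556666 (consumer) are the placeholder IDs
used in AWS documentation; the key ID and role name are made up.
The evaluator is a deliberate simplification of KMS authorization:
Allow statements only, no Deny, no Condition keys, no grants.
"""
import fnmatch

KEY_OWNER = "111122223333"
CONSUMER = "444455556666"
KEY_ARN = f"arn:aws:kms:us-east-1:{KEY_OWNER}:key/1234abcd-12ab-34cd-56ef-1234567890ab"

KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Keeps the owning account's IAM policies in control of the key
            # (remove this statement and you can lock yourself out).
            "Sid": "EnableIAMUserPermissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{KEY_OWNER}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {   # Cross-account grant: usage only, no administration.
            "Sid": "AllowUseFromConsumerAccount",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{CONSUMER}:root"},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
        },
    ],
}

# IAM policy attached to a role in the consumer account (assumed, not on the page).
CONSUMER_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": KEY_ARN,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, name):
    """IAM-style wildcard match ('kms:*', 'kms:GenerateDataKey*'), case-insensitive."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in _as_list(patterns))


def account_of(arn):
    return arn.split(":")[4]


def key_policy_grant(policy, principal_arn, action):
    """'direct' if a statement names the principal itself, 'root' if one names
    only the principal's account root, None if nothing allows the action."""
    root = f"arn:aws:iam::{account_of(principal_arn)}:root"
    result = None
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or not _matches(st["Action"], action):
            continue
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if principal_arn in principals:
            return "direct"
        if root in principals:
            result = "root"
    return result


def iam_allows(policy, action, resource_arn):
    return any(
        st.get("Effect") == "Allow"
        and _matches(st["Action"], action)
        and _matches(st["Resource"], resource_arn)
        for st in policy["Statement"]
    )


def can_use_key(principal_arn, action, caller_iam_policy=None):
    """The key policy is the gate. When it only names an account root (always
    the case for the cross-account grant above) the caller additionally needs
    an IAM allow in its own account."""
    grant = key_policy_grant(KEY_POLICY, principal_arn, action)
    if grant is None:
        return False
    same_account = account_of(principal_arn) == account_of(KEY_ARN)
    if grant == "direct" and same_account:
        return True
    return caller_iam_policy is not None and iam_allows(caller_iam_policy, action, KEY_ARN)
```

The consumer role gets kms:Decrypt only because both policies say yes; drop either one and the call is denied, and no IAM policy in the consumer account can reach kms:ScheduleKeyDeletion because the key policy never offered it.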
Auto Rotation
- AWS managed keys are always rotated automatically, every year.
- Customer managed keys: automatic rotation is off by default and has to be enabled; the default interval is one year (a custom period can be configured). Rotation creates new backing key material but keeps the old material, so existing ciphertext still decrypts and nothing is re-encrypted.
- Keys with imported key material and keys in a custom key store (CloudHSM) cannot be rotated automatically; rotate them manually by creating a new key and repointing the alias.
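A mock of the rotation behaviour above, added here as an example (not part of the original notes and not AWS's implementation). It models what the notes describe: rotation appends new backing material, old material is retained so older ciphertext still decrypts, nothing is re-encrypted, and a key with imported material (Origin EXTERNAL) refuses automatic rotation. The HMAC-SHA256 keystream cipher is a stdlib stand-in for the AES-256-GCM KMS actually uses and the key ID format is made up; both are for illustration only.

```python
"""Mock of KMS key rotation behaviour, offline.

Added example, not from the original notes and not AWS's implementation.
The HMAC-SHA256 keystream cipher is a stdlib stand-in for AES-256-GCM and the
key ID format is invented; illustration only, not a secure cipher.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

NONCE_LEN = 16


def _stream_xor(material: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream HMAC(material, nonce || counter) XORed with data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        keystream = hmac.new(material, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


@dataclass
class Key:
    origin: str                                   # "AWS_KMS" or "EXTERNAL" (imported)
    material: list = field(default_factory=list)  # backing key versions, oldest first
    rotation_enabled: bool = False
    rotation_period_days: int = 365


class MockKMS:
    def __init__(self):
        self.keys = {}

    def create_key(self, origin="AWS_KMS", imported_material=None) -> str:
        key_id = secrets.token_hex(8)  # invented ID format
        if origin == "EXTERNAL":
            if imported_material is None:
                raise ValueError("EXTERNAL keys have no material until it is imported")
            material = [imported_material]
        else:
            material = [secrets.token_bytes(32)]
        self.keys[key_id] = Key(origin=origin, material=material)
        return key_id

    def enable_key_rotation(self, key_id, rotation_period_days=365):
        key = self.keys[key_id]
        if key.origin != "AWS_KMS":
            raise ValueError("automatic rotation is not supported for imported or custom key store material")
        if not 90 <= rotation_period_days <= 2560:  # KMS's allowed range for a custom period
            raise ValueError("rotation period must be between 90 and 2560 days")
        key.rotation_enabled = True
        key.rotation_period_days = rotation_period_days

    def rotate(self, key_id):
        """What the scheduled rotation does: add new material, keep the old."""
        self.keys[key_id].material.append(secrets.token_bytes(32))

    def current_version(self, key_id) -> int:
        return len(self.keys[key_id].material) - 1

    def encrypt(self, key_id, plaintext: bytes) -> bytes:
        key = self.keys[key_id]
        version = len(key.material) - 1  # always the newest backing material
        nonce = secrets.token_bytes(NONCE_LEN)
        body = _stream_xor(key.material[version], nonce, plaintext)
        # The ciphertext blob records which backing version produced it.
        return version.to_bytes(2, "big") + nonce + body

    def decrypt(self, key_id, blob: bytes) -> bytes:
        key = self.keys[key_id]
        version = int.from_bytes(blob[:2], "big")  # select the retained old material
        nonce = blob[2:2 + NONCE_LEN]
        return _stream_xor(key.material[version], nonce, blob[2 + NONCE_LEN:])


def ciphertext_version(blob: bytes) -> int:
    return int.from_bytes(blob[:2], "big")


def rotation_supported(kms: MockKMS, key_id: str) -> bool:
    try:
        kms.enable_key_rotation(key_id)
        return True
    except ValueError:
        return False
```

After a rotation, ciphertext produced earlier still carries version 0 and decrypts with the retained material; only new Encrypt calls use version 1. If you need old data under new material, you have to re-encrypt it yourself.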