About AWS Key Management Service (KMS)
AWS Key Management Service (KMS) enables you to create, manage, and use cryptographic keys in AWS services and your applications. It is a secure and resilient service and integrates with AWS CloudTrail to provide logs of all key usage to help meet your regulatory and compliance needs. Refer to the following URL for more information about AWS KMS: https://docs.aws.amazon.com/kms/index.htmlCustomer-managed keys
Customer-managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants. You can perform the following tasks:- Enable and disable them.
- Rotate their cryptographic material.
- Add tags.
- Create aliases that refer to the KMS keys.
- Schedule the KMS keys for deletion.
- Amazon S3
- The Transparent Data Encryption functionality in Amazon RDS and Amazon DynamoDB
- Amazon Route 53
- AWS Lambda
Key integration benefits
The AWS KMS and KMES Series 3 integration provides the following benefits:| Key provenance | You are the sole owner of your keys, so you can control their location and distribution. |
|---|---|
| Added assurance | Keys created on the KMES and imported into AWS KMS never leave the HSM boundary. Even after they are in AWS KMS, the keys are stored on hardware security modules on the backend. |
| Centralized key management | You can manage your keys and access policies from a single location and user interface, whether the data they protect resides in the cloud or on your premises. |
| Audit compliance | Many audits require you to escrow keys outside of the cloud provider. You can do this through this integration. |
Integration overview
To integrate KMES Series 3 with AWS Cloud Key Management, you must perform the following tasks:- Create communication credentials.
- Create a customer-managed key in AWS-KMS.
- Create and push keys from KMES to AWS KMS.