Weather data is stored in the cloud or on-premises, its security is of paramount importance for a company. Encryption is one of the most powerful data security solutions which will protect data from unauthorized access, destruction and disclosure. In this tutorial, let’s discuss the AWS Key Management Service (KMS)- the most efficient data security solution from Amazon for applications and services running in the cloud as well as on-premise. 

Interested in Mastering AWS Course? Enrol now for a FREE demo on AWS Certification Training Course

In this AWS Key Management Service blog, you will learn below topics:

What is AWS KMS?

AWS Key Management Service (KMS) is a product of Amazon that helps administrators to create, control and delete keys, which encrypt the data stored in AWS products and databases. You can access AWS KMS within AWS Identity and Access Management (IAM) by selecting the section- “Encryption Keys” or using the software. It offers the user with centralized control over encryption keys to define the user data. The user will produce, rotate, import, disable, outline, and delete usage policies for, and audit how to use the secret writing keys to encode the user information.

If you want to know more about AWS: Visit here to learn AWS

Functions of AWS KMS:

The functions of AWS KMS include both the management functions and the Cryptographic functions as listed below:

Management functions of AWS KMS:

  1. With the help of AWS KMS, users can describe, create and also provide a list of master keys 
  2. One can enable or disable the master keys 
  3. There is also a possibility of creating, accessing the various control policies and viewing grants for your master keys 
  4. Even in a master key, one can easily enable or disable the automatic rotation of the cryptographic materials. 
  5. There is also a possibility of importing cryptographic materials into the master keys of AWS KMS 
  6. Users can also tag the respective master keys for identification with ease, tracking, and categorization 
  7. Users can also create, delete, update or even list all the aliases, mostly associated with the respective master keys
  8. Users can also delete the master keys to have notification of complete key lifecycle

Cryptographic Functions of AWS KMS:

  • One can easily encrypt, re-encrypt or else decrypt the data in a respective manner 
  • Users can also export various services to generate the data encryption keys either the services are provided in the plain text format or an encrypted form in the presence of any master key. 
  • Generating random numbers for applications of various cryptographic functions

How does AWS KMS Works?

AWS Key Management Service is mostly integrated with other AWS CloudTrail in order to deliver the encryption or provide various services with the help of key usage logs to get services done such as regulatory, auditing and compliance needs. 

AWS KMS allows you to store and manage your keys securely. The stored keys are called CMKs (Customer Master Keys). The government-approved Hardware Security Modules (HSMs) will generate and protect these keys and allows you to use only in plaintext in the modules. You can directly submit data to encrypt or decrypt KMS using master keys. You can set specific usage policies on them to determine which users can use them for encrypting or decrypting data.

Related blog: AWS vs Azure

Getting Started with AWS KMS

Let’s get started with KMS with a code example that demonstrates the core functions used in the AWS-KMS boilerplate repository. Let’s assume that we have an existing AWS account.

Step 1: Create a Customer Master Key (CMK)

The first step is creating a CMK, and this step can be skipped if you already have a setup to use. You can retrieve the available list of master keys using the following command:

$ aws kms list-keys 
"KeyArn": "arn:aws:kms:region:************:key/********-****-****-****-************",
    "KeyId": "********-****-****-****-************"

Step2: Create Key primary (optional)

Subscribe to our youtube channel to get new updates..!

Using generate-data-key command and the new CMK, generate new data key that returns an encryption key to use later in local data encryption. Now, using the key-spec parameter and AES algorithm, generate a 256 bit long symmetrical encryption key.

$ aws kms create-primary
  --secondary-name 'primary/kms-mindmajix tutorial' 
  --target-key-id '********-****-****-****-************'

Step 3: Create a data key

Using the command generate-data-key and our new CMK, generate a data key that returns an encryption key to use later in local data encryption. Now using the key-spec parameter and AES algorithm, generate a 256-bit symmetric encryption key.

$ aws kms generate-data-key 
  --key-id primary/kms-mindmajix tutorial 
  --key-spec 'AES_256' > './.key/data_key.json'

Note that the CiphertextBlob and the Plaintext properties return base64 encoded and the KeyId need not to refer the data key that is generated but to the CMK.

It is essential to note that KMS does not hold the Data Key records on the servers. Therefore, you should manage these keys by yourself.

  "Plaintext": "4XY5FgHP1JyH7SkNYjY6C6gpZlWLbG0jkw06dVu0B4I=",

"CiphertextBlob": "AQIDAHiP2nl/OYfqakZzv1qo7ir0iHai3O1Utd4q71Louy78XgGOk8YwfNOJo77u6nxAye/RAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMWfzIpfhT/iCHuZBdAgEQgDvFMB7ItgfGhdDdKZj6dMpzdiyYLuGKXNK2WpCrl1wi0S8uCZdtKpllJMNlhLaRVeX0ghxMqD+JK8gSfQ=="

Step 4: Storing the CipherTextBlob

Next step is extracting CipherTextBlob from the data_key.json base 64 decodes and store it in your respiratory. The toolkit OpenSSL will provide a base64 implementation that we use at the time of decoding.

The blob consists of meta-data about which CMK was used at the time of data key creation. It allows you to retrieve the key of plaintext later on decryption.

$ sed -nr 's/^.*"CiphertextBlob":s*"(.*?)".*$/1/p' './.key/data_key.json' 
  | openssl base64 -d > './.key/ciphertext_blob_decoded'

Step 5: Encrypting the data

Before moving to data encryption to extract the data, you need to base64 decode the text key of data_key.json since we made with the CipherTextBlob in the previous step.

$ sed -nr 's/^.*"Plaintext":s*"(.*?)".*$/1/p' './.key/data_key.json' 
  | openssl base64 -d > './.key/plaintext_key_decoded'

Since we’ve stored both the decoded cypher and the plaintext key in the .key/directory, now we can get out of the data_key .json files as they are no longer required.

 Note that we are using the shred command instead of remove (rm) command to securely delete the key file.

$ shred 
  --zero './.key/data_key.json'

Finally, we can start encrypting data using AES and OpenSSL. The following commands will help to do so.

$ OpenSSL enc -e -aes256 
  -kfile './.key/plaintext_key_decoded' 
  -in '.decrypted/database.json' 
  -out '.encrypted/database.json'

Now, we have to delete plaintext key; make sure that base64 decode CipherTextBlob are correctly stored as the blob is the only way to recover and decrypt the data stored.

$ shred 
  --zero './.key/plaintext_key_decoded'

Step 6: Decrypting the data

The data decryption is the most critical part. We have the deleted plaintext key after encryption, it is required to restore it first through leveraging the command AWS KMS decrypt.

Note that the responses from the command “decrypt” return JSON objects with the CMK Id. The query parameter enables us to return only the property which we are interested in, and which are error-prone and quite messy.

$ aws kms decrypt 
  --ciphertext-blob 'fileb://./.key/ciphertext_blob_decoded' 
  --query 'Plaintext' 
  --output text | openssl base64 -d -out './.key/plaintext_key_decoded'

Finally, pass the plaintext key to OpenSSL toolkit where we can get our encrypted example data to get decrypted.

$ openssl enc -d -aes256 
  -kfile './.key/plaintext_key_decoded' 
  -in '.encrypted/database.json' 
  -out '.decrypted/database.json'

Step 7: Log & audit CMK activity

AWS KMS is mostly integrated with other AWS CloudTrail to deliver the encryption or provide various services with the help of key usage logs to get services done such as regulatory, auditing and compliance needs. Using CloudTrails, you can determine the IP address of the code from which the request was made, when it was made, who made the request, and so on.

Related Blog: AWS Athena

Benefits of AWS KMS

AWS KMS provides you with centralized control over the encryption keys to protect your data. It empowers developers to attach encryption functionality easily to their application code directly using encrypt and decrypt service APIs or through integrating with the AWS Encryption SDK. 

Here is the list of the main benefits of AWS KMS:

  1. It is fully managed: This AWS Key Management Service is considered as the fully managed service, which mainly helps to focus on encryption needs of various applications in the technology. It also helps to deliver physical security, availability and also maintaining of different hardware components in a full-fledged manner.
  2. Centralized Key Management: AWS KMS will provide you with all the rights of the centralized control of the respective encryption keys. It will show the complete details of the key usage in the organization to boost revenues. Users can also create, rotate keys and import keys along with the correct definition usage of the policies. Users can also audit the usage from the AWS Management Console or with the help of CLI or else AWS SDK.
  3. Integrated with AWS Service: In a bid to ensure the smooth process to encrypt data that you store with the help of some services, this AWS KMS is also integrated with different other AWS Services. 
  4. Encryption for all your applications: AWS KMS will help you to manage encryption keys effectively and will also be used to store the applications without revealing their storage details.
  5. Built-in Auditing: AWS Key Management Service will make sure to work with AWS CloudTrail to ensure API calls logs ready to or else by KMS. Users can also know the details of the keys that are accessed or not and the person who accessed them with the help of these logs that meet compliance and regulatory requirements.
  6. Low-cost: In your respective account, there will be no particular charges for the default keys. The extra cost will only be paid for the master keys which you will use for key usage or else for creation purpose.
  7.  Security: Amazon Web Services KMS make sure to deliver or give the most secure place to store or else to use the encryption key. The key, such as FIPS 140-2, will be used for the security modules to store the encrypted keys that you will be used to save a substantial amount of data.
  8. Compliance: The quality controls and the security modules which are presented in KMS have been approved and also given a certification in which they are accomplished with a compliance scheme.


Now, you have got a grasp of the primary theories behind KMS and also implementing encryption mechanisms for the project. It is a critical thing controlling the security breaches occurring all the time. KMS offers data scrambling, so only the owner of the key or password can read it. This protects data confidentiality so that if an unauthorized person gained access to the service or the storage device, they would be unable to see the data. It also protects the data integrity so that it cannot tamper without owner’s knowledge.

If you interested to learn AWS and build a career in Cloud Computing?  Then check out our AWS Certification Training Course at your near Cities

AWS Online Training in Ahmedabad, AWS Online Training in Bangalore  AWS Online Training in ChennaiAWS Online Training in Delhi, AWS Online Training in Dallas, AWS Online Training in Hyderabad, AWS Online Training in London, AWS Online Training in Mumbai, AWS Online Training in NewYork, AWS online training in Pune

These courses are incorporated with Live instructor-led training, Industry Use cases, and hands-on live projects. This training program will make you an expert in AWS and help you to achieve your dream job.