1. Aws Kms Generate Strong Key Chains

Easily create and control the keys used to encrypt or digitally sign your data

There's nothing within the PCI DSS which would prevent you from using AWS KMS for both the KEK and the DEK. You should ensure you're generating strong keys, that the KEK is of equivalent strength to the DEK (e.g. both AES 256-bit), that the DEK is encrypted by the KEK, and that you have separate key custodians for key components.
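As an added illustration of the requirements in the answer above (example code, not part of the original answer or of AWS KMS itself), the Go program below does envelope encryption locally: a fresh 256-bit DEK encrypts the data, a 256-bit KEK wraps the DEK, and a KEK shorter than the DEK is refused. The local AES-GCM wrap stands in for the wrapping that KMS performs inside its HSMs via GenerateDataKey and Decrypt; the names `Envelope`, `Encrypt`, `Decrypt` and the sample plaintext are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets stored: the data ciphertext plus the DEK wrapped
// under the KEK. The KEK itself never travels with the data.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted under the KEK (nonce || ciphertext+tag)
	Ciphertext []byte // data encrypted under the DEK (nonce || ciphertext+tag)
}

// newKey draws n bytes from the OS CSPRNG.
func newKey(n int) ([]byte, error) {
	k := make([]byte, n)
	_, err := rand.Read(k)
	return k, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16, 24 or 32-byte keys only
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM under key and prefixes the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; a wrong key or a tampered blob fails authentication.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Encrypt generates a fresh DEK of dekBytes, encrypts data under it and wraps
// the DEK under kek. A KEK shorter than the DEK is refused: wrapping a 256-bit
// DEK under a 128-bit KEK caps the whole scheme at 128 bits.
func Encrypt(kek []byte, dekBytes int, data []byte) (Envelope, error) {
	if len(kek) < dekBytes {
		return Envelope{}, fmt.Errorf("KEK is %d bits, weaker than the %d-bit DEK", len(kek)*8, dekBytes*8)
	}
	dek, err := newKey(dekBytes) // in AWS: kms:GenerateDataKey returns this plus its wrapped form
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, data)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek) // local stand-in for the wrap KMS performs inside the HSM
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK (in AWS: kms:Decrypt), then decrypts the data.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := unseal(kek, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, env.Ciphertext)
}

func main() {
	kek, _ := newKey(32)                              // 256-bit KEK, plays the role of the KMS key
	env, err := Encrypt(kek, 32, []byte("card data")) // 256-bit DEK: same strength as the KEK
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, env)
	fmt.Printf("%s %v\n", pt, err)
}
```

The strength check is the point the answer makes about the KEK and DEK being of equivalent strength: with KMS the KEK is a symmetric KMS key (AES-256), so a 256-bit DEK is the matching choice. Separate custodianship of key components is an organisational control and is not represented in code.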

AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.


AWS Free Tier includes 20,000 free AWS Key Management Service requests each month.


Fully managed

You control access to your encrypted data by defining permissions to use keys while AWS KMS enforces your permissions and handles the durability and physical security of your keys.

Centralized key management

AWS KMS presents a single control point to manage keys and define policies consistently across integrated AWS services and your own applications. You can easily create, import, rotate, delete, and manage permissions on keys from the AWS Management Console or by using the AWS SDK or CLI.


Manage encryption for AWS services

AWS KMS is integrated with AWS services to simplify using your keys to encrypt data across your AWS workloads. You choose the level of access control that you need, including the ability to share encrypted resources between accounts and services. KMS logs all use of keys to AWS CloudTrail to give you an independent view of who accessed your encrypted data, including AWS services using them on your behalf.


Encrypt data in your applications

AWS KMS is integrated with the AWS Encryption SDK to enable you to use KMS-protected data encryption keys to encrypt locally within your applications. Using simple APIs, you can also build encryption and key management into your own applications wherever they run.


Digitally sign data

AWS KMS enables you to perform digital signing operations using asymmetric key pairs to ensure the integrity of your data. Recipients of digitally signed data can verify the signatures whether they have an AWS account or not.


Low cost

There is no commitment and no upfront charges to use AWS KMS. You only pay US $1/month to store any key that you create. AWS managed keys that are created on your behalf by AWS services are free to store. You are charged per-request when you use or manage your keys beyond the free tier.



AWS KMS uses hardware security modules (HSMs) that have been validated under FIPS 140-2, or are in the process of being validated, to generate and protect keys. Your keys are only used inside these devices and can never leave them unencrypted. KMS keys are never shared outside the AWS region in which they were created.



The security and quality controls in AWS KMS have been certified under multiple compliance schemes to simplify your own compliance obligations. AWS KMS provides the option to store your keys in single-tenant HSMs in AWS CloudHSM instances that you control.


Built-in auditing

AWS KMS is integrated with AWS CloudTrail to record all API requests, including key management actions and usage of your keys. Logging API requests helps you manage risk, meet compliance requirements and conduct forensic analysis.



01 Run the describe-db-instances command (OSX/Linux/UNIX) to list all RDS database instances available in the selected AWS region:

02 The command output should return each RDS database instance identifier (name):

03 Run the describe-db-instances command again (OSX/Linux/UNIX) with the selected instance identifier to determine whether the database instance is encrypted and, if so, which KMS key it uses (AWS-managed or customer-managed):

04 The command output should reveal the RDS instance encryption status:

  1. If the StorageEncrypted parameter value is false, storage encryption is not enabled for the instance.
  2. If the StorageEncrypted parameter value is true, storage encryption is enabled and the ARN (Amazon Resource Name) of the KMS key used for encryption/decryption is returned as the value of the KmsKeyId parameter.

05 Now run the list-aliases command (OSX/Linux/UNIX) to list all KMS key aliases (names), their target key IDs and their ARNs available in the specified region:

06 The command output should return each available KMS key alias, key ID and ARN. Compare each TargetKeyId value with the key ID portion of the KmsKeyId ARN returned at the previous step (the part after key/; the ARN as a whole will not match a bare key ID) to find the key that encrypts the instance. If the AliasName for the matching key is alias/aws/rds, the instance is encrypted with the AWS-managed default key for RDS rather than with a customer-managed KMS key (recommended).

07 Repeat steps no. 1 – 6 for each RDS instance provisioned in the current region. Change the AWS region with the --region option to repeat the process for other regions.
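The seven steps above joined into one offline check, as an added example that is not part of the original procedure or of any AWS tool. It consumes the JSON that `aws rds describe-db-instances` (run without an identifier, so one call covers every instance in the region and step 07's loop becomes implicit) and `aws kms list-aliases` produce, performs the key ID comparison of step 06 for each instance, and flags the alias/aws/ namespace as AWS-managed. The field names are those of the real CLI responses; the embedded sample responses are constructed, and the account number, instance names and key IDs in them are made up.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Only the fields the check needs; json.Unmarshal ignores the rest of the CLI output.
type dbInstances struct {
	DBInstances []struct {
		DBInstanceIdentifier string
		StorageEncrypted     bool
		KmsKeyId             string // key ARN, present only when StorageEncrypted is true
	}
}
type kmsAliases struct {
	Aliases []struct {
		AliasName   string
		TargetKeyId string // bare key ID (UUID), not an ARN
	}
}
type Finding struct {
	Instance string
	Status   string // "unencrypted", "aws-managed" or "customer-managed"
	KeyAlias string
}

// keyIDFromARN turns arn:aws:kms:<region>:<account>:key/<id> into <id>;
// an input that is already a bare ID is returned unchanged.
func keyIDFromARN(s string) string {
	if i := strings.LastIndex(s, "key/"); i >= 0 {
		return s[i+len("key/"):]
	}
	return s
}

// Audit joins describe-db-instances output with list-aliases output and classifies
// every instance (steps 03 to 07). An alias in the alias/aws/ namespace marks an AWS
// managed key; any other alias, or a key with no alias at all, is customer managed.
func Audit(instancesJSON, aliasesJSON []byte) ([]Finding, error) {
	var inst dbInstances
	if err := json.Unmarshal(instancesJSON, &inst); err != nil {
		return nil, err
	}
	var al kmsAliases
	if err := json.Unmarshal(aliasesJSON, &al); err != nil {
		return nil, err
	}
	aliasByKey := map[string]string{}
	for _, a := range al.Aliases {
		aliasByKey[a.TargetKeyId] = a.AliasName
	}
	var out []Finding
	for _, db := range inst.DBInstances {
		f := Finding{Instance: db.DBInstanceIdentifier, Status: "unencrypted"}
		if db.StorageEncrypted {
			f.KeyAlias = aliasByKey[keyIDFromARN(db.KmsKeyId)]
			f.Status = "customer-managed"
			if strings.HasPrefix(f.KeyAlias, "alias/aws/") {
				f.Status = "aws-managed"
			}
		}
		out = append(out, f)
	}
	return out, nil
}

// Constructed sample responses shaped like the real CLI output; all identifiers are made up.
const sampleInstances = `{"DBInstances":[
 {"DBInstanceIdentifier":"orders-db","StorageEncrypted":true,
  "KmsKeyId":"arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"},
 {"DBInstanceIdentifier":"payments-db","StorageEncrypted":true,
  "KmsKeyId":"arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222"},
 {"DBInstanceIdentifier":"staging-db","StorageEncrypted":false}]}`

const sampleAliases = `{"Aliases":[
 {"AliasName":"alias/aws/rds","TargetKeyId":"11111111-1111-1111-1111-111111111111"},
 {"AliasName":"alias/payments-cmk","TargetKeyId":"22222222-2222-2222-2222-222222222222"}]}`

func main() {
	instJSON, alJSON := []byte(sampleInstances), []byte(sampleAliases)
	if len(os.Args) == 3 { // real run: the two files saved from the CLI commands
		var err error
		if instJSON, err = os.ReadFile(os.Args[1]); err != nil {
			panic(err)
		}
		if alJSON, err = os.ReadFile(os.Args[2]); err != nil {
			panic(err)
		}
	}
	findings, err := Audit(instJSON, alJSON)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-12s %-16s %s\n", f.Instance, f.Status, f.KeyAlias)
	}
}
```

With no arguments the program runs against the embedded sample and reports orders-db as aws-managed, payments-db as customer-managed and staging-db as unencrypted. For a real region, save `aws rds describe-db-instances --region eu-west-1 > instances.json` and `aws kms list-aliases --region eu-west-1 > aliases.json`, then run the program with the two file names; repeat per region as step 07 says. A customer-managed key that has no alias shows up with an empty alias column, which is worth a second look but is not the AWS default key.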
