AWS KMS - Key Types

Terminology

  • KMS key is the current term; it replaces the older term customer master key (CMK).

1. Symmetric Keys

  • Uses AES-256 encryption.
  • A single key handles both encryption and decryption.
  • Default for most AWS service integrations.
  • The raw key material is never exposed; it never leaves KMS in plaintext.
  • All cryptographic operations must be performed through the KMS API.

2. Asymmetric Keys

  • Based on RSA or ECC key pairs.
  • Uses:
    • Public key for encryption or signature verification.
    • Private key for decryption or signing.
  • The public key can be downloaded.
  • The private key remains inaccessible in plaintext.
  • Designed for:
    • External applications that need to encrypt data or verify signatures with the public key without calling the KMS API directly.
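
An added example (not from the original page) of the asymmetric-key model described above: signing goes through the KMS Sign API, while verification uses the public key downloaded with GetPublicKey and runs entirely outside KMS. It assumes the boto3 and `cryptography` packages, a hypothetical key alias, and AWS credentials for the two KMS calls; the DER-to-PEM helper works offline.

```python
import base64
import hashlib

# Hypothetical key alias (assumption); a real KMS key ID or ARN goes here.
KEY_ID = "alias/example-signing-key"
SIGNING_ALG = "RSASSA_PKCS1_V1_5_SHA_256"  # a real KMS SigningAlgorithm value


def der_to_pem(der: bytes) -> str:
    """Wrap the DER SubjectPublicKeyInfo returned by GetPublicKey in PEM.

    KMS hands back the public key as raw DER bytes; openssl and the
    `cryptography` package expect PEM, i.e. base64 in 64-character lines
    between the standard BEGIN/END PUBLIC KEY markers.
    """
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines)
            + "\n-----END PUBLIC KEY-----\n")


def sign_with_kms(message: bytes, key_id: str = KEY_ID) -> bytes:
    """Signing stays inside KMS: the private key is never returned to us."""
    import boto3  # lazy import so the offline helper works without AWS
    kms = boto3.client("kms")
    digest = hashlib.sha256(message).digest()
    resp = kms.sign(KeyId=key_id, Message=digest, MessageType="DIGEST",
                    SigningAlgorithm=SIGNING_ALG)
    return resp["Signature"]


def fetch_public_key_pem(key_id: str = KEY_ID) -> str:
    """The only key material KMS exports for an asymmetric key: the public half."""
    import boto3
    kms = boto3.client("kms")
    return der_to_pem(kms.get_public_key(KeyId=key_id)["PublicKey"])


def verify_offline(pem: str, message: bytes, signature: bytes) -> bool:
    """Verification needs no KMS call at all, only the downloaded public key."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    pub = serialization.load_pem_public_key(pem.encode("ascii"))
    try:
        pub.verify(signature, message, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False
```

Because verification runs on the cached PEM, a fleet of clients can check KMS-produced signatures without any KMS permissions or per-request API calls.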

Use Cases

  • Symmetric → Preferred for AWS-managed encryption across services.
  • Asymmetric → Best for client-side encryption and digital signatures.