AWS Key Management Service (KMS)

AWS Key Management Service (KMS) provides a centralized platform for creating, managing, and using encryption keys, ensuring data protection across various AWS workloads.

Vendor: AWS (proprietary, cloud service only)
Category: Data Security & Encryption
Last page update: 19 days ago
Pricing details: Free tier of 20,000 requests per month; $0.03 per additional 10,000 requests; $1 per key version per month.
Target audience: Developers and organizations using AWS services that require secure key management.

AWS Key Management Service (KMS) is designed for managing and controlling cryptographic keys across various AWS workloads. At its core, KMS provides a centralized platform for creating, managing, and using encryption keys, ensuring that data is protected both at rest and in transit.

Technically, KMS integrates with numerous AWS services, such as Amazon S3, Amazon EBS, Amazon RDS, and more. It supports multiple types of keys, including customer-managed keys, AWS-managed keys, and AWS-owned keys, each offering a different level of customer control over policy, rotation, and lifecycle.

Key operations in KMS use symmetric keys for encryption and asymmetric key pairs for digital signatures. Every API request to KMS must be signed with an access key ID and secret access key, and is transmitted over Transport Layer Security (TLS) using cipher suites that provide Perfect Forward Secrecy (PFS).

Operationally, KMS requires careful consideration of key policies and IAM permissions. Key policies control access to KMS keys: every key has exactly one key policy, which defines which principals may perform which actions on that key. IAM policies can additionally deny access to KMS keys, but they can only grant access when the key policy itself permits it (typically by delegating to IAM through an allow statement for the account's root principal); an IAM allow with no corresponding permission in the key policy grants nothing.

Limitations include the need for strict access controls and the potential for increased costs, particularly with key rotation and high volumes of API requests. For example, while KMS provides a free tier of 20,000 requests per month, additional requests are charged at $0.03 per 10,000 requests. Key versions are also billed at $1 per month.

In terms of specific technical details, KMS logs all API requests to AWS CloudTrail, allowing for detailed auditing and compliance tracking. The service also supports envelope encryption, in which a data key generated by KMS encrypts the data and KMS encrypts only that data key under the KMS key, and it supports encryption contexts: if a context was supplied when data was encrypted, the same context must be supplied on decryption, or the request fails, which binds the ciphertext to the intended use and surfaces the context in CloudTrail.
