KMS and Cloud HSM - Encryption - AWS Certification Cheat Sheet

Let’s get a quick overview of KMS and Cloud HSM from an AWS certification perspective. We will look at important certification questions regarding KMS and Cloud HSM.

You will learn

  • What is KMS?
  • What is Cloud HSM?
  • Why do we need KMS and Cloud HSM?
  • How is KMS different from Cloud HSM?
  • How do you manage keys with KMS and Cloud HSM?

AWS Certification Study Material and Notes - 25 PDF Cheat Sheets

Each cheat sheet contains:

  • FAQs and Tutorials with 5-20 slides
  • Study Material and Notes to quickly review and prepare for certification exam
  • Certification Exam Tips
  • Certification and Interview Scenario Questions

KMS and Cloud HSM

  • How do you generate, store, use and replace your keys?
  • AWS provides two important services - KMS and Cloud HSM
    • Manage your keys
    • Perform encryption and decryption


  • Create and manage cryptographic keys (symmetric and asymmetric)
  • Control their use in your applications and AWS Services
  • Define key usage permissions (including cross account access)
  • Track key usage in AWS CloudTrail (regulations & compliance)
  • Integrates with almost all AWS services that need data encryption
  • Automatically rotate master keys once a year
    • No need to re-encrypt previously encrypted data (versions of master key are maintained)
  • Schedule key deletion to verify if the key is used
    • Mandatory minimum wait period of 7 days (max-30 days)

Server Side Encryption with KMS

  • Create Customer Master Key. Map to AWS service (S3)
  • Steps
    • Data sent to S3
    • S3 receives data keys from KMS
    • S3 encrypts data
    • Stores encrypted data & data key
  • Remember
    • CMK never leaves KMS
    • Encryption of data key - KMS using CMK
    • Encryption of data - AWS Service - Amazon S3 using data key

Envelope Encryption

  • The process KMS uses for encryption is called Envelope Encryption
    • Data is encrypted using data key
    • Data key is encrypted using Master key
    • Master key never leaves KMS
  • KMS encrypts small pieces of data (usually data keys) less than 4 KB

Decryption of data using KMS

  • AWS service (Amazon S3) sends encrypted data key to KMS
  • KMS uses Customer Master Key (CMK) to decrypt and return plain-text data key
  • AWS service (Amazon S3) uses the plain-text data key to perform decryption
  • (TIP) Remove plain-text data key from memory asap
  • (TIP) AWS service needs IAM permissions to use the CMK
  • Remember:
    • (Optional) You can associate a key/value map called encryption context with any cryptographic operation
    • (TIP) If encryption context is different, decryption will NOT succeed


  • Managed (highly available & auto scaling) dedicated single-tenant Hardware Security Module(HSM) for regulatory compliance
    • (Remember) AWS KMS is a multi-tenant service
  • FIPS 140-2 Level 3 compliant
  • AWS CANNOT access your encryption master keys in CloudHSM
    • In KMS, AWS can access your master keys
    • Be ultra safe with your keys when you are using CloudHSM
    • (Recommendation) Use two or more HSMs in separate AZs in a production cluster


  • AWS KMS can use CloudHSM cluster as “custom key store” to store the keys:
    • AWS Services can continue to talk to KMS for data encryption
    • (AND) KMS does the necessary integration with CloudHSM cluster
  • (Best Practice) CloudWatch for monitoring and CloudTrail to track key usage
  • Use cases
    • (Web servers) Offload SSL processing
    • Certificate Authority
    • Digital Rights Management
    • TDE for Oracle databases


Certification - Recommended Reading

Elastic Load Balancer (ELB) vs Network Load Balancer (NLB) - A Difference

Elastic Beanstalk vs Cloudformation vs Opswork vs Codedeploy - A Difference

EBS HDD Storages - A Difference

AWS Shield vs AWS WAF vs AWS Macie - Protect Resources and Data Cheat Sheet

Managing Multiple AWS Accounts - Organizations, Trusted Advisor and more Cheat Sheet

Amazon CloudWatch - Logs, Events, Alarms and Dashboards Cheat Sheet

AWS CloudTrail vs Config vs CloudWatch Cheat Sheet

EBS SSD Storages - A Difference

NAT Gateway vs Instance - A Comparison

AWS Security Groups and Network Access Control List - A Comparison Cheat Sheet

Free Videos - Get Started with AWS Certification

Amazing AWS Certification Courses

Get our amazing courses pursued by thousands of learners