KMS and Cloud HSM - Encryption - AWS Certification Cheat Sheet

Let’s get a quick overview of KMS and Cloud HSM from an AWS certification perspective. We will look at important certification questions regarding KMS and Cloud HSM.

You will learn

  • What is KMS?
  • What is Cloud HSM?
  • Why do we need KMS and Cloud HSM?
  • How is KMS different from Cloud HSM?
  • How do you manage keys with KMS and Cloud HSM?

KMS and Cloud HSM

  • How do you generate, store, use and replace your keys?
  • AWS provides two important services - KMS and Cloud HSM
    • Manage your keys
    • Perform encryption and decryption

AWS KMS

  • Create and manage cryptographic keys (symmetric and asymmetric)
  • Control their use in your applications and AWS Services
  • Define key usage permissions (including cross account access)
  • Track key usage in AWS CloudTrail (regulations & compliance)
  • Integrates with almost all AWS services that need data encryption
  • Automatically rotate master keys once a year
    • No need to re-encrypt previously encrypted data (all versions of the master key are retained, so older data still decrypts)
  • Schedule key deletion (the waiting period lets you verify that the key is no longer in use before it is gone for good)
    • Mandatory minimum wait period of 7 days (maximum 30 days)

Server Side Encryption with KMS

  • Create a Customer Master Key (CMK) and associate it with the AWS service (for example, S3)
  • Steps
    • Data is sent to S3
    • S3 requests a data key from KMS
    • S3 encrypts the data with the data key
    • S3 stores the encrypted data together with the encrypted data key
  • Remember
    • The CMK never leaves KMS
    • The data key is encrypted by KMS using the CMK
    • The data is encrypted by the AWS service (Amazon S3) using the data key

Envelope Encryption

  • The process KMS uses for encryption is called Envelope Encryption
    • Data is encrypted using data key
    • Data key is encrypted using Master key
    • Master key never leaves KMS
  • KMS itself encrypts only small pieces of data (usually data keys) of less than 4 KB

Decryption of data using KMS

  • AWS service (Amazon S3) sends encrypted data key to KMS
  • KMS uses Customer Master Key (CMK) to decrypt and return plain-text data key
  • AWS service (Amazon S3) uses the plain-text data key to perform decryption
  • (TIP) Remove the plain-text data key from memory as soon as possible
  • (TIP) AWS service needs IAM permissions to use the CMK
  • Remember:
    • (Optional) You can associate a key/value map called an encryption context with any cryptographic operation
    • (TIP) If the encryption context supplied at decryption differs from the one used at encryption, decryption will NOT succeed
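The envelope encryption flow and the encryption-context check described above, as an added example that is not from the original cheat sheet and is not AWS code: `FakeKMS` is a stand-in for KMS (the CMK stays inside the object and is never returned), and HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for AES-GCM because the Python standard library has no AEAD cipher; the 32-byte data key, the nonce and tag sizes, and all function and context names are assumptions.

```python
import hashlib
import hmac
import secrets

def _keystream(key, nonce, length):
    # CTR-style keystream using HMAC-SHA256 as the PRF (a stdlib stand-in for AES-GCM)
    blocks = (hmac.new(key, b"\x00" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _tag(key, nonce, ct, aad):
    # Encrypt-then-MAC tag over aad, nonce and ciphertext (aad is length-prefixed)
    return hmac.new(key, b"\x01" + len(aad).to_bytes(4, "big") + aad + nonce + ct, hashlib.sha256).digest()

def seal(key, plaintext, aad=b""):
    """Returns nonce || ciphertext || tag; aad is authenticated but not encrypted."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce, ct, aad)

def unseal(key, blob, aad=b""):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct, aad)):
        raise ValueError("authentication failed: wrong key or encryption context")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class FakeKMS:
    """Stand-in for AWS KMS: the CMK is private to this object and is never handed out."""
    def __init__(self):
        self._cmk = secrets.token_bytes(32)
    @staticmethod
    def _aad(ctx):
        # Encryption context, sorted so key order is irrelevant; binding it as aad is what
        # makes decryption fail when a different context is supplied
        return "".join(f"{k}={v}\0" for k, v in sorted(ctx.items())).encode()
    def generate_data_key(self, ctx):  # mirrors KMS GenerateDataKey
        plain = secrets.token_bytes(32)
        return plain, seal(self._cmk, plain, self._aad(ctx))
    def decrypt(self, wrapped, ctx):  # mirrors KMS Decrypt
        return unseal(self._cmk, wrapped, self._aad(ctx))

def envelope_encrypt(kms, data, ctx):
    # Service side (what S3 does): encrypt locally and keep only the wrapped data key
    plain, wrapped = kms.generate_data_key(ctx)
    ct = seal(plain, data)
    del plain  # drop the plaintext data key reference as soon as it has been used
    return wrapped, ct

def envelope_decrypt(kms, wrapped, ct, ctx):
    plain = kms.decrypt(wrapped, ctx)  # raises ValueError when ctx differs
    return unseal(plain, ct)
```

Only the wrapped data key and the ciphertext are stored; a caller that supplies a different encryption context, or a tampered ciphertext, gets a `ValueError` rather than plaintext.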

AWS CloudHSM

  • Managed (highly available and auto-scaling) dedicated single-tenant Hardware Security Module (HSM) for regulatory compliance
    • (Remember) AWS KMS is a multi-tenant service
  • FIPS 140-2 Level 3 compliant
  • AWS CANNOT access your encryption master keys in CloudHSM
    • In KMS, AWS can access your master keys
    • Be extremely careful with your keys when using CloudHSM, since you alone are responsible for them
    • (Recommendation) Use two or more HSMs in separate AZs in a production cluster

CloudHSM - Custom Key Store and Use Cases

  • AWS KMS can use a CloudHSM cluster as a “custom key store” for its keys:
    • AWS services continue to talk to KMS for data encryption
    • (AND) KMS handles the integration with the CloudHSM cluster
  • (Best Practice) Use CloudWatch for monitoring and CloudTrail to track key usage
  • Use cases
    • (Web servers) Offload SSL processing
    • Certificate Authority
    • Digital Rights Management
    • Transparent Data Encryption (TDE) for Oracle databases
