AWS KMS Encryption: Solutions Architect Study Guide

Q: What is the difference between customer-managed and AWS-managed KMS keys?

Customer-managed CMKs give you full control over the encryption key. You control key rotation policy, key policy modifications, and the ability to disable or schedule deletion. You pay per API call for customer-managed keys. AWS-managed keys are created and managed by AWS automatically for specific service integrations like S3 or RDS. They rotate automatically every 90 days, but you cannot manage the key policy or disable them directly. AWS provides AWS-managed keys at no additional cost. For the Solutions Architect exam, use customer-managed keys when you need explicit control, compliance audit trails, or cross-account access. Use AWS-managed keys for convenience when service integration is sufficient for your requirements.

Q: How does envelope encryption work in AWS KMS?

Envelope encryption is a two-tier encryption approach. A customer master key (CMK) encrypts a data key, which then encrypts your actual data. When you request encryption, KMS generates or retrieves a data key encrypted under your CMK. This encrypted data key is stored alongside your encrypted data. To decrypt, you send both the encrypted data key and encrypted data to KMS. KMS decrypts the data key using your CMK, then your application decrypts the data using the plaintext data key. This approach is more efficient than directly encrypting all data with the CMK because KMS doesn't process every encryption operation for large volumes. Envelope encryption also improves performance through data key caching, where data keys can be reused within a cache period. Understanding this mechanism is essential for comprehending how KMS encrypts large datasets efficiently.

Q: What are key policies and why are they important for cross-account encryption?

Key policies are resource-based policies that define who can perform which actions on a KMS key. Every CMK has a key policy (a JSON document similar to IAM policies). Key policies determine permissions for encryption, decryption, key management, and policy modifications. For cross-account scenarios, key policies are essential. They allow you to grant permissions to IAM roles or principals in other AWS accounts. To enable cross-account encryption, grant the external account's IAM role permission to use the CMK through the key policy. Then ensure that role has appropriate IAM permissions in its own account. Unlike IAM policies alone, key policies cannot be bypassed. They provide a critical access control layer. Understanding how to craft secure key policies following the principle of least privilege while supporting necessary use cases is vital for Solutions Architect certification.

Q: How should I choose between KMS encryption and application-level encryption?

This decision depends on your specific requirements. KMS encryption leverages AWS infrastructure, integrates seamlessly with AWS services, provides audit trails through CloudTrail, and allows centralized key management. However, it introduces API call overhead and costs per encryption operation. Application-level encryption gives you complete control over encryption logic and keys. But you must manage cryptographic libraries, handle encryption failures, and store keys securely. For most AWS Solutions Architect scenarios, KMS is preferred. AWS services are optimized for it, it meets compliance requirements, and operational burden is minimal. Use application-level encryption when you need encryption before data leaves your application, for data passing through multiple systems outside AWS, or when you require specific cryptographic algorithms KMS doesn't support. The exam expects you to understand these tradeoffs and select appropriate approaches.

By FluentFlash Research Team·Updated 2026-04-30

AWS Key Management Service (KMS) is essential for the AWS Solutions Architect certification exam. You need to understand encryption strategies, cryptographic key management, key rotation, and how KMS integrates across AWS services.

This guide covers core concepts tested on the exam: envelope encryption, customer-managed versus AWS-managed keys, key policies for cross-account access, and encryption at rest across services. Flashcards work exceptionally well for KMS because they help you rapidly recall terminology, compare key concepts, and master decision trees for choosing the right encryption solution.

Key Takeaways

•Envelope encryption uses CMKs to encrypt data keys, which encrypt actual data, enabling efficient encryption of large datasets while maintaining key security
•Customer-managed CMKs provide full control and compliance audit trails but cost per API call; AWS-managed keys offer convenience at no cost with limited control
•Key policies are resource-based policies essential for access control and cross-account encryption, requiring careful design balancing security with operational needs
•Automatic key rotation on customer-managed CMKs (365 days) and AWS-managed keys (90 days) is transparent and preserves all historical key material for decrypting existing data
•KMS integrates with S3, EBS, RDS, and DynamoDB for encryption at rest; understand tradeoffs between KMS encryption and service-level encryption options
•Key rotation, deletion periods, CloudTrail audit trails, and regional limitations are critical for compliance and disaster recovery architecture design

Core KMS Concepts and Architecture

AWS Key Management Service (KMS) is a managed service that creates and controls customer master keys (CMKs) used to encrypt your data. KMS integrates with most AWS services and forms the foundation of encryption across your infrastructure. The service uses hardware security modules (HSMs) to protect cryptographic keys.

How KMS Keys Work

You work with two types of keys in KMS: customer master keys (CMKs) and data keys. CMKs encrypt data keys, which then encrypt your actual data. This approach, called envelope encryption, keeps your CMK from directly encrypting large datasets. Your CMK never needs to process massive encryption operations.

Regional Architecture and Automatic Rotation

KMS operates on a regional basis. Keys are stored and managed within specific AWS regions. The service automatically rotates customer-managed CMKs annually without requiring manual data reencryption. KMS maintains a complete audit trail through CloudTrail for all key usage, which is critical for compliance.

Key Types and Use Cases

You can create customer-managed CMKs or use AWS-managed keys that AWS creates automatically. Customer-managed keys give you full control over rotation policies, key policies, and costs per API call. AWS-managed keys require no management but offer less control. Understanding when to use each type and their cost implications is crucial for the exam.

Access Control with Key Policies and Grants

KMS supports key policies (resource-based policies) and grants (temporary permissions) for granular access control. Key policies determine who can perform encryption, decryption, and key management operations. The ability to design secure encryption architectures, understand KMS limitations, and select appropriate strategies is tested extensively.

Key Policies, Grants, and Access Control

Key policies are resource-based JSON documents that define who can perform which actions on a KMS key. Every CMK has a key policy. These policies determine permissions for operations like encrypt, decrypt, generate data key, and key management actions.

Key Policies vs IAM Policies

Unlike IAM policies alone, key policies can explicitly deny access and grant permissions across AWS accounts. This makes them essential for multi-account encryption strategies. Key policies also determine whether the account owner can modify the policy itself. A key policy always includes the account root principal with appropriate permissions.

Using Grants for Temporary Access

Grants provide flexible alternatives to key policies for temporary or programmatic access. Grants allow you to grant permissions to AWS principals for specific operations on a CMK with optional constraints. Grants are ideal for short-term access patterns. Key policies suit more permanent foundational access needs.

Cross-Account Encryption Design

A common exam scenario involves granting an IAM role in one AWS account permission to use a CMK in another account. You must modify the CMK's key policy to grant the external account access. Then ensure that role has appropriate IAM permissions in its own account. Both layers are required.

Access Control Best Practices

Follow the principle of least privilege when crafting key policies. Understanding when to use each mechanism, how they interact with IAM policies, and how to troubleshoot access denied errors is critical for certification preparation.

Encryption at Rest and in Transit Integration

KMS integrates seamlessly with major AWS services for encryption at rest. You can specify which CMK encrypts each object or resource. This provides customer control over encryption keys and generates audit trails.

Services Supporting KMS Encryption

Amazon S3 uses KMS-managed keys (SSE-KMS) to encrypt objects
EBS volumes encrypt transparently using KMS with excellent performance
RDS databases support KMS encryption for storage, backups, and read replicas
DynamoDB, ElastiCache, and other services also integrate with KMS

Comparing KMS and AWS-Managed Encryption

KMS encryption provides customer control, better compliance capabilities through audit trails, and the ability to implement custom key rotation policies. However, it introduces slight latency compared to AWS-managed encryption and costs per API call. AWS-managed encryption requires no key management but offers less control.

Encryption in Transit Considerations

KMS relates indirectly to encryption in transit. Many AWS services support TLS encryption by default for data in transit. KMS can manage keys used for TLS certificates and VPN connections. Understanding when to require encrypted connections and how to enforce encryption policies through service control policies (SCPs) matters for comprehensive security design.

Making Encryption Decisions

Architecture decisions depend on data sensitivity, compliance requirements, performance needs, and audit requirements. You must decide whether to encrypt specific data types, which CMKs to use, and how to manage key access across services.

Key Rotation, Backup, and Disaster Recovery

Key rotation is a critical security practice that minimizes the impact of potential key compromise. When you enable automatic rotation on a CMK, AWS rotates the key every 365 days automatically.

How Automatic Rotation Works

During rotation, the new key material becomes active for encrypting new data. Previous key material is retained indefinitely to decrypt existing data. The rotation process is completely transparent. You do not need to manually reencrypt data to complete rotation. AWS-managed keys rotate automatically every 90 days.

Manual Rotation and Key Aliases

Manual rotation is possible by creating a new key and updating applications to reference the alias to the new key. This approach requires more operational effort but gives you explicit control over timing. Understanding the implications of rotation for your systems is important.

Key Deletion and Recovery Windows

For disaster recovery, KMS keys don't require explicit backup because AWS secures the key material. If you need to recover from accidental deletion, enable a waiting period before deletion completes. The default is 7 days, with options from 7 to 30 days. During this period, the key is in pending deletion state and cannot encrypt or decrypt data.

Compliance and Monitoring

Automatic key rotation is essential in compliance frameworks like HIPAA, PCI-DSS, and SOC 2. Monitor key rotation status through CloudTrail logs. Design systems that tolerate brief key rotation events without impacting availability. Understanding key lifecycle and deletion implications for dependent systems is critical.

Common Exam Scenarios and Design Decisions

Solutions Architect exam questions test your ability to select appropriate KMS configurations for specific scenarios. You must quickly identify which encryption approach meets compliance requirements while minimizing cost and complexity.

Compliance and Encryption Selection

A typical scenario presents a compliance requirement like HIPAA and asks which encryption approach satisfies it while optimizing cost. Identify when customer-managed KMS encryption is necessary versus when simple AWS-managed encryption suffices. Understand the associated costs and complexity tradeoffs.

Multi-Account Architecture Challenges

Multi-account architectures frequently appear in exam questions. You must design CMK policies that allow cross-account encryption while maintaining security. Balance access requirements with the principle of least privilege.

KMS Versus Other Encryption Options

Choose between KMS, S3 bucket encryption, and application-level encryption. KMS provides strong key management but introduces API call overhead. Application-level encryption provides control but requires managing keys outside AWS. Understand these tradeoffs deeply.

Performance and Throttling Considerations

Performance questions test your understanding of KMS throttling limits and envelope encryption impact. High-throughput scenarios might require data key caching to minimize KMS API calls. Design efficient encryption architectures that meet both security and performance needs.

Disaster Recovery and Regional Limitations

Disaster recovery scenarios test whether encrypted data remains accessible after key rotation. Understand how cross-region replication of KMS-encrypted data works and recognize that KMS is a regional service. Know the implications for recovery architectures.

Complex Policy and Context-Specific Questions

Key policy questions require interpreting complex JSON and identifying permission gaps. The exam tests encryption in specific contexts: S3 objects with customer-provided keys versus KMS keys, RDS encryption implications for backups, and secure parameter storage using Systems Manager Parameter Store or Secrets Manager with KMS. Success requires understanding decision-making frameworks and tradeoffs.

Start Studying AWS KMS Encryption

Master KMS concepts, key policies, encryption patterns, and design decisions with interactive flashcards tailored for AWS Solutions Architect certification. Study efficiently with spaced repetition and targeted questions covering real exam scenarios.

Create Free Flashcards

Frequently Asked Questions

What is the difference between customer-managed and AWS-managed KMS keys?

Customer-managed CMKs give you full control over the encryption key. You control key rotation policy, key policy modifications, and the ability to disable or schedule deletion. You pay per API call for customer-managed keys.

AWS-managed keys are created and managed by AWS automatically for specific service integrations like S3 or RDS. They rotate automatically every 90 days, but you cannot manage the key policy or disable them directly. AWS provides AWS-managed keys at no additional cost.

For the Solutions Architect exam, use customer-managed keys when you need explicit control, compliance audit trails, or cross-account access. Use AWS-managed keys for convenience when service integration is sufficient for your requirements.

How does envelope encryption work in AWS KMS?

Envelope encryption is a two-tier encryption approach. A customer master key (CMK) encrypts a data key, which then encrypts your actual data.

When you request encryption, KMS generates or retrieves a data key encrypted under your CMK. This encrypted data key is stored alongside your encrypted data. To decrypt, you send both the encrypted data key and encrypted data to KMS. KMS decrypts the data key using your CMK, then your application decrypts the data using the plaintext data key.

This approach is more efficient than directly encrypting all data with the CMK because KMS doesn't process every encryption operation for large volumes. Envelope encryption also improves performance through data key caching, where data keys can be reused within a cache period. Understanding this mechanism is essential for comprehending how KMS encrypts large datasets efficiently.

What are key policies and why are they important for cross-account encryption?

Key policies are resource-based policies that define who can perform which actions on a KMS key. Every CMK has a key policy (a JSON document similar to IAM policies). Key policies determine permissions for encryption, decryption, key management, and policy modifications.

For cross-account scenarios, key policies are essential. They allow you to grant permissions to IAM roles or principals in other AWS accounts. To enable cross-account encryption, grant the external account's IAM role permission to use the CMK through the key policy. Then ensure that role has appropriate IAM permissions in its own account.

Unlike IAM policies alone, key policies cannot be bypassed. They provide a critical access control layer. Understanding how to craft secure key policies following the principle of least privilege while supporting necessary use cases is vital for Solutions Architect certification.

How should I choose between KMS encryption and application-level encryption?

This decision depends on your specific requirements. KMS encryption leverages AWS infrastructure, integrates seamlessly with AWS services, provides audit trails through CloudTrail, and allows centralized key management. However, it introduces API call overhead and costs per encryption operation.

Application-level encryption gives you complete control over encryption logic and keys. But you must manage cryptographic libraries, handle encryption failures, and store keys securely.

For most AWS Solutions Architect scenarios, KMS is preferred. AWS services are optimized for it, it meets compliance requirements, and operational burden is minimal. Use application-level encryption when you need encryption before data leaves your application, for data passing through multiple systems outside AWS, or when you require specific cryptographic algorithms KMS doesn't support. The exam expects you to understand these tradeoffs and select appropriate approaches.

What happens to encrypted data when a KMS key is rotated?

When automatic key rotation occurs on a CMK, new data encrypted after rotation uses the new key material. Existing encrypted data remains intact because KMS retains all previous key material. The rotation process is completely transparent.

You don't need to manually reencrypt data. To decrypt existing data, KMS automatically uses the correct key material based on metadata stored with the encrypted data. This means key rotation provides security benefits against key compromise without requiring data migration.

Key rotation does not reduce storage overhead for old key material, which AWS retains indefinitely. Understanding that rotation is transparent and doesn't impact access to existing data is important for designing systems where rotation must occur without downtime. The exam may test whether you understand that all historical key material is preserved and why this is necessary for decrypting historical data.