Key Management Service
A KMS (Key Management Service) key is a cryptographic key managed by a cloud key management service — used for encrypting, decrypting, and controlling access to data, typically in AWS, Azure, or GCP.
⚙️ How Does It Work?
KMS keys are created and stored in hardware security modules (HSMs). IAM policies control who and what can use each key. Keys never leave the HSM unencrypted — applications request encryption/decryption operations from the KMS rather than handling keys directly.
📍 Where Is It Used?
AWS KMS, Azure Key Vault, Google Cloud KMS — any cloud workload handling sensitive data requiring encryption with access control.
💡 Real-World Example
An AWS Lambda function needs to decrypt sensitive customer data in S3. Instead of managing an encryption key itself, it uses an AWS KMS key. The IAM role attached to the Lambda has a policy permitting only kms:Decrypt on that specific key — enforcing least privilege for cryptographic operations.
🔗 Related Terms
Stay Ahead in Identity Security
Get weekly IAM, PAM & IGA insights via Identity Pulse.
Subscribe to Identity Pulse →