HomeIdentity Security Encyclopedia › KMS Key

KMS Key

Key Management Service

A KMS (Key Management Service) key is a cryptographic key managed by a cloud key management service — used for encrypting, decrypting, and controlling access to data, typically in AWS, Azure, or GCP.

Cloud Encryption NHI AWS

❓ What is KMS Key?

A KMS (Key Management Service) key is a cryptographic key managed by a cloud key management service — used for encrypting, decrypting, and controlling access to data, typically in AWS, Azure, or GCP.

⚙️ How Does It Work?

KMS keys are created and stored in hardware security modules (HSMs). IAM policies control who and what can use each key. Keys never leave the HSM unencrypted — applications request encryption/decryption operations from the KMS rather than handling keys directly.

📍 Where Is It Used?

AWS KMS, Azure Key Vault, Google Cloud KMS — any cloud workload handling sensitive data requiring encryption with access control.

💡 Real-World Example

An AWS Lambda function needs to decrypt sensitive customer data in S3. Instead of managing an encryption key itself, it uses an AWS KMS key. The IAM role attached to the Lambda has a policy permitting only kms:Decrypt on that specific key — enforcing least privilege for cryptographic operations.

🔗 Related Terms

Cloud Identity Secrets Management AWS IAM Least Privilege Vault
← KerberosLifecycle Management →

Stay Ahead in Identity Security

Get weekly IAM, PAM & IGA insights delivered to your inbox via Identity Pulse.

Subscribe to Identity Pulse →
Scroll to top