26 December 2020

AWS-KMS

  • KMS stands for Key Management Service. 
  • It is a managed service by AWS that makes it easy to create and control the encryption keys that are then used to encrypt data.
  • It provides centralized key management.
  • It provides integration with other AWS services.
  • It works with CloudTrail to provide logs of API calls made to or by KMS.
  • It is secure as AWS stores these keys using FIPS 140-2 validated hardware modules.
  • It is a low-cost and fully compliant service.
  • It allows us to centrally manage and securely store our encryption keys.
  • We can set usage policies on these keys that determine which users can use them to encrypt and decrypt data.
  • AWS KMS is a managed service that enables us to easily create and control the keys used for cryptographic operations.
  • Automatic key rotation is not supported for asymmetric CMKs.
  • Users cannot use the custom key store functionality with asymmetric keys nor can they import asymmetric keys into KMS.
  • It supports symmetric and asymmetric CMKs.
  • It provides symmetric data keys and asymmetric data key pairs that are designed to be used for client-side cryptography outside of KMS.
  • Its prices are unaffected by the use of a custom key store.
  • Its FIPS 140-2 validated HTTPS endpoints are powered by the OpenSSL FIPS Object Module.
  • The symmetric data keys can be exported using either the 'GenerateDataKey' API or the 'GenerateDataKeyWithoutPlaintext' API.
  • Users must use AWS KMS APIs directly or through the AWS SDK to integrate signing & encryption capabilities into their applications.
  • It is integrated with AWS CloudTrail to provide logs of all key usage to help regulatory & compliance needs.
