What is our primary use case?
AWS Key Management Service's major use case is to encrypt data, specifically encrypting data at rest. We have two options: either we can go with AWS-managed keys or we can use customer-managed keys, depending on the compliance requirements of the organization. I have a student who is in a bank, and they have a compliance requirement that they should have their own key and that it should not be visible to AWS. We can create a master key, which generates a data key in two forms: one encrypted and one unencrypted. The unencrypted key is stored in RAM temporarily and used to encrypt the data in the EBS volume or wherever it lies, after which it's deleted. To decrypt, we use the encrypted data key, which goes back to AWS Key Management Service to be decrypted, and then we decrypt our data with it. The AWS Key Management Service key itself remains in the protective vault of AWS, and all we are doing is generating the data key to encrypt and decrypt our data. Thus, encryption and decryption at rest is the basic functionality provided by AWS Key Management Service.
I see benefits from these integrations because that's the beauty of microservices. When using RDS, we just create the key first, and when creating RDS, if we want encryption in storage, we select AWS Key Management Service. When using S3, instead of AWS-managed keys, we can choose to go with our customer-managed key and select that AWS Key Management Service from there. In fact, we can integrate AWS Key Management Service with any storage in any place in AWS.
I am working with this feature in my organization. We mostly use symmetric encryption, while asymmetric is primarily used in cases of SSL. I know that AWS provides both symmetric and asymmetric options in AWS Key Management Service. However, the asymmetric option is mostly relevant for web applications that need to encrypt data in transit. In this case, we have a public key and a private key, where the private key is used to decrypt the data, and the public key is used to encrypt it, making it another use case in our organization.
What is most valuable?
I see audit logging through AWS CloudTrail as giving us all our event history and all the API calls made to AWS. We can search using filters, but it's a bit messy. To improve this, we can create a trail for specific services and store the logs in an S3 bucket. From there, we can export it to CloudWatch or anywhere we want for analysis.
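A small triage script over constructed CloudTrail records, added here as an example and not part of the review: it keeps only the KMS events (the "filter by service" step), counts routine data-key calls per key, and flags denied calls and key-lifecycle changes. The key ARN, principals, and records are constructed placeholders, not data from any real account.

```python
import json
from collections import Counter

KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID"  # placeholder key ARN

def _rec(name, who, key=None, error=None, source="kms.amazonaws.com"):
    # Builds one constructed CloudTrail record using the real CloudTrail field names.
    rec = {"eventTime": "2024-01-01T00:00:00Z", "eventSource": source,
           "eventName": name, "userIdentity": {"arn": who}, "awsRegion": "us-east-1"}
    if key:
        rec["requestParameters"] = {"keyId": key}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample trail (not real log data), in the {"Records": [...]} shape CloudTrail writes to S3.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("GenerateDataKey", "arn:aws:sts::111111111111:assumed-role/ebs-role/i-0abc", KEY_ARN),
    _rec("Decrypt", "arn:aws:sts::111111111111:assumed-role/ebs-role/i-0abc", KEY_ARN),
    _rec("Decrypt", "arn:aws:sts::111111111111:assumed-role/ebs-role/i-0abc", KEY_ARN),
    _rec("Decrypt", "arn:aws:iam::111111111111:user/alice", KEY_ARN, error="AccessDenied"),
    _rec("ScheduleKeyDeletion", "arn:aws:iam::111111111111:user/bob", KEY_ARN),
    _rec("RunInstances", "arn:aws:iam::111111111111:user/bob", source="ec2.amazonaws.com"),
]})

# Key-management calls that change who can use a key or whether it exists at all.
HIGH_RISK = {"ScheduleKeyDeletion", "DisableKey", "DisableKeyRotation",
             "PutKeyPolicy", "DeleteAlias", "DeleteImportedKeyMaterial"}

def kms_events(trail_json):
    """Return only the records emitted by KMS, mirroring the 'filter by service' step."""
    records = json.loads(trail_json)["Records"]
    return [r for r in records if r.get("eventSource") == "kms.amazonaws.com"]

def triage(trail_json):
    """Count routine data-key use per key and collect events worth alerting on."""
    usage, alerts = Counter(), []
    for r in kms_events(trail_json):
        name = r["eventName"]
        who = r.get("userIdentity", {}).get("arn", "unknown")
        key = (r.get("requestParameters") or {}).get("keyId", "unknown")
        if r.get("errorCode"):          # denied attempt: possible misuse or misconfiguration
            alerts.append(f"{name} by {who} on {key} failed: {r['errorCode']}")
        elif name in HIGH_RISK:         # key lifecycle or policy change
            alerts.append(f"{name} by {who} on {key}")
        else:
            usage[(key, name)] += 1
    return usage, alerts

if __name__ == "__main__":
    counts, findings = triage(SAMPLE_TRAIL)
    for (key, name), n in counts.items():
        print(f"{name:16} {n:3}  {key}")
    for line in findings:
        print("ALERT:", line)
```

The same function works on a trail file downloaded from the S3 bucket once its contents are read into a string.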
AWS Key Management Service is used to encrypt data at rest, and we have gone through AWS Key Management Service in detail.
I leverage the bring your own key feature from AWS Key Management Service. Customers can upload their keys through either the CLI or the portal.
The automatic key rotation feature significantly helps with compliance. Admins just have to specify how often they require rotation, with a minimum of seven days, up to whatever frequency they need; 365 days is the standard, or they can opt for more frequent rotation. Automatic rotation is one of the very cool features.
What needs improvement?
The architecture of AWS Key Management Service is very beautiful and good, so there isn't much to change.
The area related to the issue I faced was about multi-region keys; it was during exam preparation for AWS. We got deep into it, but since it was a while ago, I can't recall the exact details.
For how long have I used the solution?
I have been working with AWS Key Management Service for around two years.
What do I think about the stability of the solution?
I would rate the stability as a 10. I don't think it's a heavy service, and there shouldn't be any kind of instability. AWS possesses high availability in every service, so I would also rate it a 10.
What do I think about the scalability of the solution?
I rate the scalability of AWS Key Management Service as 10 out of 10.
How are customer service and support?
There is no paid technical support; only some free support is available along with chat options. However, technical support is generally not available for small and medium enterprises that can't afford it.
How would you rate customer service and support?
What other advice do I have?
The only problem that I once faced was connected with multi-region keys. I would rate this review as 10 out of 10.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)