100 Days of DevOps — Day 22-Introduction to Key Management System(KMS)

Prashant Lakhera
5 min readMar 4, 2019

Welcome to Day 22 of 100 Days of DevOps, Let continue our journey with terraform and today we are going to create KMS keys using terraform.

What is KMS?

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.



  • KMS stores Customer Master Keys(CMK) which is a logical representation of a key.
  • Key can be generated by KMS or imported.
  • The encrypted data keys are stored with the data
  • CMK never leaves KMS and never leaves a region
  • CMK can encrypt or decrypt data up to 4KB in size.

How KMS Encrypt Data

Reference: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping

  • We start with the plain text and then uses data keys along with an algorithm and come up with encrypted data.
  • Encrypted data is finally stored in a storage that can be anything(eg:EBS, EFS, S3…)
  • KMS then took data key, Encrypt it with a master key along with an encryption algorithm, resulted in it an encrypted data key, that stored alongside with data.

KMS in action

# To access KMSGo to AWS Console --> Security, Identity, & Compliance --> Key Management Service --> Create a key

NOTE: YAY!!!, Now Key Management Service got its a new home but you can still access it via old way i.e

AWS Console --> IAM --> Encryption keys


* Alias: Enter an alias and descrption for the key(eg: Alias: mydemotestkey, similarly Descrption)
* Key material origin: Choose KMS(External: You can bring your own Key(BUOY),CloudHSM(More about it later)


* Adding Tag is Optional but its a good practice


  • Choose the users and roles who can administer this key.
  • This is critical as an administrator have right to delete these keys and after that, your data will become unusable

Step4: Define key usage permissions,select the IAM users and roles that can use the CMK to encrypt and decrypt data with the AWS KMS API

Step5: Review and edit key policy

Key Deletion

  • You can’t delete key immediately, rather then you need to schedule it
  • The waiting period is from 7–30 days, this is to make sure you understand that deleting a key makes all data encrypted under that key unrecoverable

Key Rotation

  • AWS managed CMKs. You cannot manage key rotation for AWS managed CMKs. AWS KMS automatically rotates AWS managed keys every three years (1095 days).
  • When you enable automatic key rotation, AWS KMS rotates the CMK 365 days after the enable date and every 365 days thereafter.

KMS Limits

NOTE: When a request is throttled, AWS KMS returns a ThrottlingExceptionerror

Terraform Code: Most of the code is self-explanatory(using aws_kms_key we are creating kms key and using aws_kms_alias we are just providing user-friendly name to the key, as what I did above on the AWS Console, the same thing I am doing it here using terraform resources)

The new addition to this is Policy and let take a look

  • As this is the resource-based policy, the only Principal/Account who has access to this key is the account with whom this key has been created and in this case root
"Principal": {
"AWS": "arn:aws:iam::123456789:root"
"Action": "kms:*",
"Resource": "*"
  • The root user has full access right to perform any KMS operation(“kms:**”)
  • As you can see above these actions are quite wide open and we generally don’t provide these wide open permission open to our users rather then provide specific sets of actions(usage permission)
"Action": [

NOTE: Key usage permission and Key Admin permission are not the same.

  • Some other arguments which I didn’t cover but you can use in your terraform code
* deletion_window_in_days: Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days.* enable_key_rotation: Specifies whether key_rotation is enabled. Defaults to false.

GitHub Link

Looking forward from you guys to join this journey and spend a minimum an hour every day for the next 100 days on DevOps work and post your progress using any of the below medium.




Prashant Lakhera

AWS Community Builder, Ex-Redhat, Author, Blogger, YouTuber, RHCA, RHCDS, RHCE, Docker Certified,4XAWS, CCNA, MCP, Certified Jenkins, Terraform Certified, 1XGCP