AWS KMS

Managed encryption keys for data at rest everywhere.

📖 Official AWS documentation ↗📰 Official AWS blog ↗

What is it?

A managed key service that creates and controls cryptographic keys, integrates with 100+ AWS services for at-rest encryption, and logs every key use to CloudTrail.

💡 Why does it exist?

Training data, model artifacts, and transcripts are business secrets. Customer-managed keys give you control (rotation, revocation, per-key access policy) and auditors the evidence they require.

⏱️ When should you use it?

Encrypt S3 training buckets, SageMaker volumes and artifacts, Bedrock customisation outputs, and transcripts; choose customer-managed keys when compliance demands key-level control.

🗺️ Where does it fit?

Woven into the storage layer: services request data keys from KMS at read/write time; key policies decide which roles may decrypt what.

🔌 How do you integrate it?

Create a customer-managed key, reference its ARN in service encryption settings (e.g. SSE-KMS on S3, SageMaker KmsKeyId), enable rotation, and monitor usage via CloudTrail.

🧩 Commonly integrated with

Amazon S3Amazon SageMaker AIAmazon BedrockAWS CloudTrail

🎯 Exam angle (AIF-C01)

📚 Study it in a learning path

SCS-C03Security Engineering on AWSFlashcards, notes & quizzes covering this service →CLF-C02AWS Cloud PractitionerFlashcards, notes & quizzes covering this service →AIF-C01AWS AI PractitionerFlashcards, notes & quizzes covering this service →

More in Security & Governance

AWS IAMAmazon MacieAWS CloudTrailAmazon CloudWatch