AWS Key Management Service (KMS)
AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
It uses Hardware Security Modules (HSMs) to protect the security of your keys.
It is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
You can share the AWS Key Management Service (AWS KMS) customer master key (CMK) that was used to encrypt a snapshot with any account that should be able to access that snapshot. To share an AWS KMS CMK with another AWS account, add that account as a principal in the CMK's key policy.
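As an added example (not from the original page), the Python helper below builds the kind of cross-account key policy described above, granting caller-supplied external account IDs use of the key while keeping the owner account's IAM permissions intact, and adds a check that flags any Allow statement with a wildcard principal before the policy is applied. Account IDs are constructed placeholders.

```python
# Actions AWS documents for letting another account use a shared CMK.
KEY_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]

def build_shared_key_policy(owner_account: str, shared_accounts: list) -> dict:
    """Key policy that keeps the key manageable by its owner account and lets
    the listed external accounts use it. Account IDs are caller-supplied."""
    if not shared_accounts:
        raise ValueError("at least one external account is required")
    principals = [f"arn:aws:iam::{a}:root" for a in shared_accounts]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Without this statement the key is unmanageable via IAM.
                "Sid": "EnableOwnerAccountIAMPermissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {   # Use of the key by the external accounts.
                "Sid": "AllowUseOfKeyByExternalAccounts",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": KEY_USE_ACTIONS,
                "Resource": "*",
            },
            {   # Grants only when created on behalf of an AWS service.
                "Sid": "AllowGrantsForAWSResources",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
                "Resource": "*",
                "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
            },
        ],
    }

def wildcard_principals(policy: dict) -> list:
    """Sids of Allow statements whose Principal is '*': such a statement
    lets any AWS account use the key, so catch it before applying."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        p = stmt.get("Principal")
        aws = p.get("AWS", []) if isinstance(p, dict) else (p or [])
        if "*" in ([aws] if isinstance(aws, str) else aws):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found
```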
AWS-managed and Customer-managed CMKs
An AWS-managed CMK can only be used to protect resources within the specific AWS service for which it was created, and it does not provide the granular control that a customer-managed CMK provides.
An AWS-managed CMK is rotated automatically once every three years and cannot be deleted. A customer-managed CMK can be rotated automatically once a year (if you opt in) or manually on demand, and it can be deleted.
AWS Secrets Manager
AWS Secrets Manager is an AWS service that encrypts and stores your secrets, and transparently decrypts and returns them to you in plaintext. It stores application secrets and supports periodic rotation of the secrets associated with commonly used databases. It helps you protect the secrets needed to access your applications, services, and IT resources.
It is integrated with AWS KMS, which it uses to encrypt your data.
AWS Hardware Security Module (HSM) (CloudHSM)
The AWS CloudHSM service allows you to protect your encryption keys within HSMs designed and validated to government standards for secure key management. You can securely generate, store, and manage the cryptographic keys used for data encryption such that they are accessible only by you.
You need to create multi-AZ clusters or scaling yourself to improve availability.
You need to run EC2 yourself so that CloudHSM can integrate with other services.