L11. AWS KMS: Key Policies, Envelope Encryption & Key Rotation
Video generating
Check back soon for the video lesson on AWS KMS: Key Policies, Envelope Encryption & Key Rotation
Why a KMS key policy is the non-negotiable root of authorization, how envelope encryption keeps bulk data off the KMS wire, and when CloudHSM beats KMS for compliance requirements.
The Key Policy Is the Root of Authorization
Most AWS resources are governed by IAM policies alone: attach a policy to a user or role, and that identity has the permission. KMS keys work differently. Every customer managed key (CMK) has a resource-based key policy attached directly to it, and that key policy is the root of authorization. An IAM policy granting kms:Decrypt on a key is never sufficient by itself; the key policy must also grant access, either directly or by delegating that decision to IAM via the standard "Enable IAM User Permissions" statement. If the key policy does not cooperate, the IAM policy is worthless for that key.
KMS grants are a second, more surgical access mechanism: temporary, programmatic, revocable delegated access to a specific key, typically used by an AWS service acting on a customer's behalf (for example, letting an EBS volume use a CMK to encrypt its blocks). Grants can be created and retired without editing the key policy itself, and are well suited to short-lived, service-to-service access.
Envelope Encryption: Keep Bulk Data Off the Wire
KMS does not encrypt large files directly, and the exam expects you to know why. The pattern is envelope encryption:
- The application calls
GenerateDataKeyagainst a CMK. - KMS returns a plaintext data key, and that same data key encrypted under the CMK.
- The application encrypts the actual data locally with the plaintext key, then discards that plaintext copy.
- The application stores the encrypted data key alongside the ciphertext.
Only the small data key ever crosses the wire to KMS, never the bulk data itself. This keeps encryption fast and avoids KMS API payload limits. To decrypt later, the application sends the encrypted data key back to KMS, gets the plaintext key back, and decrypts the ciphertext locally.
Key Rotation Rules
| Key type | Automatic annual rotation |
|---|---|
| AWS-managed keys (aws/s3, aws/ebs, etc.) | Always on, cannot be disabled |
| Customer-managed keys (standard) | Optional, can be enabled |
| Customer-managed keys with imported key material | Not supported, must rotate manually |
Multi-Region Keys and CloudHSM
Multi-Region keys replicate a CMK across regions as related keys sharing the same key material and key ID. Data encrypted in one region can be decrypted in another using the replica key, with no decrypt-and-re-encrypt round trip during failover, which matters for disaster recovery designs with cross-region replication. AWS CloudHSM provides single-tenant, dedicated hardware validated to FIPS 140-2 Level 3. Standard KMS runs on shared, multi-tenant HSM infrastructure at Level 2. When a scenario mandates full control over key material or a hard Level 3 requirement, CloudHSM is the answer, not KMS. A KMS custom key store backed by CloudHSM offers a middle path: the familiar KMS API surface while key material physically lives in dedicated Level 3 hardware. Exam tip: If an IAM policy "should" grant access to a KMS key but doesn't seem to work, check whether the key policy is the missing piece. Whenever "bulk data" and "KMS" appear together, think envelope encryption andGenerateDataKey, not a direct Encrypt call on the whole payload.- ✓A KMS key policy is the root of authorization for that key: an IAM policy alone is never sufficient, the key policy must also grant access
- ✓Envelope encryption uses GenerateDataKey to get a plaintext data key and its CMK-encrypted copy; only the small data key ever needs to be encrypted by KMS, not the bulk data
- ✓Automatic annual rotation can be enabled for customer-managed KMS keys; keys with imported key material must be rotated manually instead
- ✓Multi-Region KMS keys share key material across regions, avoiding decrypt-and-re-encrypt cycles for data replicated between regions
- ✓AWS CloudHSM provides single-tenant, FIPS 140-2 Level 3 validated hardware, used when full control over key material or Level 3 compliance is a hard requirement beyond what standard KMS provides
1. A user has an IAM policy granting kms:Decrypt on all resources, but the target KMS key's key policy does not reference that user or their account. Can the user decrypt data with that key?
2. Why does envelope encryption call GenerateDataKey instead of sending the entire file to KMS to encrypt directly?
3. A company must use single-tenant hardware security modules validated to FIPS 140-2 Level 3 with full control over key material, exceeding what standard AWS KMS provides. Which service should they use?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.