
KMS security best practices

Follow these practices when deploying KMS for production workloads.

Use envelope encryption

Wrap data encryption keys (DEKs) with KMS; do not send large payloads through encrypt and decrypt in production. Generate DEKs locally, encrypt bulk data with the DEK, and store only the wrapped DEK alongside ciphertext.

This reduces API cost, improves performance, and limits exposure of high-volume data through the KMS API.

Restrict key material export

Disable exportAllowed unless regulatory or migration requirements demand it. Treat export as a break-glass operation:

  • Monitor all kms.export audit events
  • Limit export permission to a small administrator group
  • Store exported material in HSM-backed storage immediately

Public key export is lower risk and does not require exportAllowed.

Handle BYOK securely

Wrap key material off-platform using CLI tools or your HSM. Never paste raw key bytes into a browser or transmit unwrapped material to the API.

Set allowRotation: true at import only if you plan to rotate imported keys.

Rotate on a schedule

Enable automatic rotation aligned with your security policy. Existing ciphertext does not need re-encryption—the version embedded in ciphertext handles decryption after rotation.

Balance rotation frequency against billing: each rotation adds a billable key version.
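The envelope pattern from "Use envelope encryption" and the rotation behaviour described just above, shown together as an added Go example that is not part of this documentation or of any KMS client library. The remote KMS encrypt/decrypt calls are replaced by an in-process kmsStub, constructed for this example, whose numbered KEK versions stand in for key versions; Envelope, Seal, Open, Wrap, Unwrap and Rotate are names chosen here, not API names. The payload is encrypted locally under a fresh DEK, only the DEK goes through the (stub) KMS, and an envelope sealed before a rotation still opens because the KEK version is recorded in the wrapped DEK rather than requiring re-encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets persisted; only WrappedDEK ever crosses the KMS API.
type Envelope struct {
	WrappedDEK []byte // KMS wrap output; byte 0 is the KEK version (see kmsStub)
	Blob       []byte // AES-GCM nonce || ciphertext of the payload under the DEK
}

// kmsStub is a constructed stand-in for the remote KMS encrypt/decrypt calls so the
// example runs offline (a real client calls the API by key ID and never sees a KEK).
// Wrap uses the newest KEK version; Unwrap uses the version recorded in the blob.
type kmsStub struct{ keks [][]byte } // index = KEK version

// Rotate adds a new KEK version; older versions stay available for unwrapping.
func (k *kmsStub) Rotate() {
	kek := make([]byte, 32)
	rand.Read(kek) // crypto/rand.Read never returns an error in current Go
	k.keks = append(k.keks, kek)
}

// Wrap mirrors a KMS encrypt call on a DEK: version || nonce || ciphertext.
func (k *kmsStub) Wrap(dek []byte) ([]byte, error) {
	v := len(k.keks) - 1
	if v < 0 {
		return nil, errors.New("no KEK version: call Rotate first")
	}
	return append([]byte{byte(v)}, gcmSeal(k.keks[v], dek, nil)...), nil
}

// Unwrap mirrors a KMS decrypt call, selecting the KEK version named in the blob.
func (k *kmsStub) Unwrap(wrapped []byte) ([]byte, error) {
	if len(wrapped) == 0 || int(wrapped[0]) >= len(k.keks) {
		return nil, errors.New("unknown KEK version")
	}
	return gcmOpen(k.keks[wrapped[0]], wrapped[1:], nil)
}

// Seal is the envelope step: generate a 256-bit DEK locally, encrypt the payload under
// it, and send only the DEK to KMS. The wrapped DEK is AAD for the payload, so the
// parts of two different envelopes cannot be recombined.
func Seal(kms *kmsStub, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	wrapped, err := kms.Wrap(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Blob: gcmSeal(dek, plaintext, wrapped)}, nil
}

// Open unwraps the DEK through KMS, then decrypts the payload locally.
func Open(kms *kmsStub, env *Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Blob, env.WrappedDEK)
}

// gcmSeal returns nonce || AES-256-GCM ciphertext; gcmOpen reverses it.
func gcmSeal(key, plaintext, aad []byte) []byte {
	aead := mustGCM(key)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}

func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	aead := mustGCM(key)
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// mustGCM builds the AEAD; keys here are always 32 bytes, so failure is a bug.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

func main() {
	kms := &kmsStub{}
	kms.Rotate()
	env, _ := Seal(kms, []byte("constructed sample payload"))
	kms.Rotate() // rotate after sealing: the old envelope still opens
	pt, err := Open(kms, env)
	fmt.Printf("KEK version %d, payload %q, err %v\n", env.WrappedDEK[0], pt, err)
}
```

Binding the wrapped DEK into the payload's AAD is the detail worth copying: it makes an envelope a single integrity-checked unit, so a stored ciphertext paired with the wrong wrapped DEK fails to decrypt instead of silently producing garbage.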

Choose the right region

Create keys in the region where data is processed. Keys do not move between regions. Cross-region crypto is not supported.

Verify regional availability with GET /v1/kms/summary before provisioning dependent services.

Disable before delete

Use disable for temporary suspension during incidents or maintenance. Use delete only for permanent removal, remembering the 30-day recovery window.

Before deleting a key, confirm no Secrets Manager secrets or DNSSEC zones still reference it.

Monitor audit logs

Review kms.* audit events regularly. Pay particular attention to:

  • Decrypt volume anomalies
  • Any export operation
  • Failed crypto from unexpected principals

Sensitive values (plaintext, ciphertext, signatures, HMACs, exported material) are never logged, so audit entries show who did what without exposing secrets.
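The three review points above turned into detection logic, as an added Go example that is not part of this documentation and not the platform's own tooling. The page does not give the audit event schema, so AuditEvent's field names, the action names other than kms.export, and the constructed JSON-lines input in SampleAuditLog are all assumptions; the sample deliberately contains no plaintext, ciphertext or key material, matching the note that such values are never logged.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// AuditEvent is an assumed JSON shape for one kms.* audit entry. The real schema is
// not given on the page, so every field name here is hypothetical; adapt to yours.
type AuditEvent struct {
	Time      time.Time `json:"time"`      // RFC 3339 timestamp
	Action    string    `json:"action"`    // kms.decrypt, kms.export, ...
	Principal string    `json:"principal"` // who called the API
	KeyID     string    `json:"keyId"`     // which key was used
	Success   bool      `json:"success"`   // whether the call was authorized and succeeded
}

type Finding struct {
	Rule      string // decrypt-volume, export, failed-crypto-unknown-principal
	Principal string
	Detail    string
}

// SampleAuditLog is a constructed JSON-lines excerpt used as input for the example.
var SampleAuditLog = []string{
	`{"time":"2024-05-01T10:01:00Z","action":"kms.decrypt","principal":"svc-api","keyId":"key-app","success":true}`,
	`{"time":"2024-05-01T10:06:00Z","action":"kms.decrypt","principal":"svc-api","keyId":"key-app","success":false}`,
	`{"time":"2024-05-01T10:10:00Z","action":"kms.decrypt","principal":"svc-batch","keyId":"key-app","success":true}`,
	`{"time":"2024-05-01T10:11:00Z","action":"kms.decrypt","principal":"svc-batch","keyId":"key-app","success":true}`,
	`{"time":"2024-05-01T10:12:00Z","action":"kms.decrypt","principal":"svc-batch","keyId":"key-app","success":true}`,
	`{"time":"2024-05-01T10:13:00Z","action":"kms.decrypt","principal":"svc-batch","keyId":"key-app","success":true}`,
	`{"time":"2024-05-01T10:30:00Z","action":"kms.export","principal":"admin-alice","keyId":"key-legacy","success":true}`,
	`{"time":"2024-05-01T10:31:00Z","action":"kms.decrypt","principal":"ext-unknown","keyId":"key-app","success":false}`,
}

// Analyze runs the three checks the page lists over JSON-lines audit events:
// successful decrypts per principal per hour above maxDecryptsPerHour, any export,
// and failed crypto operations from a principal outside the expected set.
func Analyze(lines []string, maxDecryptsPerHour int, expected map[string]bool) ([]Finding, error) {
	type bucket struct {
		principal string
		hour      int64
	}
	decrypts := map[bucket]int{}
	var findings []Finding
	for n, line := range lines {
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		switch {
		case ev.Action == "kms.export":
			findings = append(findings, Finding{"export", ev.Principal, "exported " + ev.KeyID})
		case ev.Action == "kms.decrypt" && ev.Success:
			decrypts[bucket{ev.Principal, ev.Time.Unix() / 3600}]++
		case isCrypto(ev.Action) && !ev.Success && !expected[ev.Principal]:
			findings = append(findings, Finding{"failed-crypto-unknown-principal", ev.Principal, ev.Action + " failed on " + ev.KeyID})
		}
	}
	for b, c := range decrypts {
		if c > maxDecryptsPerHour {
			findings = append(findings, Finding{"decrypt-volume", b.principal,
				fmt.Sprintf("%d decrypts in one hour, baseline %d", c, maxDecryptsPerHour)})
		}
	}
	// Deterministic order so output is diffable from run to run.
	sort.Slice(findings, func(i, j int) bool {
		if findings[i].Rule != findings[j].Rule {
			return findings[i].Rule < findings[j].Rule
		}
		return findings[i].Principal < findings[j].Principal
	})
	return findings, nil
}

// isCrypto lists the actions treated as crypto operations (assumed names).
func isCrypto(action string) bool {
	switch action {
	case "kms.encrypt", "kms.decrypt", "kms.sign", "kms.verify", "kms.hmac":
		return true
	}
	return false
}

func main() {
	expected := map[string]bool{"svc-api": true, "svc-batch": true, "admin-alice": true}
	findings, err := Analyze(SampleAuditLog, 3, expected)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-32s %-12s %s\n", f.Rule, f.Principal, f.Detail)
	}
}
```

The baseline is a plain per-hour count here; in practice derive it per principal and key from historical volume, and keep the export rule unconditional, since the page treats export as a break-glass operation that should always be reviewed.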

Separate keys by purpose

Create dedicated keys per use case and environment:

  • Production vs staging encryption
  • Secrets Manager vs application envelope encryption
  • DNSSEC signing vs application attestation
