Detect, troubleshoot & optimize AWS environments in real-time ->

Amazon Web Service (AWS)


AWS Key Management Service (KMS) is a managed service used to create and manage cryptographic keys for data protection and for encryption or singing of digital data.
The cost of using Key Management Service (KMS) depends on the number of API requests made and the amount of data stored and encrypted using KMS keys. KMS charges a monthly fee for each KMS key, as well as a per-request fee for API operations.
Direct Cost



Indirect Cost
No items found.
Terraform Name
  • description - (Optional) The description of the key as viewed in AWS console.
  • key_usage - (Optional) Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults to ENCRYPT_DECRYPT.
  • custom_key_store_id - (Optional) ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
  • customer_master_key_spec - (Optional) Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
  • policy - (Optional) A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws_iam_policy_document, in the form that designates a principal, can be used. For more information about building policy documents with Terraform, see the AWS IAM Policy Document Guide.


Note: All KMS keys must have a key policy. If a key policy is not specified, AWS gives the KMS key a default key policy that gives all principals in the owning account unlimited access to all KMS operations for the key. This default key policy effectively delegates all access control to IAM policies and KMS grants.

  • bypass_policy_lockout_safety_check - (Optional) A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
  • deletion_window_in_days - (Optional) The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30. If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
  • is_enabled - (Optional) Specifies whether the key is enabled. Defaults to true.
  • enable_key_rotation - (Optional) Specifies whether key rotation is enabled. Defaults to false.
  • multi_region - (Optional) Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
  • tags - (Optional) A map of tags to assign to the object. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Associating resources with a
Resources do not "belong" to a
Rather, one or more Security Groups are associated to a resource.
via Terraform:
The following HCL creates a KMS key

resource "aws_kms_key" "a" {
 description             = "KMS key 1"
 deletion_window_in_days = 10

via CLI:

[--policy <value>]
[--description <value>]
[--key-usage <value>]
[--customer-master-key-spec <value>]
[--key-spec <value>]
[--origin <value>]
[--custom-key-store-id <value>]
[--bypass-policy-lockout-safety-check | --no-bypass-policy-lockout-safety-check]
[--tags <value>]
[--multi-region | --no-multi-region]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]


ws kms create-key \
   --tags TagKey=Purpose,TagValue=Test \
   --description "Test key"

Best Practices for

Categorized by Availability, Security & Compliance and Cost

Ensure there is no disabled KMS key
No items found.
Resource with over permissive KMS permissions
No items found.
Explore all the rules our platform covers
Related blog posts
All Resources