AWS KMS Keys

Some notes about keys in AWS KMSKey Management System:

Key names may include dash "-". Other special characters are forbidden.
Data encrypted by an AES key can be decrypted only by the same key.
Automatic key rotation does not apply to asymmetric KMSKey Management System keys or imported keys.
Only AES-256 keys can be imported.

AWS Key Types

The following table summarizes supported KMSKey Management System key types and BYOKBring Your Own Key/non-BYOKBring Your Own Key key creation options.

Key type	Size/Curve	non-BYOK	BYOK
RSA	2048, 3072, 4096	√
ECCElliptic-curve cryptography - an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields	P256, P384, P521, SECP256K1	√
AES	128, 256	√	√

References:

AWS Key Crypto Operations and Algorithms

The following table summarizes UID-based crypto operations supported by AWS KMSKey Management System.

Key type	Decrypt/Encrypt	Sign/Verify
RSA	√	√
ECCElliptic-curve cryptography - an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields		√
AES	√

References:

AWS KMS operations with symmetric and asymmetric CMKs

The following list summarizes KMSKey Management System algorithms that can be used via CORE. Algorithms not supported by CORE are [shaded].

RSA (RSA algorithms) for Keys 2K, 3K, 4K

Decrypt: OAEPOptimal Asymmetric Encryption Padding - A padding scheme often used together with RSA encryption of symmetric keys. with SHA1; OAEPOptimal Asymmetric Encryption Padding - A padding scheme often used together with RSA encryption of symmetric keys. with SHA256

Sign: PSSprobabilistic signature scheme. Abbreviation of RSASSA-PSS with SHA256, SHA384, and SHA512; PKCSPublic-Key Cryptography Standards - Industry-standard cryptography specifications.-V1_5 SHA256, SHA384, and SHA512
ECCElliptic-curve cryptography - an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields (EC algorithms) for P256, P384, P521,

Sign: ECDSAElliptic Curve Digital Signature Algorithm - A variant of the Digital Signature Algorithm (DSA) which uses elliptic curve cryptography. with sha256, sha384, sha512

AWS Key Metadata

See Key Metadata.

To obtain also the multi-region information, use Describe Key.

AWS Key Management Operations

The following table compares CORE and KMSKey Management System key management options and references KMSKey Management System documentation for further details.

Operation	CORE	AWS	Comment	Reference
Generate	√	√		CreateKey
Import	√	√	AWS allows importing only AES-256 keys.	Import Importing considerations
Key policy			CORE provides a fine-grain policy down to the level of specifying permitted and restricted operations and algorithmic parameters (size, hash, padding, mode). The policy is defined for each partition, and it applies to all keys in the partition. AWS key policy is per key. It explicitly allows or denies permissions according to the statements in the key policy document.	Set Key Policy Key Policies
Delete	√	√	CORE provides three flavors of delete: Revoke, Discard and Delete (Erase). All actions are non-reversible. AWS provides a 7 - 30 days grace period. In this period: Status of the key changes to 'pending deletion'. The key cannot be used. After the grace period, the key is completely erased from AWS.	The grace period
Cancel Deletion		√	When key deletion canceling succeeds, the key is left Disabled. Reenable it.	Cancel key deletion
Activate / Revoke	√		Key activation may be scheduled The only cause of revoke is the expiration of the validity.
Enable	√	√
Disable	√	√		Disable Key
Rekey / Rotate	√	≈	Key rotation is fixed - once per year. Other restrictions apply	AWS Key Rotation.
Get Info	√	√	AWS key metadata includes: ARN, AccountId, origin key: spec, manager, state, usage time parameters: created, updated, not before, not after enabled, encryption algorithm, if the usage is encrypt-decrypt recovery parameters: soft-delete retention days, privileges required to recover a key. multi-region settings	Key Metadata
Get Public	√	√	You may use a public key without explicitly exporting it in Encrypt and Verify commands.	Get Public
Get Private	√		Exporting from KMSKey Management System is not supported.

Note: the ≈ sign indicates the availability of alternatives