KMS & Secrets Manager
KMS (Key Management Service) manages cryptographic keys for encrypting data at rest and in transit. Secrets Manager stores and automatically rotates sensitive values like database passwords, API keys, and OAuth tokens.
KMS is a bank's key-making machine — you don't carry the master key (CMK), you just get copies (DEKs) for each safe (encrypted resource). Secrets Manager is a butler who memorizes all your passwords and changes them periodically without telling you the new ones.
KMS: Customer Managed Keys (CMK) — you control the key policy, rotation, and deletion. AWS Managed Keys — AWS rotates them automatically. Envelope encryption: data is encrypted with a Data Encryption Key (DEK); the DEK is encrypted with the CMK, and the encrypted DEK is stored alongside the data. Only the CMK lives in KMS and never leaves it; the plaintext DEK is used in memory and then discarded. KMS integrates with S3, RDS, EBS, Lambda, and Parameter Store. Secrets Manager: stores secrets with automatic rotation via Lambda, versioning, and cross-region replication. Parameter Store is free for standard parameters; SecureString parameters use KMS.
A KMS key policy is a resource-based policy that must explicitly grant the account root access; otherwise IAM policies in the account cannot delegate access to the key, and the key becomes unmanageable. Key rotation: annual automatic rotation adds new backing key material; data encrypted with old material can still be decrypted because KMS keeps every backing key version. KMS grants allow temporary permission to use a key without modifying the key policy — useful for cross-account scenarios. CloudHSM provides a dedicated hardware security module for compliance (FIPS 140-2 Level 3) when KMS (Level 2) isn't sufficient. Secrets Manager vs Parameter Store: Secrets Manager offers automatic rotation and costs $0.40/secret/month. Parameter Store SecureString is free but requires manual rotation management.
I use KMS for envelope encryption of data at rest — S3, EBS, RDS all support SSE-KMS. Customer Managed Keys give me key policy control, rotation, and deletion windows. Secrets Manager auto-rotates database credentials via a Lambda function, eliminating hardcoded passwords. For non-sensitive config, Parameter Store is free and sufficient; for credentials needing rotation, Secrets Manager is worth the cost.
Deleting a KMS key without first disabling it and waiting out the 7 to 30 day deletion window. Once the key is deleted, all data encrypted under it becomes permanently unrecoverable. Always schedule deletion with the waiting period and monitor for any Decrypt calls against the key while it is pending deletion: a call means something still depends on the key, and deletion should be cancelled.
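The two operational checks above (the key policy must grant the account root kms:* and a deletion window must stay within 7 to 30 days) are easy to lint before a change ships. The following is an added example, not code from the original notes or from AWS: it parses a key policy document of the kind `aws kms get-key-policy` returns and flags a policy that lacks the root statement or carries a wildcard principal. The account id and the three policy documents are constructed samples; the function names are assumptions for this example.

```python
"""Lint a KMS key policy document and a proposed deletion window (added example)."""
import json

ACCOUNT_ID = "111122223333"  # constructed placeholder, not a real account

# Constructed sample shaped like the default policy KMS attaches to a new
# customer managed key: the account root gets kms:*, so IAM can delegate.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})

# Constructed policy that grants one role data-plane use only. No statement
# lets the account administer the key, so IAM policies cannot touch it: the
# "unmanageable key" mistake.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppUseOnly",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/app-role"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
    }],
})

# Constructed policy with a wildcard principal: any AWS principal may decrypt.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Root", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowAnyone", "Effect": "Allow", "Principal": "*",
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Return the AWS principals of a statement; "*" covers Principal: "*"."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS")) if isinstance(principal, dict) else []


def root_has_full_access(policy_json: str, account_id: str) -> bool:
    """True if an unconditional Allow grants the account root kms:* (or *).

    This is the statement in the KMS default policy; without it, IAM
    policies in the account cannot grant any access to the key.
    """
    root_arn = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        actions = _as_list(stmt.get("Action"))
        if root_arn in _aws_principals(stmt) and ("kms:*" in actions or "*" in actions):
            return True
    return False


def wildcard_principal_sids(policy_json: str) -> list:
    """Sids of unconditional Allow statements whose principal is "*"."""
    found = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                and "*" in _aws_principals(stmt)):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def deletion_window_is_valid(days: int) -> bool:
    """KMS only accepts a pending-deletion window of 7 to 30 days."""
    return 7 <= days <= 30


if __name__ == "__main__":
    for name, policy in [("good", GOOD_POLICY), ("bad", BAD_POLICY), ("open", OPEN_POLICY)]:
        print(name, "root kms:*:", root_has_full_access(policy, ACCOUNT_ID),
              "wildcard principals:", wildcard_principal_sids(policy))
```

Run this against the policy you are about to apply with `put-key-policy`; a `False` from `root_has_full_access` is the condition that leaves a key that only AWS Support can recover, and any Sid returned by `wildcard_principal_sids` needs a Condition (or removal) before the policy goes live.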