CloudGuild · Blog · Cheat sheets · Lessons · Certifications
AWS KMS & Encryption
Centralized, audited encryption keys. The backbone of encryption at rest across AWS.
What it is
Managed creation, rotation, and access control of encryption keys, with every use logged in CloudTrail.
When I reach for it
- Encryption at rest that must be auditable and access-controlled (SSE-KMS on S3, EBS, RDS, etc.).
- Envelope encryption for application data.
Key architectural decisions
- Customer managed keys when you need custom key policies, rotation control, and audit; AWS managed keys for simplicity.
- Separate keys by data classification / tenant for blast-radius control.
- Encryption in transit is a separate concern — enforce TLS with policies.
Gotchas & exam traps
- "Auditable, rotatable keys with usage logged" => SSE-KMS with a customer managed key (not SSE-S3).
- KMS request throttling can appear under heavy workloads — design for it.
- Secrets that must rotate automatically => Secrets Manager, not KMS alone.
The architect view
Default to encrypting everything. KMS makes "encrypted, audited, and access-controlled" the easy path, so there is rarely a reason not to.