Accessing AWS Key Management Service - AWS Key Management Service

Accessing AWS Key Management Service

You can work with AWS KMS in the following ways:

AWS Management Console

The console is a web-based user interface for managing AWS KMS and AWS resources. If you've signed up for an AWS account, you can access the AWS KMS console by signing into the AWS Management Console and choosing AWS KMS from the AWS Management Console home page.

Permissions required to use the AWS KMS console

To work with the AWS KMS console, users must have a minimum set of permissions that allow them to work with the AWS KMS resources in their AWS account. In addition to these AWS KMS permissions, users must also have permissions to list IAM users and IAM roles. If you create an IAM policy that is more restrictive than the minimum required permissions, the AWS KMS console won't function as intended for users with that IAM policy.

For the minimum permissions required to allow a user read-only access to the AWS KMS console, see Allow a user to view KMS keys in the AWS KMS console.

To allow users to work with the AWS KMS console to create and manage KMS keys, attach the AWSKeyManagementServicePowerUser managed policy to the user, as described in AWS managed policy for power users.

You don't need to allow minimum console permissions for users that are working with the AWS KMS API through the AWS SDKs, AWS Command Line Interface, or AWS Tools for PowerShell. However, you do need to grant these users permission to use the API. For more information, see Permissions reference.
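The paragraphs above warn that a policy tighter than the console minimum silently breaks the console. The following added example (not code from the AWS documentation) checks an IAM identity policy against that minimum: it expands `*` and `?` wildcards in Action/NotAction, applies the IAM rule that an explicit Deny overrides an Allow, and reports which required actions are missing. The `CONSOLE_READ_ONLY_ACTIONS` list is an assumption based on the read-only console policy the documentation links to; confirm it against the current AWS docs before relying on it. The sample policies are constructed for illustration. Resource and Condition elements are deliberately ignored.

```python
"""Check an IAM identity policy against the actions the AWS KMS console needs.

Added example, not code from the AWS documentation.  The required-action list
is an assumption based on the read-only console policy the documentation
links to; verify it against the current AWS docs before relying on it."""
import fnmatch
import json

# Assumed minimum for read-only use of the KMS console: the KMS list/describe
# calls plus the IAM list calls the console uses to render key policies.
CONSOLE_READ_ONLY_ACTIONS = (
    "kms:ListKeys",
    "kms:ListAliases",
    "kms:DescribeKey",
    "kms:ListKeyPolicies",
    "kms:GetKeyPolicy",
    "kms:GetKeyRotationStatus",
    "kms:ListResourceTags",
    "iam:ListUsers",
    "iam:ListRoles",
)


def _as_list(value):
    """IAM allows either a string or a list in Statement/Action/NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_console_actions(policy, required=CONSOLE_READ_ONLY_ACTIONS):
    """Return the required actions that `policy` does not effectively allow.

    Evaluates Effect, Action and NotAction only.  Resource and Condition are
    ignored, which is acceptable here because the console actions are
    account-wide list/describe calls normally granted on "*".  An explicit
    Deny overrides an Allow, as in IAM.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    allowed, denied = set(), set()
    for stmt in _as_list(doc.get("Statement")):
        if "Action" in stmt:
            hits = {a for a in required if _matches(_as_list(stmt["Action"]), a)}
        elif "NotAction" in stmt:
            hits = {a for a in required
                    if not _matches(_as_list(stmt["NotAction"]), a)}
        else:
            hits = set()
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    effective = allowed - denied
    return [a for a in required if a not in effective]


# Constructed sample policies (not from the documentation).
# Looks read-only but omits the IAM list calls, so the console cannot render
# key policies for a user with this policy attached.
TOO_RESTRICTIVE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kms:List*", "kms:Describe*", "kms:Get*"],
         "Resource": "*"}
    ],
})

# The same policy with the IAM list calls added.
CONSOLE_READY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kms:List*", "kms:Describe*", "kms:Get*"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:ListUsers", "iam:ListRoles"],
         "Resource": "*"}
    ],
})

# A Deny wins even though a broad Allow covers the same action.
DENY_OVERRIDES = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:*", "iam:List*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "kms:GetKeyPolicy", "Resource": "*"}
    ],
})

if __name__ == "__main__":
    for name, doc in [("too restrictive", TOO_RESTRICTIVE),
                      ("console ready", CONSOLE_READY),
                      ("deny overrides", DENY_OVERRIDES)]:
        print(f"{name}: missing {missing_console_actions(doc) or 'nothing'}")
```

Run it against the policy you intend to attach before handing it to console users; a non-empty result means the console will partially fail for them. For API-only identities the check does not apply, since they only need the specific operations they call.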

AWS Command Line Interface

You can use the AWS CLI tools to issue commands or build scripts at your system's command line to perform AWS (including AWS KMS) tasks.

For more information about using AWS KMS through the AWS CLI, see the AWS CLI Command Reference.

AWS KMS REST API

AWS KMS is designed to be programming language-neutral. You can access AWS KMS programmatically by using the AWS KMS REST API, which is an HTTP interface to the service. With the REST API, you send standard HTTP requests, signed with AWS Signature Version 4, to create and manage KMS keys, control access to them, and perform cryptographic operations such as encrypting, decrypting, and generating data keys.

For more information on using the AWS KMS REST API, see the AWS Key Management Service API Reference.

AWS SDKs

AWS provides SDKs (software development kits) that consist of libraries and sample code for common programming languages and platforms (Java, JavaScript, C++, Python, and so on). The AWS SDKs are the usual way to access AWS KMS and other AWS services from application code. AWS KMS is a REST service: the SDK libraries wrap the underlying AWS KMS REST API, handling request signing, serialization, and retries so that you call operations as ordinary functions. For information about the AWS SDKs, including how to download and install them, see Tools to Build on AWS.

The Code examples for AWS KMS using AWS SDKs provides a good starting point for using AWS KMS through the AWS SDKs.

AWS Encryption SDK

The AWS Encryption SDK is a library for implementing client-side encryption in your application. It does not expose the full AWS KMS API; instead it performs envelope encryption and can use a KMS key as the wrapping key for the data keys it generates, or it can be used as a stand-alone SDK with keyrings that do not reference KMS keys at all. Libraries are available for Java, JavaScript, C, Python, and other programming languages.

For more information, see the AWS Encryption SDK Developer Guide.

AWS KMS eventual consistency

The AWS KMS API follows an eventual consistency model due to the distributed nature of the system. As a result, changes to AWS KMS resources might not be immediately visible to the subsequent commands you run.

When you perform AWS KMS API calls, there might be a brief delay before the change is available throughout AWS KMS. It typically takes less than a few seconds for the change to propagate throughout the system, but in some cases it can take several minutes. You might get unexpected errors, such as a NotFoundException or an InvalidStateException, during this time. For example, AWS KMS might return a NotFoundException if you call GetParametersForImport immediately after calling CreateKey.

We recommend that you configure a retry strategy on your AWS KMS clients to automatically retry operations after a brief waiting period. For more information, see Retry behavior in the AWS SDKs and Tools Reference Guide.

For grant related API calls, you can use a grant token to avoid any potential delay and use the permissions in a grant immediately. For more information, see Eventual consistency (for grants).
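The three paragraphs above describe two things a caller has to handle: transient NotFoundException or InvalidStateException responses right after a mutating call, which should be retried with backoff, and grant tokens, which let a new grant's permissions be used before the grant itself has propagated. The following added example (not AWS sample code) shows both with a constructed `FakeKms` stand-in so that it runs offline. The stand-in's method names and the `GrantTokens` parameter mirror the boto3 client (`describe_key`, `create_grant`, `encrypt`); its propagation counter and fake ciphertext are assumptions for illustration. With a real client you would pass its bound methods, for example `kms.describe_key`, to `call_with_retry` in the same way.

```python
"""Retry around AWS KMS eventual consistency, with grant tokens.

Added example, not AWS sample code.  It uses a constructed FakeKms stand-in so
it runs offline; with boto3 you would pass the real client's bound methods
(for example kms.describe_key) to call_with_retry in the same way."""
import random
import time


class KmsClientError(Exception):
    """Stand-in for botocore's ClientError; .code carries the AWS error code."""

    def __init__(self, code, message=""):
        super().__init__(f"{code}: {message}")
        self.code = code


# Error codes the documentation names as possible during propagation.
RETRYABLE_CODES = {"NotFoundException", "InvalidStateException",
                   "KMSInvalidStateException"}


def call_with_retry(fn, *args, max_attempts=8, base_delay=0.2, max_delay=5.0,
                    sleep=time.sleep, **kwargs):
    """Call fn, retrying consistency errors with capped exponential backoff and
    full jitter.  Anything else (AccessDeniedException, validation errors)
    propagates at once: retrying those only hides a real configuration bug."""
    for attempt in range(1, max_attempts + 1):
        try:
            return fn(*args, **kwargs)
        except KmsClientError as err:
            if err.code not in RETRYABLE_CODES or attempt == max_attempts:
                raise
            delay = min(max_delay, base_delay * 2 ** (attempt - 1))
            sleep(random.uniform(0, delay))


class FakeKms:
    """Constructed stand-in for a KMS client.  A new key or grant becomes
    visible only after `propagation_calls` further API calls, mimicking the
    propagation delay the documentation describes.  Encrypt is authorized
    only through a grant, so it shows the grant-token shortcut."""

    def __init__(self, propagation_calls=3):
        self.propagation_calls = propagation_calls
        self._keys = {}    # key id -> calls remaining until visible
        self._grants = {}  # grant token -> calls remaining until visible
        self.calls = 0

    def _tick(self):
        self.calls += 1
        for table in (self._keys, self._grants):
            for name in table:
                table[name] = max(0, table[name] - 1)

    def create_key(self):
        self._tick()
        key_id = f"key-{len(self._keys) + 1}"
        self._keys[key_id] = self.propagation_calls
        return {"KeyMetadata": {"KeyId": key_id}}

    def describe_key(self, KeyId):
        self._tick()
        if self._keys.get(KeyId, 1) > 0:
            raise KmsClientError("NotFoundException", f"{KeyId} not visible yet")
        return {"KeyMetadata": {"KeyId": KeyId, "KeyState": "Enabled"}}

    def create_grant(self, KeyId, Operations):
        self._tick()
        token = f"grant-token-{len(self._grants) + 1}"
        self._grants[token] = self.propagation_calls
        return {"GrantToken": token, "GrantId": f"grant-id-{len(self._grants)}"}

    def encrypt(self, KeyId, Plaintext, GrantTokens=()):
        self._tick()
        if not any(tok in GrantTokens or left == 0
                   for tok, left in self._grants.items()):
            raise KmsClientError("AccessDeniedException", "grant not visible yet")
        # Not real encryption: the fake only needs a recognisable result shape.
        return {"KeyId": KeyId, "CiphertextBlob": b"fake:" + bytes(Plaintext)}


def demo(sleep=lambda _seconds: None):
    """Walk through the documented cases and return what happened."""
    kms = FakeKms(propagation_calls=3)
    key_id = kms.create_key()["KeyMetadata"]["KeyId"]
    try:                       # immediate DescribeKey: key not propagated yet
        kms.describe_key(KeyId=key_id)
        first_attempt = "ok"
    except KmsClientError as err:
        first_attempt = err.code
    meta = call_with_retry(kms.describe_key, KeyId=key_id, sleep=sleep)
    grant = kms.create_grant(KeyId=key_id, Operations=["Encrypt"])
    try:                       # without the token the grant is not usable yet
        call_with_retry(kms.encrypt, KeyId=key_id, Plaintext=b"s", sleep=sleep)
        without_token = "ok"
    except KmsClientError as err:
        without_token = err.code
    with_token = kms.encrypt(KeyId=key_id, Plaintext=b"s",
                             GrantTokens=[grant["GrantToken"]])
    return {"first_attempt": first_attempt,
            "key_state": meta["KeyMetadata"]["KeyState"],
            "without_token": without_token,
            "with_token": with_token["KeyId"],
            "calls": kms.calls}


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice. First, the retry set is deliberately narrow: an AccessDeniedException is not retried, because blindly retrying authorization failures hides misconfigured key policies and, against a real endpoint, generates CloudTrail noise. Second, the grant-token path is the one the documentation recommends for grants: pass the token returned by CreateGrant in the `GrantTokens` parameter of the first calls that depend on it rather than sleeping until the grant is visible. The AWS SDKs' built-in retry modes are aimed at throttling and transient transport errors; check whether your SDK's configuration covers the KMS consistency errors above before dropping a wrapper like this one.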