Connect to AWS KMS through a VPC endpoint
You can connect directly to AWS KMS through a private interface endpoint in your virtual private cloud (VPC). When you use an interface VPC endpoint, communication between your VPC and AWS KMS is conducted entirely within the AWS network.
AWS KMS supports Amazon Virtual Private Cloud (Amazon VPC) endpoints powered by AWS PrivateLink. Each VPC endpoint is represented by one or more Elastic Network Interfaces (ENIs) with private IP addresses in your VPC subnets.
The interface VPC endpoint connects your VPC directly to AWS KMS without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. The instances in your VPC do not need public IP addresses to communicate with AWS KMS.
Regions
AWS KMS supports VPC endpoints and VPC endpoint policies in all AWS Regions in which AWS KMS is supported.
Considerations for AWS KMS VPC endpoints
Before you set up an interface VPC endpoint for AWS KMS, review the Interface endpoint properties and limitations topic in the AWS PrivateLink Guide.
AWS KMS support for a VPC endpoint includes the following.
- You can use your VPC endpoint to call all AWS KMS API operations from your VPC.
- You can create an interface VPC endpoint that connects to an AWS KMS region endpoint or an AWS KMS FIPS endpoint.
- You can use AWS CloudTrail logs to audit your use of KMS keys through the VPC endpoint. For details, see Logging AWS KMS requests that use a VPC endpoint.
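As an added example, not taken from the AWS documentation, the following Python builds a least-privilege VPC endpoint policy for the AWS KMS interface endpoint described above (only the listed key ARNs, only the listed KMS operations, only principals from your own account) and flags the wide-open full-access policy that a new endpoint carries by default. The `com.amazonaws.<region>.kms` / `kms-fips` service-name format, the account ID and the key ARN are assumed placeholder values.

```python
import json

# Constructed: the full-access policy a new interface endpoint gets by default.
DEFAULT_ENDPOINT_POLICY = {
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]
}


def kms_service_name(region: str, fips: bool = False) -> str:
    """Service name for create-vpc-endpoint (assumed naming: kms or kms-fips)."""
    return f"com.amazonaws.{region}.kms{'-fips' if fips else ''}"


def kms_endpoint_policy(account_id: str, key_arns: list, actions: list) -> dict:
    """Least-privilege endpoint policy: callers from this account only,
    restricted to the given KMS operations on the given keys."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RestrictKmsViaEndpoint",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": sorted(actions),
            "Resource": sorted(key_arns),
            "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}},
        }],
    }


def _has_wildcard(value) -> bool:
    values = value if isinstance(value, list) else [value]
    return any(v in ("*", "kms:*") for v in values)


def policy_findings(policy: dict) -> list:
    """Return a description of every Allow statement that leaves the endpoint open."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if _has_wildcard(st.get("Action", [])):
            findings.append(f"statement {i}: allows all KMS actions")
        if _has_wildcard(st.get("Resource", [])):
            findings.append(f"statement {i}: allows all key resources")
        if st.get("Principal") in ("*", {"AWS": "*"}) and "Condition" not in st:
            findings.append(f"statement {i}: any principal without a condition")
    return findings


if __name__ == "__main__":
    key = "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID"  # constructed
    policy = kms_endpoint_policy("123456789012", [key], ["kms:Decrypt", "kms:Encrypt"])
    print(kms_service_name("us-east-1", fips=True))
    print(json.dumps(policy, indent=2), policy_findings(DEFAULT_ENDPOINT_POLICY))
```

The printed JSON is what you would pass as `--policy-document` when creating the endpoint; `policy_findings` is the review check to run against any endpoint policy already deployed.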