AWS Certified Developer Associate (DVA-C02) > Domain 2: Security > Encryption > 2.2.4 KMS Encryption Keys

2.2.4 KMS Encryption Keys

KMS — Key Management Service

Key Types

Type	Managed by	Rotation	Cross-account	Cost
AWS Owned	AWS	Automatic	N/A	Free
AWS Managed (`aws/s3`)	AWS	Every year (auto)	❌	Free
Customer Managed (CMK)	Customer	Configurable	✅	$1/month + API calls

Envelope Encryption (data > 4KB)

1. GenerateDataKey → plaintext data key + encrypted data key
2. Encrypt data locally với plaintext key
3. Lưu encrypted data key cùng encrypted data
4. Delete plaintext key from memory

Decrypt:
1. KMS Decrypt encrypted data key → plaintext data key
2. Decrypt data locally với plaintext data key

KMS API Calls

API	Mô tả	Data Size
`Encrypt`	Encrypt data trực tiếp bằng KMS key	≤ 4KB
`Decrypt`	Decrypt data	≤ 4KB
`GenerateDataKey`	Trả về plaintext + encrypted data key	For envelope encryption
`GenerateDataKeyWithoutPlaintext`	Chỉ encrypted data key	Deferred encryption
`ReEncrypt`	Decrypt + re-encrypt với key khác	Key rotation

KMS Quotas

5,500 → 30,000 requests/second (tùy region và key type)
Throttling → ThrottlingException
Solutions: Request quota increase, data key caching, SSE-S3

Data Key Caching

Without caching: Every encrypt → KMS API call
With caching: Cache data key → reuse for multiple encrypts

AWS Encryption SDK hỗ trợ data key caching
Giảm KMS API calls → giảm cost + avoid throttling

KMS API có quota limits. High-throughput encryption → dùng data key caching hoặc SSE-S3 thay vì SSE-KMS.

Exam Tip: Data > 4KB = Envelope Encryption (GenerateDataKey). AWS Managed keys không share cross-account → dùng CMK. KMS throttling → data key caching.