Protecting AWS Accounts with AWS KMS: 2025 Edition

AWS Key Management Service (KMS) is a core part of securing your AWS environment. From encrypting data at rest to controlling access to sensitive resources, KMS plays a key role in managing cryptographic operations across services.

Since this blog was originally written, AWS has introduced new capabilities and best practices worth adopting. This post walks through how to protect your AWS workloads using KMS today, with an emphasis on automation, flexibility, and security at scale.

What AWS KMS Does

AWS KMS lets you create, manage, and use cryptographic keys across your AWS services. You can use KMS to encrypt data stored in S3, RDS, EBS, Lambda environment variables, CloudTrail logs, and more. You can also generate data keys for custom encryption workflows.

KMS supports both symmetric and asymmetric key types, along with key policies and grants for precise access control.

What’s New in 2024–2025

1. Custom Key Rotation Periods
   You can now define how often your KMS keys rotate, anywhere from 90 days to 7 years. You can also rotate a key manually at any time. This adds flexibility to meet compliance requirements without being locked into a one-year default cycle.
   
2. Improved Performance and Quotas
   AWS has increased the default throughput limits for KMS API calls. You can now perform more cryptographic operations per second, especially useful for high-volume workloads like S3 encryption or large-scale data pipelines.
   
3. ECDH Key Agreement Support
   KMS now supports Elliptic Curve Diffie-Hellman (ECDH) key agreement. You can derive shared secrets directly within KMS for use in secure communications or encrypted data exchange.
   
4. Centralized vs. Decentralized Key Management
   AWS prescriptive guidance recommends using centralized key management in most cases, especially when using multiple AWS accounts through AWS Organizations. Central management reduces the operational overhead and improves visibility while still supporting fine-grained access through key policies.
   
5. Encryption Context
   Use encryption context as an additional security layer when calling KMS APIs. This allows you to require specific metadata to match at decryption time, reducing the risk of key misuse.
   

Best Practices for Using KMS in 2025

• Use Customer Managed Keys (CMKs) for better control over key policies and rotation. Avoid relying solely on AWS-managed keys unless simplicity is more important than control.
  
• Enable automatic key rotation and define rotation periods based on compliance needs.
  
• Use IAM policies and KMS key policies together to define who can use, rotate, or schedule key deletion.
  
• Implement strict alias naming conventions for better tracking across environments.
  
• Set up CloudWatch alarms for KMS usage and integrate with AWS CloudTrail to audit key usage.
  
• Avoid scheduling key deletion unless intentional and double-check dependent services before doing so.
  
• Use grants for temporary or scoped access instead of bloating key policies with short-term permissions.
  

Summary

AWS KMS continues to evolve with better performance, more flexible key management, and new cryptographic features. Teams should take advantage of these improvements to align security practices with today’s scale and complexity. Whether you’re running a regulated workload or just want more control over encryption, KMS remains a critical building block of secure AWS architecture.