AWS KMS explained, what it is and how to use it safely

Why AWS KMS explained matters

KMS is the control plane for encrypted data in AWS. Misconfigured key policies (overly broad principals, wildcard `kms:*`, cross-account `kms:Decrypt` granted in error) turn an encryption story into an exfiltration story, the attacker doesn't need to break crypto, they just ask KMS to decrypt for them.

Common mistakes with AWS KMS explained

• Granting `kms:Decrypt` to a wildcard principal or to roles that don't strictly need it.
• Not enabling automatic rotation on long-lived CMKs.
• Storing the CMK alias in code but the key policy in another team's account, with no documented owner.
• Treating KMS as a substitute for IAM, KMS hardens encryption; it does not replace least privilege.

How attackers exploit AWS KMS explained

Public S3 bucket → object encrypted with SSE-KMS → attacker assumes a role that holds `kms:Decrypt` on the bucket's CMK → KMS issues the data key → attacker decrypts the bucket's contents. The bucket policy looked locked down; the key policy was not.

Related articles

• Cloud Security Became A Coordination Problem
• What Is Cloud Security?
• Secrets Management Best Practices
• Most Security Programs Optimize for Auditability, Not Reality

Related concepts

• Cloud shared responsibility model explained, who secures what
• What is zero trust?, the security model that replaces the perimeter
• What is least privilege?, the cloud security principle
• AWS S3 security explained, public access, encryption, attack chains

Recommended learning paths

• Cloud Security Fundamentals
• AWS Security Best Practices
• Enterprise Cloud Security Architecture

Hands-on labs

• Hands-On: Multi-Cloud Security