Key Management Service (KMS) offers significant advantages over traditional key management infrastructure (KMI): integration with multiple services, ease of use, high reliability, and cost-effectiveness. KMS lets you focus on your applications instead of the complexity of cryptographic key management.
Integration with multiple services
Authentication and access control
KMS authenticates every request through identity authentication mechanisms such as AccessKey pairs. KMS is also integrated with Resource Access Management (RAM), which lets you configure both identity-based and resource-based policies to address a wide range of authorization scenarios. KMS accepts only requests that come from authorized users and pass the dynamic permission checks of RAM. For more information, see Access control.
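As an added illustration of the RAM authorization model described above (example code, not from this page or from Alibaba Cloud), the following Python builds a least-privilege identity-based policy for one KMS key and evaluates requests against it the way RAM decides: an explicit Deny overrides any Allow, and an unmatched request is implicitly denied. It also includes a small audit check for over-broad Allow statements. The account ID, key ID and the simplified evaluator are assumptions; RAM's real engine additionally honours conditions and resource-based policies that this sketch omits.

```python
import fnmatch
import json

# Constructed RAM identity-based policy for a KMS caller (illustrative, not a vendor sample).
# Account ID and key ID are placeholders; action names follow KMS API operation names.
LEAST_PRIVILEGE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "acs:kms:cn-hangzhou:EXAMPLE-ACCOUNT:key/EXAMPLE-KEY-ID"},
    {"Effect": "Deny",
     "Action": ["kms:ScheduleKeyDeletion", "kms:DisableKey"],
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """RAM accepts Action/Resource as a string or a list; normalize to a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    """Glob-style match for the '*' wildcard in action and resource names."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Simplified RAM decision order: explicit Deny beats Allow; no match is an implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny short-circuits everything else
            decision = "Allow"
    return decision


def find_broad_allows(policy):
    """Audit check: indices of Allow statements granting every KMS action on every resource."""
    return [i for i, stmt in enumerate(policy["Statement"])
            if stmt["Effect"] == "Allow"
            and any(p in ("*", "kms:*") for p in _as_list(stmt["Action"]))
            and "*" in _as_list(stmt["Resource"])]


if __name__ == "__main__":
    key = "acs:kms:cn-hangzhou:EXAMPLE-ACCOUNT:key/EXAMPLE-KEY-ID"
    print(evaluate(LEAST_PRIVILEGE_POLICY, "kms:Decrypt", key))              # Allow
    print(evaluate(LEAST_PRIVILEGE_POLICY, "kms:ScheduleKeyDeletion", key))  # Deny
    print(find_broad_allows(LEAST_PRIVILEGE_POLICY))                         # []
```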
Auditing of key usage
KMS is integrated with ActionTrail and Simple Log Service (SLS), giving you visibility into recent KMS activity. You can also store KMS usage information in other Alibaba Cloud services, such as Object Storage Service (OSS), to meet long-term audit requirements. For more information, see Use ActionTrail to query KMS event logs and Overview of Simple Log Service for KMS.
Data encryption for integrated services
KMS is integrated with multiple Alibaba Cloud services, including Elastic Compute Service (ECS), ApsaraDB RDS, and OSS. You can use the keys stored in KMS to encrypt and control data across these services efficiently; you only need to manage your keys, without performing complex encryption operations yourself. KMS also protects the native data of integrated services. For more information, see Understanding KMS integration and KMS-compatible Alibaba Cloud services.
Ease of use
- Automatic key rotation: KMS provides automatic key rotation, so you do not need to update keys manually. This strengthens security while reducing management overhead.
- Simple implementation: KMS exposes cryptographic API operations that let you encrypt and decrypt data in a straightforward way, without dealing with complicated and abstract cryptographic primitives.
- Cross-Virtual Private Cloud (VPC) access: KMS allows you to associate multiple VPCs with a single KMS instance, enabling users to perform data encryption and decryption across VPCs.
- Bring Your Own Key (BYOK): KMS supports the BYOK feature. You can import keys from external systems such as on-premises KMI, and then use those keys to encrypt data in Alibaba Cloud services or in your self-managed applications and systems.
  KMS uses secure and compliant key exchange algorithms to ensure that operators or third parties cannot view keys in plaintext.
High reliability, availability, and scalability
High reliability
- Multi-zone deployment: KMS supports multi-zone deployment, which helps prevent single points of failure (SPOFs).
- Regular backups: KMS regularly backs up keys, secrets, and related data to ensure fast recovery when faults occur.
High availability
- Redundant cryptographic computing: KMS delivers redundant cryptographic computing capabilities across multiple zones with load balancing, achieving a minute-level Recovery Time Objective (RTO).
- Dual-zone active-active deployment: KMS instances use dual-zone deployment with active-active compute instances across zones, ensuring optimal resource utilization and high service availability. Both Alibaba Cloud services and your self-managed applications can send requests to KMS at low latencies.
- High throughput: KMS instances support queries per second (QPS) specifications of 2,000 and 4,000. Even under a large volume of concurrent requests, KMS instances continue to provide service.
Scalability
You can upgrade the specifications of your KMS instance based on your business requirements.
Architecture example
In the following dual-zone deployment example, your service applications are deployed in VPC_1 and VPC_2. Your KMS instance is deployed in VPC_1 and associated with VPC_2. The following figure shows the KMS architecture.
Security and compliance
KMS offers high-level protection for your keys. Rigorous security design and strict verification processes are implemented during the development of KMS.
- Exclusive instance: Keys are managed by your exclusive instance and are not shared with other tenants, enhancing data security.
- Encrypted transmission: KMS provides only TLS-based secure channels for access and uses only secure cipher suites for data transmission. KMS complies with security standards such as Payment Card Industry Data Security Standard (PCI DSS).
- Certified cryptographic facilities: KMS supports cryptographic facilities that are verified and certified by regulators. Cloud Hardware Security Module (CloudHSM) of Alibaba Cloud offers hardware security modules (HSMs) that are certified to Federal Information Processing Standard (FIPS) Publication 140-2 Level 3. You can integrate KMS with Cloud Hardware Security Module to use clusters of HSMs deployed there for key management and cryptographic operations. For more information about Cloud Hardware Security Module, see What is Data Encryption Service?
Cost-effectiveness
- No hardware investment required: You do not need to purchase, operate, repair, or replace hardware cryptographic devices.
- No HSM cluster deployment: You do not need to deploy highly available and reliable HSM clusters or pay for R&D and maintenance of self-managed KMI.
- Streamlined data encryption: KMS integrates with other Alibaba Cloud services, eliminating the R&D overhead of building a data encryption system. You only need to manage your keys to achieve controllable data encryption on the cloud.