Key Management Service (KMS) boasts the following advantages over traditional key management infrastructure (KMI): integration with multiple services, ease of use, high reliability, and cost-effectiveness.
Integration with multiple services
Authentication and access control
KMS authenticates requests by using AccessKey pairs. In addition, KMS is integrated with Resource Access Management (RAM), which allows you to configure a variety of custom policies to meet the authorization requirements of different scenarios. KMS accepts only requests that are initiated by authorized users and pass the dynamic permission checks of RAM. For more information, see Custom permission policies.
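As an added illustration of the custom-policy model described above (not Alibaba Cloud's own code or sample policy), the following Python block holds a least-privilege RAM policy for an application that only wraps and unwraps data under a single key, a deliberately broad counter-example, and a small local evaluator that mirrors RAM's core decision rule: an explicit Deny always wins, an Allow is required, and an unmatched request is denied. The account ID and key ID are placeholders, wildcard matching is glob-style, and RAM condition keys are not modelled.

```python
"""Least-privilege RAM policy for a KMS-backed application, plus a small local
evaluator and linter. Added illustration for this page, not Alibaba Cloud's
own code: the account ID and key ID are placeholders, and the evaluator models
only RAM's core decision rule (explicit Deny wins, an Allow is required,
anything unmatched is denied) with glob-style wildcards; RAM's condition
keys are not modelled."""
from fnmatch import fnmatchcase

ACCOUNT_ID = "123456789012"                        # placeholder account ID
APP_KEY = "key-placeholder-app"                    # placeholder KMS key ID

# The application may only wrap/unwrap data under one key and is explicitly
# denied the key-management actions it never needs.
APP_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": f"acs:kms:*:{ACCOUNT_ID}:key/{APP_KEY}",
        },
        {
            "Effect": "Deny",
            "Action": ["kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:ImportKeyMaterial"],
            "Resource": "*",
        },
    ],
}

# Constructed counter-example: every KMS action on every key, as a linter target.
BROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # RAM policies use "*" as a wildcard; fnmatchcase keeps matching case-sensitive.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Return True only if some statement allows the request and none denies it."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False          # an explicit Deny overrides any Allow
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


def overly_broad_statements(policy):
    """Indexes of Allow statements granting every KMS action or covering every key."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        if any(a in ("*", "kms:*") for a in actions) or "*" in resources:
            findings.append(i)
    return findings


if __name__ == "__main__":
    key_arn = f"acs:kms:cn-hangzhou:{ACCOUNT_ID}:key/{APP_KEY}"
    print(is_allowed(APP_POLICY, "kms:Decrypt", key_arn))              # True
    print(is_allowed(APP_POLICY, "kms:ScheduleKeyDeletion", key_arn))  # False
    print(overly_broad_statements(BROAD_POLICY))                       # [0]
```

The point of the Deny statement is defence in depth: even if a later, more permissive policy is attached to the same RAM user, the application still cannot delete, disable, or replace the key it depends on. The linter is the check a reviewer runs before a policy is attached, so that a wildcard action or resource in an Allow statement is caught at review time rather than in an audit.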
Auditing of key usage
KMS is integrated with ActionTrail. This allows you to view recent KMS usage and store KMS usage information in other Alibaba Cloud services, such as Object Storage Service (OSS), to meet audit requirements in the long term. For more information, see Use ActionTrail to query KMS event logs.
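The audit trail is only useful if someone looks at it, so here is an added example (not Alibaba Cloud's own code) of the triage a security operations team would run over KMS events exported from ActionTrail: report any key-lifecycle action, and report data-key operations on a sensitive key that come from a principal or network the key owner did not expect. The events are constructed, and the field names used (eventName, eventSource, userIdentity.userName, sourceIpAddress, requestParameters.KeyId) are an assumption about the record layout; map them to the actual schema of your exported trail before use.

```python
"""Triage of KMS events recorded by ActionTrail. Added example for this page,
not Alibaba Cloud's own code: the events below are constructed, and the field
names (eventName, eventSource, userIdentity.userName, sourceIpAddress,
requestParameters.KeyId) are an assumption about the record layout, so map
them to the actual schema before running this over exported trails."""
import ipaddress
from collections import Counter

GUARDED_KEY = "key-placeholder-payments"     # placeholder key ID
OTHER_KEY = "key-placeholder-logs"           # placeholder key ID
KMS_SOURCE = "kms.aliyuncs.com"

# Which principals and networks are expected to use each sensitive key.
EXPECTED_USAGE = {
    GUARDED_KEY: {"principals": {"app-order-service"}, "cidrs": ["10.0.0.0/8"]},
}

# Actions that change a key's lifecycle and should always be reviewed.
DESTRUCTIVE_ACTIONS = frozenset({"ScheduleKeyDeletion", "DisableKey", "DeleteKeyMaterial"})
DATA_ACTIONS = frozenset({"Encrypt", "Decrypt", "GenerateDataKey"})


def _event(name, user, ip, key=None, t="2024-05-01T10:00:00Z"):
    return {
        "eventTime": t, "eventName": name, "eventSource": KMS_SOURCE,
        "userIdentity": {"type": "ram-user", "userName": user},
        "sourceIpAddress": ip,
        "requestParameters": {"KeyId": key} if key else {},
    }


# Constructed sample trail: normal use, an off-network call, an unexpected
# principal, a deletion request, and events that should not raise findings.
SAMPLE_EVENTS = [
    _event("Decrypt", "app-order-service", "10.1.2.3", GUARDED_KEY),
    _event("Decrypt", "app-order-service", "203.0.113.7", GUARDED_KEY),
    _event("GenerateDataKey", "intern-ops", "10.1.2.9", GUARDED_KEY),
    _event("ScheduleKeyDeletion", "admin-bob", "10.1.2.10", GUARDED_KEY),
    _event("ListKeys", "admin-bob", "10.1.2.10"),
    _event("Decrypt", "app-order-service", "10.1.2.3", OTHER_KEY),
]


def _in_any(ip, cidrs):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # malformed or missing address is treated as unexpected
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def triage(events, expected=EXPECTED_USAGE):
    """Return (kind, eventName, userName, keyId) findings worth an analyst's look."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != KMS_SOURCE:
            continue
        name = ev.get("eventName")
        key = (ev.get("requestParameters") or {}).get("KeyId")
        who = (ev.get("userIdentity") or {}).get("userName", "unknown")
        src = ev.get("sourceIpAddress", "")
        if name in DESTRUCTIVE_ACTIONS:
            findings.append(("destructive-action", name, who, key))
            continue
        rules = expected.get(key)
        if rules is None or name not in DATA_ACTIONS:
            continue
        if who not in rules["principals"]:
            findings.append(("unexpected-principal", name, who, key))
        if not _in_any(src, rules["cidrs"]):
            findings.append(("unexpected-source", name, who, key))
    return findings


def data_action_counts(events):
    """Decrypt/Encrypt/GenerateDataKey volume per principal, for rate baselines."""
    return Counter(
        (ev["userIdentity"]["userName"], ev["eventName"])
        for ev in events if ev.get("eventName") in DATA_ACTIONS
    )


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed trail, the script reports the Decrypt from outside the expected network, the GenerateDataKey by a principal that should not touch the key, and the deletion request; the ListKeys call and the Decrypt on the non-sensitive key produce nothing. The per-principal counter is the input to a rate baseline: a sudden jump in Decrypt volume for one principal is the usual sign of a leaked credential being used to bulk-unwrap data keys, and it is visible in the trail even when every individual call is authorized.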
Data encryption for integrated services
KMS is integrated with multiple Alibaba Cloud services such as Elastic Compute Service (ECS), ApsaraDB RDS, and OSS. You can use keys in KMS to encrypt and control data of the integrated services in an efficient manner: you only need to manage the keys, and the services perform the encryption operations for you. KMS also protects native data of the integrated services. For more information, see Overview of integration with KMS and Alibaba Cloud services that can be integrated with KMS.
Ease of use
Simple implementation
KMS provides cryptographic API operations that enable you to encrypt and decrypt data in a simplified manner, which frees you from complicated and abstract cryptography.
Centralized key management
You can create keys on demand and manage access from users and applications to the keys by using RAM and application access points (AAPs).
You can use ActionTrail to audit operations on KMS resources.
BYOK
KMS supports the Bring Your Own Key (BYOK) feature. You can import keys to KMS from external systems such as on-premises KMI. Then, you can use the keys to encrypt data in Alibaba Cloud services or use the keys for your self-managed applications and systems.
Note: KMS adopts secure and compliant key exchange algorithms to ensure that operators or third parties cannot view keys in plaintext.
High reliability, availability, and scalability
KMS delivers redundant cryptographic computing capabilities across multiple zones in each region. This ensures that Alibaba Cloud services and your self-managed applications can send requests to KMS at low latencies. You can upgrade specifications of KMS based on your business requirements.
KMS instances use dual-zone deployment with load balancing to achieve minute-level recovery time objective (RTO). This configuration ensures active-active compute instances across zones for optimal resource use and high service availability. To enable a KMS instance, you must select two zones in the same virtual private cloud (VPC). The following figure shows the architecture.
By default, each KMS instance is equipped with at least two compute instances. Additional instances can be added to meet the demands of higher availability and improved performance.
Security and compliance
KMS offers high-level protection for your keys. Security is designed in and strictly verified throughout the development of KMS.
KMS provides only TLS-based secure channels for access and uses only secure cipher suites for transmission. KMS complies with security standards such as Payment Card Industry Data Security Standard (PCI DSS).
KMS supports cryptographic facilities that are verified and certified by regulators. Cloud Hardware Security Module of Alibaba Cloud offers hardware security modules (HSMs) that comply with Federal Information Processing Standard (FIPS) Publication 140-2 Level 3. You can integrate KMS with Cloud Hardware Security Module of Alibaba Cloud. This way, you can use the clusters of HSMs that are deployed in Cloud Hardware Security Module to manage keys and perform cryptographic operations. For more information about Cloud Hardware Security Module, see What is Data Encryption Service?
Cost-effectiveness
You do not need to invest in hardware cryptographic devices or bear the cost of purchasing, operating, repairing, and replacing them.
If you use KMS, you do not need to deploy highly available and reliable HSM clusters or pay for R&D and maintenance for self-managed KMI.
KMS is integrated with other Alibaba Cloud services to eliminate the R&D overheads of a data encryption system. You need to only manage keys to achieve controllable data encryption on the cloud.