AWS Key Management Service (KMS) is a managed service provided by Amazon Web Services that enables easy creation and control of cryptographic keys used to encrypt data. KMS is integrated with other AWS services and supports the following: 

  • Symmetric keys
  • Asymmetric key pairs for signing/encryption
  • HMAC keys for message authentication

The Key Management Service plugin: 

  1. Connects to your AWS account using IAM credentials (either permanent access keys or temporary session tokens from AWS STS).
  2. Discovers all cryptographic keys and key states stored in KMS within a specified AWS region, including: 
    • Symmetric keys: the plugin discovers the following types of symmetric keys:

      Key                 Description
      SYMMETRIC_DEFAULT   AES-256-GCM encryption keys for encrypt/decrypt operations
      HMAC                HMAC_224, HMAC_256, HMAC_384, HMAC_512 for message authentication

      For symmetric keys:
      • The plugin does not export key material; AWS KMS does not allow symmetric or HMAC key material to be exported.
      • The plugin returns comprehensive metadata, but does not return the key body.
    • Asymmetric keys: the plugin discovers the following types of asymmetric keys:

      Algorithm         Description
      RSA               RSA_2048, RSA_3072, RSA_4096 for signing/verification or encryption/decryption
      Elliptic curve    ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1 for signing/verification
      SM2               SM2 (China national standard) for encryption/decryption

      For asymmetric keys:
      • The plugin extracts the public key in PEM format.
      • The plugin does not export the private key; AWS KMS does not allow private key material to be exported.
    • Key states: the plugin reports the following key states:

      Key State         Description
      Enabled           The key is available for use
      Disabled          The key exists but cannot be used for cryptographic operations
      PendingDeletion   The key is scheduled for deletion (7-30 day waiting period)
      PendingImport     Waiting for the key material to be imported
      Unavailable       The key is temporarily unavailable
      Creating          The key is being created

  3. Retrieves key metadata.
  4. Exports the public key data for asymmetric keys in PEM format.

Note: The plugin does not support incremental scanning; each scan operation processes all keys in the specified region.
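As an added illustration (not the plugin's own code) of steps 1 to 4 and of the full, non-incremental scan described in the note, the following Python walks one region's KMS keys the way a discovery plugin would: it pages through ListKeys, reads metadata with DescribeKey, classifies each key by KeySpec, and converts the DER public key returned by GetPublicKey into PEM for enabled asymmetric keys only, never requesting symmetric, HMAC or private key material. The FakeKms client and SAMPLE_KEYS are constructed stand-ins so the example runs offline; a real `boto3.client("kms", region_name=...)` can be passed to discover_keys instead, since the method names and response shapes match.

```python
import base64

def is_symmetric(key_spec):
    return key_spec == "SYMMETRIC_DEFAULT" or key_spec.startswith("HMAC_")  # no exportable material

def der_to_pem(der):
    """GetPublicKey returns a DER-encoded SubjectPublicKeyInfo; wrap it as base64, 64 chars per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def discover_keys(kms, page_size=1000):
    """Full (non-incremental) inventory of one region; kms is a boto3 KMS client or a compatible stand-in.
    Only enabled asymmetric keys yield a public key: symmetric/HMAC material and private keys never leave KMS."""
    inventory, marker = [], None
    while True:  # ListKeys is paginated via Truncated/NextMarker
        page = kms.list_keys(**({"Limit": page_size, "Marker": marker} if marker else {"Limit": page_size}))
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            record = {**{k: meta[k] for k in ("KeyId", "KeyState", "KeySpec", "KeyUsage")}, "PublicKeyPem": None}
            if not is_symmetric(meta["KeySpec"]) and meta["KeyState"] == "Enabled":
                record["PublicKeyPem"] = der_to_pem(kms.get_public_key(KeyId=meta["KeyId"])["PublicKey"])
            inventory.append(record)
        if not page.get("Truncated"):
            return inventory
        marker = page["NextMarker"]

class FakeKms:
    """Constructed offline stand-in exposing the three boto3 KMS methods the scan uses (not real AWS data)."""
    def __init__(self, keys):
        self._keys = {k["KeyId"]: k for k in keys}
    def list_keys(self, Limit=1000, Marker=None):
        ids, start = sorted(self._keys), int(Marker or 0)
        resp = {"Keys": [{"KeyId": i} for i in ids[start:start + Limit]], "Truncated": start + Limit < len(ids)}
        if resp["Truncated"]:
            resp["NextMarker"] = str(start + Limit)
        return resp
    def describe_key(self, KeyId):
        return {"KeyMetadata": {k: v for k, v in self._keys[KeyId].items() if k != "PublicKey"}}
    def get_public_key(self, KeyId):
        return {"PublicKey": self._keys[KeyId]["PublicKey"]}

SAMPLE_KEYS = [  # constructed sample inventory; the DER bytes are placeholders, not real keys
    {"KeyId": "k-sym", "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT"},
    {"KeyId": "k-hmac", "KeyState": "Disabled", "KeySpec": "HMAC_256", "KeyUsage": "GENERATE_VERIFY_MAC"},
    {"KeyId": "k-rsa", "KeyState": "Enabled", "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY", "PublicKey": b"\x30\x03\x01\x01\x00"},
    {"KeyId": "k-ecc", "KeyState": "PendingDeletion", "KeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY", "PublicKey": b"\x30\x00"},
]

if __name__ == "__main__":  # page_size=2 forces pagination over the four sample keys
    print(*discover_keys(FakeKms(SAMPLE_KEYS), page_size=2), sep="\n")
```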