|Application and website developers
||Application and website developers need to use keys and certificates to encrypt data
and sign signatures. They need a secure and independent key management service which
can enable their applications to securely access keys at any place. They want to keep
plaintext keys confidential.
||KMS uses the envelope encryption mechanism. Customer master keys (CMKs) are stored
in KMS. Only ciphertext data keys are installed on user servers. When a server wants
to decrypt a data key, it only needs to call the KMS service.
||Service providers need to encrypt and protect user data used in their services. Service
providers want to focus on developing business functions. They do not want to spend
additional time and costs in developing key management and distribution functions.
In addition, customers want the data encryption and protection functions provided
by service providers to be manageable and reliable.
- Administrators (users): use KMS to generate keys and manage the lifecycle of keys,
and use Resource Access Management (RAM) to manage access permissions to keys.
- Service providers: integrate the KMS API into their services and use user-specified
keys to encrypt data.
- Auditors (users): use ActionTrail to audit activities of accessing keys managed in
|Chief security officers (CSOs)
||CSOs want their key management services to comply with the security requirements and
regulations of their enterprises. They want to implement key usage authorization.
All key usage activities must be audited.
- KMS provides managed Hardware Security Modules (HSMs). Managed HSMs are authority-certified
third-party devices running in an approved security mode. You can use managed HSMs
to generate keys, or import keys to managed HSMs to protect the keys.
- KMS is integrated with Resource Access Management (RAM) to implement unified authentication