The following table describes the APIs that you can call in different scenarios.

| Category | Subcategory | Description | API | Difference |
| --- | --- | --- | --- | --- |
| Customer master key (CMK) | CMK management | Manages a CMK throughout its lifecycle and queries information about a CMK. | KMS API | None. |
| | Key version management | Rotates CMKs and queries the versions of CMKs. | | |
| | Alias management | Manages an alias throughout its lifecycle and queries information about an alias. An alias is an independent object in KMS. An alias must be bound to a unique CMK. You can set the KeyId parameter in specific operations to an alias to specify a CMK. | | |
| | Cryptographic operation | Uses keys to perform cryptographic operations, such as data encryption and decryption. | | If you use Dedicated KMS to perform cryptographic operations on data, you must call the Dedicated KMS API. To perform other operations, you can call the KMS API. The Dedicated KMS API and KMS API provide similar cryptographic operations but support different data formats. The two APIs must be used differently. You can call the Dedicated KMS API by using the endpoint of the virtual private cloud (VPC) to access the dedicated KMS instance. You can call the KMS API by using the address of the gateway. |
| Secrets Manager | Secrets management | Manages and protects sensitive data by using secrets and provides secret distribution and rotation capabilities. | KMS API | None. |
| Certificates Manager | Certificate management | Allows you to create, delete, and update a certificate, and query the information about a certificate. Allows you to generate and verify a signature. | | |
| Others | Tag management | Manages the tag that is associated with a resource throughout the lifecycle of the tag and queries the tags of a specified resource. | | |
| | Common operations | Activates KMS and queries the status of KMS and available regions. | | |