Key Management Service (KMS) is applicable to a wide range of scenarios. This topic describes the typical scenarios in which you can use KMS.

Typical scenarios

Role Demand Typical scenario Solution
Application developer Make sure the security of sensitive data in applications. An application developer needs to use sensitive business data and operating data in an application. The application developer wants to encrypt the sensitive data and use KMS to protect the encryption keys. Encrypt and protect sensitive data
IT operations and maintenance (O&M) engineer Provide a secure environment for IT facilities deployed in the cloud. The IT infrastructure in the cloud is shared with other tenants. As a result, an IT O&M engineer cannot establish physical security boundaries in the cloud like in traditional data centers. However, the IT O&M engineer still needs to build a trusted, visible, and controllable security mechanism for the cloud computing and storage hosting environment. Control the cloud computing and storage environment
Chief security officer (CSO) Make sure the security and compliance of information systems. A CSO needs to meet key management requirements in some compliance standards and use cryptographic technologies to meet more requirements for application and information system security. Help information systems meet compliance requirements
Independent service vendor (ISV) Use third-party encryption to provide security capabilities for a service. An ISV is asked by customers to encrypt and protect user data in a service.
  • The ISV wants to focus on developing business features rather than implementing key management and distribution features.
  • Customers hope that the ISV provide controllable and reliable capabilities to encrypt and protect data.
Provide a third-party encryption solution for ISVs

Encrypt and protect sensitive data

You can use data encryption to protect sensitive data generated or stored in the cloud. Alibaba Cloud provides multiple ways to encrypt and protect sensitive data.

Encryption method Description Related topic
Envelope encryption The envelope encryption feature stores your customer master keys (CMKs) in KMS. You only need to deploy enveloped data keys (EDKs). You can use KMS to decrypt the EDKs and use the returned plaintext data keys (DKs) to encrypt or decrypt your local business data.

You can also use Encryption SDK in which the envelope encryption feature is encapsulated to encrypt data.

Direct encryption You can call the Encrypt API operation of KMS to directly encrypt sensitive data by using CMKs. Use a KMS CMK to encrypt and decrypt data online
Server-side encryption (SSE) If you use Alibaba Cloud services to store data, you can use the SSE feature of these services to encrypt and protect data in an effective way. For example, you can use the SSE feature of Object Storage Service (OSS) to protect buckets that store sensitive data or use transparent data encryption (TDE) to protect tables that store sensitive data. Alibaba Cloud services that can be integrated with KMS
Secrets Manager-based encryption You can host sensitive data, such as passwords, tokens, SSH keys, and AccessKeys, in Secrets Manager and manage them by using a secure method. You can also dynamically rotate secrets to prevent data leaks.

Control the cloud computing and storage environment

You can integrate KMS with other Alibaba Cloud services to use the SSE feature. This way, you can control the cloud computing and storage environment, and isolate and protect your computing and storage resources in a distributed multi-tenant system. You can control the distributed computing and storage environment by managing the lifecycle, usage status, and access control policies for CMKs in KMS. You can also integrate KMS with ActionTrail to check and audit key usage in KMS. KMS is typically used in the scenarios that are described in the following table to control the cloud computing and storage environment.

Scenario Description Related topic
Elastic Compute Service (ECS) After you authorize ECS to use KMS keys, ECS can encrypt and protect system disks, data disks, snapshots, and images. For example, to start an ECS instance, you must decrypt both the system disk and data disk. You must encrypt snapshots that are created from encrypted disks. These limits enhance the security of ECS instances and storage resources by using KMS. Encryption overview
Persistent storage The persistent storage services provided by Alibaba Cloud, such as ApsaraDB RDS, OSS, and Apsara File Storage NAS, ensure data storage reliability by using the distributed and redundancy method. When KMS is integrated with these services to encrypt data before the data is stored, data redundancy in distributed systems becomes controllable and visible. For any read requests, data must first be decrypted by KMS. N/A
Other computing and storage scenarios Multiple Alibaba Cloud services support integration with KMS. Alibaba Cloud services that can be integrated with KMS

Help information systems meet compliance requirements

Enterprises or organizations may encounter the following situations when they evaluate the compliance requirements for cryptographic technologies:

  • Compliance regulations require that information systems be protected by cryptographic technologies and that the cryptographic technologies meet relevant technical standards and security specifications.
  • Although the use of cryptographic technologies is not mandatory in compliance specifications, it conduces to the compliance process. For example, the use of cryptographic technologies helps you obtain higher scores in scoring rules.

KMS provides the capabilities that are described in the following table to help enterprises meet compliance requirements.

Feature Description Related topic
Cryptographic compliance KMS supports managed hardware security modules (HSMs). The managed HSMs are third-party hardware devices that are certified by regulatory agencies. They run in an approved security mode. The managed HSMs have passed the certification by State Cryptography Administration (SCA) and FIPS 140-2 Level 3 validation.
Key rotation KMS supports automatic rotation of encryption keys. Enterprises can customize rotation policies to meet data security specifications and best practices.
Secret rotation You can use Secrets Manager to meet the rotation requirement for secrets such as passwords and AccessKeys. In addition, you can enjoy effective and reliable emergency response to data leaks. Rotate generic secrets
Data confidentiality KMS allows you to encrypt and protect personal privacy data. This help you prevent privacy leaks when your system are attacked and meet the requirements of laws and regulations related to data protection. N/A
Data integrity KMS is integrated with Log Service and ActionTrail. You can use KMS to encrypt logs of Alibaba Cloud services to prevent the logs from being tampered with. In addition, KMS ensures the confidentiality and integrity of log data. N/A
Authentication and access control KMS is integrated with Resource Access Management (RAM) to implement centralized authentication and authorization. Use RAM to control access to KMS resources
Key usage auditing KMS stores all API call records in ActionTrail, which allows you to perform compliance auditing on key usage. Use ActionTrail to query KMS event logs

Provide a third-party encryption solution for ISVs

As an ISV, you can integrate KMS as a third-party data security solution to protect the data of customers in your services. After you allow customers to manage keys in KMS and authorize ISV services to use these keys, KMS acts as a third-party security protection system between the ISV services and customers. Customers and ISV services can work together to protect system security.

Role Description Related topic
Customer administrator An administrator generates keys in KMS and manages their lifecycle. The administrator can use RAM to manage the permissions on keys. The administrator can allow ISV services to use specified keys in KMS by using methods such as resource authorization across Alibaba Cloud accounts. Use a RAM role to grant permissions across Alibaba Cloud accounts
ISV service An ISV service uses the specified keys to encrypt and protect data by integrating KMS API. List of operations by function
Customer auditor An auditor uses ActionTrail to audit the usage records of keys in KMS. Use ActionTrail to query KMS event logs