The following table describes the APIs that you can call in different scenarios.

Category Subcategory Description API Difference
Customer master key (CMK) CMK management Manages a CMK throughout its lifecycle and queries information about a CMK. KMS API None.
CMK version management Rotates a CMK and queries information about a CMK version.
Alias management Manages an alias throughout its lifecycle and queries information about an alias.

An alias is an independent object in KMS. An alias must be bound to a unique CMK. You can set the KeyId parameter in specific operations to an alias to specify a CMK.

Cryptographic operation Uses keys to perform cryptographic operations, such as data encryption and decryption.
  • If you use Dedicated KMS to perform cryptographic operations on data, you must call the Dedicated KMS API. To perform other operations, you can call the KMS API. The Dedicated KMS API and the KMS API provide similar cryptographic operations but support different data formats. The two APIs cannot be interchangeably used.
  • You can call KMS API by using the KMS gateway. You can call Dedicated KMS API by using the private gateway of Dedicated KMS .
Secrets Manager Secrets management Manages, protects, distributes, and rotates secrets. KMS API None.
Secret query Queries a secret value.
  • You can call the Dedicated KMS API or KMS API to query secret values. Compared with the KMS API, the Dedicated KMS API provides lower latency, higher QPS, and higher stability.
  • You can call KMS API by using the KMS gateway. You can call Dedicated KMS API by using the private gateway of Dedicated KMS .
Certificates Manager Certificate management Creates, deletes, and updates a certificate, queries information about a certificate, and generates and verifies a signature. KMS API None
Others Tag management Manages the tag that is associated with a resource throughout the lifecycle of the tag and queries the tags of a specified resource.
Common operations Activates KMS and queries the status of KMS instances and available regions.