Alibaba Cloud Key Management Service (KMS) provides secure and qualified key hosting and cryptography services to help you encrypt and protect sensitive data assets with keys. You can use KMS to encrypt data in various cloud services and control the distributed computing and storage environment inside cloud services. KMS can be integrated with multiple Alibaba Cloud services, such as with ActionTrail to provide key usage logs. KMS also allows you to configure custom key rotation policies. KMS provides managed HSMs that are tested and certified by State Cryptography Administration (SCA) or that have passed FIPS 140-2 Level 3 validation to help you meet the regulatory compliance requirements for enterprises or industries.
- Full Key Hosting: KMS provides key hosting and cryptography services. Alibaba Cloud fully manages the cryptographic infrastructure to ensure the availability, security, and reliability of services and facilities. You focus on management tasks such as key lifecycle and permission policies, as well as data encryption, data decryption, and digital signature verification.
- Availability, Reliability, and Elasticity: KMS builds multi-zone redundant cryptographic computing capabilities in each region to ensure that requests sent to KMS are processed with low latency. You can create as many keys as you need in KMS across multiple regions, without having to scale the underlying infrastructure. You can also use Bring Your Own Key (BYOK) to keep copies of key material for higher durability.
- Security and Compliance: KMS has passed strict security design and verification to ensure stringent protection of your keys on the cloud. You can use managed HSMs that are tested and certified by the State Cryptography Administration (SCA) or that have passed FIPS 140-2 Level 3 validation, configure custom key rotation policies, manage roles and permissions in RAM, and track key usage in ActionTrail. KMS helps you quickly meet regulatory and compliance requirements. If you export key usage logs from ActionTrail to OSS or Log Service, KMS can further be integrated with a SIEM solution for additional analysis and threat detection capabilities.
- Data Encryption for Integrated Cloud Services: KMS is integrated with multiple Alibaba Cloud services such as ECS, ApsaraDB for RDS, OSS, Apsara File Storage NAS, and MaxCompute. You can use keys in KMS to encrypt data in these services, which helps you maintain control over the distributed computing and storage environment. You only pay for key management and do not need to implement complex encryption capabilities yourself. You can also move the data encryption work that was originally implemented in application systems to the cloud by using server-side encryption (SSE) methods such as OSS SSE and ApsaraDB for RDS TDE. Access to SSE is controlled by KMS together with RAM.
- Custom Encryption and Digital Signatures: KMS abstracts the cryptographic technology and HSM interfaces so that you can implement custom data encryption protection through simple APIs. This combines security and compliance requirements with business systems and further reduces the risk of attacks against sensitive data by malicious users. You can also use asymmetric key pairs to implement digital signatures that protect the integrity of key data or messages.
- Cost-effectiveness: With KMS, you only pay for the resources that you use. You do not need to pay the initial cost of HSMs, nor the cost of operating, maintaining, repairing, and replacing them. KMS reduces the R&D and maintenance costs of user-created key management facilities.
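The Security and Compliance item above notes that key usage logs exported from ActionTrail can be fed to a SIEM for threat detection. As an added example (not part of Alibaba Cloud's documentation or SDKs), the Python below runs three simple detection rules over a constructed set of KMS audit events: destructive key operations (such as scheduling a key for deletion), Decrypt calls by a principal that is not on the allowlist for that key, and a burst of Decrypt calls by one principal within a short window. The event field names, the key ID and the principal names are placeholders assumed for this example; map them to the real ActionTrail export schema before using the logic.

```python
"""Detection pass over KMS key-usage audit events (constructed sample data)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: ActionTrail-like records for KMS API calls. The field
# names (eventName, userIdentity.principalId, requestParameters.KeyId, ...)
# are an assumption for this example, not a guaranteed export schema.
# "key-placeholder-1" stands in for a real key ID.
SAMPLE_EVENTS_JSON = """
[
 {"eventTime": "2024-05-01T08:00:00Z", "eventName": "Decrypt", "userIdentity": {"principalId": "app-prod"}, "sourceIpAddress": "10.0.1.5", "requestParameters": {"KeyId": "key-placeholder-1"}},
 {"eventTime": "2024-05-01T08:00:30Z", "eventName": "Decrypt", "userIdentity": {"principalId": "app-prod"}, "sourceIpAddress": "10.0.1.5", "requestParameters": {"KeyId": "key-placeholder-1"}},
 {"eventTime": "2024-05-01T08:01:00Z", "eventName": "Decrypt", "userIdentity": {"principalId": "ci-runner"}, "sourceIpAddress": "10.0.9.9", "requestParameters": {"KeyId": "key-placeholder-1"}},
 {"eventTime": "2024-05-01T08:10:00Z", "eventName": "Decrypt", "userIdentity": {"principalId": "app-prod"}, "sourceIpAddress": "10.0.1.5", "requestParameters": {"KeyId": "key-placeholder-1"}},
 {"eventTime": "2024-05-01T08:10:05Z", "eventName": "Decrypt", "userIdentity": {"principalId": "app-prod"}, "sourceIpAddress": "10.0.1.5", "requestParameters": {"KeyId": "key-placeholder-1"}},
 {"eventTime": "2024-05-01T08:10:10Z", "eventName": "Decrypt", "userIdentity": {"principalId": "app-prod"}, "sourceIpAddress": "10.0.1.5", "requestParameters": {"KeyId": "key-placeholder-1"}},
 {"eventTime": "2024-05-01T08:10:15Z", "eventName": "Decrypt", "userIdentity": {"principalId": "app-prod"}, "sourceIpAddress": "10.0.1.5", "requestParameters": {"KeyId": "key-placeholder-1"}},
 {"eventTime": "2024-05-01T08:10:20Z", "eventName": "Decrypt", "userIdentity": {"principalId": "app-prod"}, "sourceIpAddress": "10.0.1.5", "requestParameters": {"KeyId": "key-placeholder-1"}},
 {"eventTime": "2024-05-01T08:15:00Z", "eventName": "ScheduleKeyDeletion", "userIdentity": {"principalId": "ops-admin"}, "sourceIpAddress": "203.0.113.7", "requestParameters": {"KeyId": "key-placeholder-1"}},
 {"eventTime": "2024-05-01T08:16:00Z", "eventName": "Encrypt", "userIdentity": {"principalId": "app-prod"}, "sourceIpAddress": "10.0.1.5", "requestParameters": {"KeyId": "key-placeholder-1"}}
]
"""

# Operations that change a key's lifecycle state; every occurrence is worth a
# ticket because they can make previously encrypted data unrecoverable.
DESTRUCTIVE_OPS = {"ScheduleKeyDeletion", "DisableKey", "DeleteKeyMaterial"}


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze_events(events, allowed_decryptors, burst_threshold=5, window_seconds=60):
    """Return a list of alert dicts for the given KMS audit events.

    allowed_decryptors maps key ID -> set of principal IDs expected to call
    Decrypt with that key (the allowlist would normally mirror the RAM policy).
    """
    alerts = []
    recent = defaultdict(deque)   # (principal, key) -> Decrypt timestamps in window
    burst_flagged = set()         # (principal, key) pairs already reported for bursts

    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name = ev["eventName"]
        principal = ev.get("userIdentity", {}).get("principalId", "<unknown>")
        key_id = ev.get("requestParameters", {}).get("KeyId", "<none>")
        ts = parse_time(ev["eventTime"])

        if name in DESTRUCTIVE_OPS:
            alerts.append({"rule": "destructive_key_operation", "principal": principal,
                           "key": key_id, "op": name, "time": ev["eventTime"]})

        if name == "Decrypt":
            if principal not in allowed_decryptors.get(key_id, set()):
                alerts.append({"rule": "decrypt_by_unexpected_principal", "principal": principal,
                               "key": key_id, "source_ip": ev.get("sourceIpAddress"),
                               "time": ev["eventTime"]})
            # Sliding window: keep only Decrypt calls within window_seconds of this one.
            window = recent[(principal, key_id)]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= burst_threshold and (principal, key_id) not in burst_flagged:
                burst_flagged.add((principal, key_id))
                alerts.append({"rule": "decrypt_burst", "principal": principal, "key": key_id,
                               "count": len(window), "window_seconds": window_seconds,
                               "time": ev["eventTime"]})
    return alerts


def run_sample():
    """Run the rules over the constructed sample with app-prod as the only allowed decryptor."""
    events = json.loads(SAMPLE_EVENTS_JSON)
    allowed = {"key-placeholder-1": {"app-prod"}}
    return analyze_events(events, allowed)


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

The allowlist is the important input: it should be derived from the RAM policies that actually grant `kms:Decrypt` on each key, so that an audit event from any other principal is a policy drift or credential misuse signal rather than noise. In a real deployment the same rules would run on the Log Service or OSS export rather than on an embedded JSON string.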