Why architecture matters here

KMS failures include deleted keys (data lost), throttling under load, and cross-account grant sprawl. Architecture matters because envelope + grants + audit define both cost and safety.

Advertisement

The architecture: every piece explained

The top strip is basics. Application. CMK / KMS key. Envelope encryption via GenerateDataKey. Key policy + grants.

The middle row is variants. Aliases + rotation. Multi-Region keys. CloudHSM. CloudTrail.

The lower rows are ops. Quotas + throttling. Cost. Ops — deletion delay + break-glass + BYOK.

AWS KMS — CMKs + envelope + grants + audit + multi-regionmanaged encryption at the AWS boundaryApplicationencrypt/decryptCMK / KMS keySYMMETRIC / ASYMMETRICEnvelope encryptionGenerateDataKeyKey policy + grantswho can useAliases + rotationannual autoMulti-Region keyssame materialCloudHSMcustom key storeCloudTrailevery use auditedQuotas + throttlingAPI TPS limitsCostrequests + keysOps — deletion delay + break-glass + BYOKrotateregionalcomplianceauditthrottlebudgetbudgetoperateoperate
AWS KMS + envelope + grants + audit.
Advertisement

End-to-end flow

End-to-end: app calls GenerateDataKey. Encrypts data with plaintext key locally; stores encrypted data key next to ciphertext. On read, calls Decrypt on data key; decrypts data locally. Rotation issues new CMK version; old ciphertext still readable. Audit trail in CloudTrail.