
AWS Key Management Service (KMS)

Overview

The AWS KMS Module provides a reusable and scalable way to provision and manage AWS Key Management Service (KMS) keys using Terraform.
It abstracts the complexity of configuring encryption keys and related policies, enabling developers to define secure key management infrastructure with minimal effort while following AWS best practices.

This module supports both resource creation and data sources for managing KMS keys, aliases, and policies in a consistent and modular way.


Features

  • 🚀 Reusable & Modular – Predefined structure for resources and data modules.
  • 🔐 Security Best Practices – Supports key policies, IAM integration, and fine-grained access control.
  • 🔑 Encryption at Scale – Manage encryption keys for S3, EBS, RDS, Lambda, and more.
  • 📜 Automatic Rotation – Enable key rotation to enhance security posture.
  • 🧩 Extensible – Easily integrates with other Terraform modules and AWS services.
  • 🛡 Compliance Ready – Enforce encryption standards required for audits and regulations.

Core Concepts

  1. Resources Module

    • Creates and manages KMS keys and related configurations.
    • Includes support for:
      • Customer-managed keys (CMKs)
      • Key policies and grants
      • Aliases for simplified referencing
      • Automatic key rotation
  2. Data Module

    • Fetches information about existing KMS keys and aliases.
    • Useful for referencing key attributes and integrating with other infrastructure components.
  3. Policy Management

    • Supports defining custom key policies for fine-grained IAM control.
    • Provides flexibility to delegate access securely across users, services, and accounts.
  4. Separation of Concerns

    • resources/ handles KMS key creation and configuration.
    • data/ is focused on reading and referencing existing KMS keys.
    • This separation ensures clarity, reusability, and modular design.
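The four concepts above fit together in one small configuration. The following is an added example written against the AWS provider directly, not code from the Ananta Cloud module (the module inputs documented on this page do not include a key policy argument, so the policy is attached to a plain aws_kms_key resource here). The region, the alias name "alias/my-app" and the role name "my-app-role" are assumptions; the account ID is resolved at plan time.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region
}

data "aws_caller_identity" "current" {}

# Key policy (Policy Management):
#  - the account root keeps full administrative control, so the key can never
#    become unmanageable if IAM roles are deleted;
#  - exactly one application role may use the key, and only through S3 in this
#    region, so the same role cannot call kms:Decrypt directly from elsewhere.
data "aws_iam_policy_document" "key_policy" {
  statement {
    sid       = "EnableRootAdministration"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid    = "AllowAppRoleUseViaS3"
    effect = "Allow"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:GenerateDataKey*",
      "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type = "AWS"
      # assumed role name
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/my-app-role"]
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.us-east-1.amazonaws.com"]
    }
  }
}

# Customer-managed key with rotation (Resources Module).
resource "aws_kms_key" "app" {
  description              = "KMS key for my app"
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation      = true
  deletion_window_in_days  = 30
  policy                   = data.aws_iam_policy_document.key_policy.json

  tags = {
    Environment = "dev"
    Project     = "my-app"
  }
}

# Alias so other stacks reference a stable name instead of a key ID.
resource "aws_kms_alias" "app" {
  name          = "alias/my-app" # assumed alias
  target_key_id = aws_kms_key.app.key_id
}

# Read-side lookup (Data Module): resolve an existing key by its alias.
data "aws_kms_key" "by_alias" {
  key_id     = "alias/my-app"
  depends_on = [aws_kms_alias.app]
}

output "key_arn" {
  value = data.aws_kms_key.by_alias.arn
}

output "key_state" {
  value = data.aws_kms_key.by_alias.key_state # "Enabled" once created
}
```

Run `terraform plan` to inspect the rendered policy JSON before applying. Keep the root statement in every key policy: without it, and with no IAM principal granted kms:PutKeyPolicy, the key's policy can no longer be changed by anyone in the account.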

Sample Usage

# DEPLOY ANANTA CLOUD'S KMS MODULE

module "kms_key" {
  # "//" separates the repository from the subdirectory that holds the module.
  source = "github.com/anantacloud/terraform-aws-kms-module//modules/resources"

  # ==========================
  # REQUIRED VARIABLES
  # ==========================
  description         = "KMS key for my app"
  enable_key_rotation = true

  # ==========================
  # OPTIONAL VARIABLES
  # ==========================
  deletion_window_in_days  = 30
  key_usage                = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"

  tags = {
    Environment = "dev"
    Project     = "my-app"
  }
}

Required

| Name                | Description                              | Type   | Example              |
|---------------------|------------------------------------------|--------|----------------------|
| description         | Description of the KMS key               | string | "KMS key for my app" |
| enable_key_rotation | Enable automatic rotation of the KMS key | bool   | true                 |

Optional

| Name                     | Description                                        | Type   | Default             |
|--------------------------|----------------------------------------------------|--------|---------------------|
| deletion_window_in_days  | Waiting period for scheduled KMS key deletion      | number | 30                  |
| key_usage                | The cryptographic operations (e.g. ENCRYPT_DECRYPT) | string | "ENCRYPT_DECRYPT"   |
| customer_master_key_spec | Type of KMS key (e.g. SYMMETRIC_DEFAULT)           | string | "SYMMETRIC_DEFAULT" |
| tags                     | Add custom tags to the KMS key                     | map    | {}                  |