Encryption is the process of converting plaintext into ciphertext using a key. We can get the original plain text from the ciphertext using the same key, and this is referred to as decryption. AWS Key Management Service (KMS) helps us create and manage encryption keys while making use of shared hardware security modules (HSMs). CloudHSM is another service within AWS that allows us to manage encryption keys but uses dedicated HSMs for enhanced security. We will look at recipes for working with both AWS KMS and AWS CloudHSM within this chapter.

In this chapter, we will cover the following recipes:

• Creating keys in KMS
• Using keys with external key material
• Rotating keys in KMS
• Granting permissions programmatically with grants
• Using key policies with conditional keys
• Sharing customer-managed keys across accounts
• Creating a CloudHSM cluster
• Initializing and activating a CloudHSM cluster