AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Chinese government-approved hardware security modules to protect the security of your keys. The service is designed so that no one, including KMS service operators, can retrieve your plaintext master keys from the service. You control the use and management of these keys used to access encrypted data across AWS services and in your own applications.