
Key Management Service (KMS)

Frameworks: SOC 2 · ISO 27001 · HIPAA · PCI DSS

Managed service for creating, rotating, and authorising use of cryptographic keys.

A Key Management Service generates, stores, rotates, and authorises use of cryptographic keys. Managed offerings (AWS KMS, GCP Cloud KMS, Azure Key Vault) back keys with FIPS 140-2 Level 2 or 3 HSMs and provide audit logs of every key use.

Why it matters
Storing keys alongside the data they protect, particularly in environment variables or `.env` files, fails almost every framework's key-management control.

Related terms

Encryption at Rest
Cryptographic protection of stored data — typically AES-256 with KMS-managed keys.
Encryption in Transit
TLS protection of data moving across networks — TLS 1.2+ is the floor; TLS 1.3 preferred.
Tokenisation
Replacing sensitive data (typically PAN) with a non-sensitive surrogate value (token).
