AWS KMS Encryption with Spring Boot
Learn how to integrate AWS Key Management Service (KMS) with Spring Boot for secure encryption and decryption. This guide covers KMS architecture, Customer Managed Keys (CMKs), envelope encryption, AWS SDK integration, IAM permissions, S3/RDS encryption, and production best practices.
Introduction
Every enterprise application handles sensitive data.
Examples include:
- Customer Personally Identifiable Information (PII)
- Credit card details
- Aadhaar/Social Security Numbers
- API Keys
- JWT Signing Keys
- Database Passwords
- Medical Records
- Financial Transactions
Simply storing this information in plain text is a major security risk.
AWS Key Management Service (KMS) provides a secure, managed way to create, manage, rotate, and use encryption keys.
In this article, we will learn how to integrate AWS KMS with Spring Boot to encrypt and decrypt sensitive application data securely.
Learning Objectives
After completing this article, you will understand:
- What is AWS KMS?
- Symmetric vs Asymmetric Keys
- Customer Managed Keys (CMKs)
- AWS Managed Keys
- Envelope Encryption
- Encryption at Rest
- Encryption in Transit
- Spring Boot Integration
- AWS SDK for Java
- Encrypt & Decrypt APIs
- IAM Permissions
- Production Best Practices
Why Encryption?
Without encryption:
Customer Data
│
▼
Database
If the database is compromised, the attacker can read all sensitive information.
With encryption:
Customer Data
│
▼
Encrypted Data
│
▼
Database
Even if someone gains database access, the encrypted values remain unreadable without the correct encryption key.
What is AWS KMS?
AWS Key Management Service (KMS) is a managed service that allows you to:
- Create encryption keys
- Encrypt data
- Decrypt data
- Rotate keys
- Control access using IAM
- Audit usage with CloudTrail
KMS never exposes your encryption keys in plaintext.
High-Level Architecture
flowchart LR
APP[Spring Boot]
IAM[IAM Role]
KMS[AWS KMS]
DB[(Amazon Aurora)]
APP --> IAM
IAM --> KMS
APP --> DB
Enterprise Architecture
flowchart TD
USERS[Users]
ALB[Application Load Balancer]
APP[Spring Boot]
IAM[IAM Role]
KMS[AWS KMS]
RDS[(Amazon Aurora)]
S3[(Amazon S3)]
CW[CloudWatch]
USERS --> ALB
ALB --> APP
APP --> IAM
IAM --> KMS
APP --> RDS
APP --> S3
APP --> CW
AWS KMS Components
| Component | Description |
|---|---|
| KMS Key | Encryption Key |
| Alias | Friendly Name |
| Key Policy | Controls Access |
| IAM Policy | User/Role Permissions |
| CloudTrail | Audit Logs |
| Envelope Encryption | Encrypt Data Keys |
Types of KMS Keys
AWS supports:
- AWS Managed Keys
- Customer Managed Keys (CMK)
- AWS Owned Keys
AWS Managed Key
Automatically created by AWS.
Example:
aws/s3
aws/rds
aws/ebs
Simple to use.
Limited customization.
Customer Managed Key (CMK)
Created and managed by you.
Supports:
- Key rotation
- IAM policies
- Key aliases
- Cross-account access
- Custom permissions
Recommended for enterprise applications.
Symmetric vs Asymmetric Keys
| Symmetric | Asymmetric |
|---|---|
| Same key encrypts & decrypts | Public/Private key pair |
| Faster | Slower |
| Used most often | Digital Signatures |
| Recommended for applications | Special use cases |
Most Spring Boot applications use Symmetric Keys.
Encryption Types
Encryption at Rest
Data stored in:
- S3
- Aurora
- DynamoDB
- EBS
- OpenSearch
is encrypted.
Encryption in Transit
Data moving between:
Browser
↓
Spring Boot
↓
AWS Services
uses HTTPS/TLS.
Application-Level Encryption
Spring Boot encrypts data before storing it in the database.
Recommended for:
- SSN
- PAN
- Credit Card
- API Keys
Envelope Encryption
Instead of encrypting large files directly using KMS:
Data
↓
Generate Data Key
↓
Encrypt Data
↓
Store Encrypted Data Key
Much faster.
AWS uses this approach internally.
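The flow above in Java, added here as an example rather than code from the article: one GenerateDataKey call per object, AES-256-GCM from the JDK for the payload, and only the small wrapped data key going back to KMS on decrypt. It assumes a KmsClient built as in this article, the alias alias/codewithvenu-key, and an encryption context of my choosing; the Envelope record and the class and method names are mine. The KMS Encrypt API accepts at most 4096 bytes of plaintext, so anything larger has to take this route in any case.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DataKeySpec;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyRequest;
import software.amazon.awssdk.services.kms.model.GenerateDataKeyResponse;

/** Envelope encryption: KMS wraps a per-object AES-256 data key; AES-GCM encrypts the payload locally. */
public class EnvelopeCrypto {

    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final SecureRandom RANDOM = new SecureRandom();

    /** What gets persisted: the KMS-wrapped data key, the GCM nonce and the ciphertext. Never the plaintext key. */
    public record Envelope(byte[] encryptedDataKey, byte[] iv, byte[] ciphertext) {}

    private final KmsClient kms;
    private final String keyId;                  // KMS key ID, ARN or alias, e.g. "alias/codewithvenu-key"
    private final Map<String, String> context;   // encryption context; must match exactly on decrypt

    public EnvelopeCrypto(KmsClient kms, String keyId, Map<String, String> context) {
        this.kms = kms;
        this.keyId = keyId;
        this.context = Map.copyOf(context);
    }

    public Envelope encrypt(byte[] plaintext) throws Exception {
        // One KMS call per object: the data key comes back twice, plaintext (use now, then wipe) and wrapped.
        GenerateDataKeyResponse dk = kms.generateDataKey(GenerateDataKeyRequest.builder()
                .keyId(keyId)
                .keySpec(DataKeySpec.AES_256)
                .encryptionContext(context)
                .build());
        byte[] plainKey = dk.plaintext().asByteArray();
        byte[] wrappedKey = dk.ciphertextBlob().asByteArray();
        try {
            byte[] iv = new byte[GCM_IV_BYTES];
            RANDOM.nextBytes(iv);                        // fresh nonce for every encryption under this key
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(plainKey, "AES"),
                    new GCMParameterSpec(GCM_TAG_BITS, iv));
            cipher.updateAAD(wrappedKey);                // bind the ciphertext to the wrapped key it belongs to
            return new Envelope(wrappedKey, iv, cipher.doFinal(plaintext));
        } finally {
            Arrays.fill(plainKey, (byte) 0);             // the plaintext data key is never stored or logged
        }
    }

    public byte[] decrypt(Envelope env) throws Exception {
        // Only the wrapped data key goes to KMS; the payload itself never leaves the application.
        byte[] plainKey = kms.decrypt(DecryptRequest.builder()
                .ciphertextBlob(SdkBytes.fromByteArray(env.encryptedDataKey()))
                .keyId(keyId)                            // pinning the key rejects wrapped keys from any other KMS key
                .encryptionContext(context)
                .build()).plaintext().asByteArray();
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(plainKey, "AES"),
                    new GCMParameterSpec(GCM_TAG_BITS, env.iv()));
            cipher.updateAAD(env.encryptedDataKey());
            return cipher.doFinal(env.ciphertext());     // throws AEADBadTagException if anything was altered
        } finally {
            Arrays.fill(plainKey, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumes AWS credentials in the default chain and a role allowed to use the alias below.
        try (KmsClient kms = KmsClient.create()) {
            EnvelopeCrypto crypto = new EnvelopeCrypto(kms, "alias/codewithvenu-key",
                    Map.of("app", "codewithvenu", "purpose", "document"));
            byte[] payload = "a large document that should not be sent to KMS".getBytes(UTF_8);
            Envelope env = crypto.encrypt(payload);
            System.out.println(Arrays.equals(payload, crypto.decrypt(env)));
        }
    }
}
```

Store all three parts of the Envelope next to the object (for example as a prefix of the S3 object or three columns of a row). Rotating the KMS key does not require re-encrypting anything: old wrapped keys still unwrap under the previous key material, and new objects get data keys wrapped under the new material.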
Encryption Flow
flowchart LR
APP[Spring Boot]
KMS[KMS Key]
DATA[Encrypt Data]
DB[(Database)]
APP --> KMS
KMS --> DATA
DATA --> DB
Step 1 Create KMS Key
AWS Console
↓
Key Management Service
↓
Create Key
Choose
Symmetric
Purpose
Encrypt and Decrypt
Step 2 Configure Key
Alias
alias/codewithvenu-key
Description
Encryption key for Spring Boot applications
Step 3 Assign IAM Permissions
Attach policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*"
    }
  ]
}
Production environments should scope Resource to the specific KMS key ARN rather than using "*".
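The scoped version of that policy, added here as an example rather than taken from the article: the key ARN and account ID are placeholders (AWS documentation-style example values), and the Sid and the encryption-context condition are my additions. The Resource must be the key ARN, not the alias ARN; IAM does not match alias ARNs for cryptographic operations. The condition only works if the application always passes that encryption context on Encrypt, Decrypt and GenerateDataKey, which is also what makes ciphertext from one application unusable by another role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UseOneKeyForThisApplicationOnly",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:app": "codewithvenu"
        }
      }
    }
  ]
}
```

A role with this policy can neither use any other key in the account nor decrypt ciphertext that was produced without the `app` context, and a denied call shows up in CloudTrail as an AccessDenied event against that key ARN.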
Step 4 Spring Boot Dependencies
<dependency>
    <groupId>software.amazon.awssdk</groupId>
    <artifactId>kms</artifactId>
</dependency>
The Spring Boot parent POM does not manage this artifact, so either declare a version here or import the software.amazon.awssdk:bom in dependencyManagement.
application.yml
aws:
  region: us-east-1
Configure KMS Client
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.kms.KmsClient;

@Configuration
public class KmsConfig {

    // Region comes from application.yml (aws.region); credentials from the default chain
    // (environment variables, a profile, or the IAM role attached to the instance, task or pod).
    @Bean
    public KmsClient kmsClient(@Value("${aws.region}") String region) {
        return KmsClient.builder()
                .region(Region.of(region))
                .credentialsProvider(DefaultCredentialsProvider.create())
                .build();
    }
}
Encrypt Data
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.model.EncryptRequest;
import software.amazon.awssdk.services.kms.model.EncryptResponse;

// keyId accepts a key ID, a key ARN, or an alias as used here
EncryptRequest request = EncryptRequest.builder()
        .keyId("alias/codewithvenu-key")
        .plaintext(SdkBytes.fromUtf8String("Sensitive Data"))
        .build();
EncryptResponse response = kmsClient.encrypt(request);
Encrypted result (the ciphertextBlob, shown Base64-encoded):
AQICAHg...
Decrypt Data
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.DecryptResponse;

// For a symmetric key, KMS reads the key ID from the ciphertext metadata, so keyId is optional here
DecryptRequest request = DecryptRequest.builder()
        .ciphertextBlob(response.ciphertextBlob())
        .build();
DecryptResponse decryptResponse = kmsClient.decrypt(request);
String value = decryptResponse.plaintext().asUtf8String();
Output
Sensitive Data
REST API Example
Encrypt
POST
/api/encrypt
Input
{
"text":"CodeWithVenu"
}
Output
{
"encrypted":"AQICAH..."
}
Decrypt
POST
/api/decrypt
Input
{
"encrypted":"AQICAH..."
}
Output
{
"text":"CodeWithVenu"
}
Spring Boot Encryption Flow
flowchart LR
USER[Client]
API[Spring Boot API]
KMS[AWS KMS]
DB[(Database)]
USER --> API
API --> KMS
API --> DB
Encrypt Database Columns
Example:
Before Save
SSN
↓
Encrypt
↓
Database
Read
Database
↓
Decrypt
↓
Response
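The "Before Save" and "Read" paths above as a JPA AttributeConverter, added as an example here rather than taken from the article. Because a single field is well under the 4 KB limit of the Encrypt API, it calls KMS directly instead of using a data key. The class, the Customer entity, the encryption context and the column length are my choices; the alias is the one from this article. It assumes Spring Boot with Hibernate, which registers Spring's bean container with the JPA provider so the converter can take the KmsClient through its constructor.

```java
import java.util.Base64;
import java.util.Map;
import jakarta.persistence.AttributeConverter;
import jakarta.persistence.Column;
import jakarta.persistence.Convert;
import jakarta.persistence.Converter;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.EncryptRequest;

/** Encrypts the column on write and decrypts on read; JPA applies it transparently to the mapped field. */
@Converter
public class SsnConverter implements AttributeConverter<String, String> {

    private static final String KEY_ID = "alias/codewithvenu-key";   // alias from this article's setup
    // Encryption context (my choice): the ciphertext is only decryptable with exactly these values.
    private static final Map<String, String> CONTEXT = Map.of("table", "customer", "column", "ssn");

    private final KmsClient kms;

    // Assumption: Spring Boot + Hibernate, so the converter is a Spring-managed bean and gets the client injected.
    public SsnConverter(KmsClient kms) {
        this.kms = kms;
    }

    @Override
    public String convertToDatabaseColumn(String ssn) {
        if (ssn == null) {
            return null;
        }
        byte[] blob = kms.encrypt(EncryptRequest.builder()
                .keyId(KEY_ID)
                .plaintext(SdkBytes.fromUtf8String(ssn))
                .encryptionContext(CONTEXT)             // ties the ciphertext to this table and column
                .build()).ciphertextBlob().asByteArray();
        return Base64.getEncoder().encodeToString(blob); // the "AQICAH..." string that lands in the row
    }

    @Override
    public String convertToEntityAttribute(String stored) {
        if (stored == null) {
            return null;
        }
        return kms.decrypt(DecryptRequest.builder()
                .ciphertextBlob(SdkBytes.fromByteArray(Base64.getDecoder().decode(stored)))
                .keyId(KEY_ID)
                .encryptionContext(CONTEXT)             // a blob copied in from another column fails here
                .build()).plaintext().asUtf8String();
    }
}

@Entity
class Customer {
    @Id
    @GeneratedValue
    private Long id;

    private String name;

    @Convert(converter = SsnConverter.class)
    @Column(name = "ssn", length = 1024)                 // KMS ciphertext is far longer than the value itself
    private String ssn;
    // getters and setters omitted
}
```

Two consequences to plan for: every read and write of the field is a KMS request (latency, cost and request quotas all scale with row volume, which is where a data-key cache or envelope encryption starts to pay off), and KMS ciphertext is non-deterministic, so a query of the form `WHERE ssn = ?` cannot work against this column.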
S3 Server-Side Encryption
KMS works with Amazon S3.
Upload File
↓
S3
↓
KMS Encryption
RDS Encryption
Aurora and RDS support encryption using KMS.
Benefits:
- Transparent encryption
- No application changes
- Backup encryption
- Snapshot encryption
EBS Encryption
EC2 volumes can use KMS.
Automatically encrypts:
- Volumes
- Snapshots
Secrets Manager Integration
Secrets Manager stores:
- Password
Encrypted using
↓
AWS KMS
CloudTrail Integration
Every KMS operation is logged.
Examples:
- Encrypt
- Decrypt
- Generate Data Key
- Key Rotation
Useful for auditing.
Key Rotation
Enable automatic rotation.
Every 365 Days
AWS rotates the key automatically while maintaining compatibility with encrypted data.
Multi-Region Keys
KMS supports Multi-Region Keys.
Useful for:
- Disaster Recovery
- Multi-region applications
- Global deployments
Monitoring
Monitor:
- Encrypt API calls
- Decrypt API calls
- Failed requests
- Access Denied
- Key usage
- CloudTrail events
Common Errors
AccessDeniedException
Cause:
IAM role lacks permission.
Fix:
Grant:
kms:Encrypt
kms:Decrypt
InvalidCiphertextException
Cause:
Wrong key.
Encrypted using different KMS key.
Disabled Key
Key is disabled.
Enable the KMS key.
Key Pending Deletion
Application cannot decrypt.
Restore or use another key.
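The errors listed above map onto specific exception classes in the AWS SDK v2, with one exception: AccessDenied is not a modelled class, so it must be matched by error code on the generic KmsException. The following wrapper is an added example (not code from the article); the Outcome enum and Result record are my names, and the caller is expected to decide what to do with each outcome rather than leak the plaintext or ciphertext into a log line.

```java
import java.util.Map;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.DisabledException;
import software.amazon.awssdk.services.kms.model.IncorrectKeyException;
import software.amazon.awssdk.services.kms.model.InvalidCiphertextException;
import software.amazon.awssdk.services.kms.model.KmsException;
import software.amazon.awssdk.services.kms.model.KmsInvalidStateException;
import software.amazon.awssdk.services.kms.model.NotFoundException;

/** Decrypts with KMS and turns the service's failure modes into outcomes the application can act on. */
public final class SafeDecrypt {

    public enum Outcome {
        OK, ACCESS_DENIED, WRONG_KEY, TAMPERED_OR_WRONG_CONTEXT,
        KEY_DISABLED, KEY_PENDING_DELETION, KEY_NOT_FOUND, RETRY_LATER, OTHER
    }

    /** plaintext is null for every outcome except OK. */
    public record Result(Outcome outcome, byte[] plaintext) {}

    public static Result decrypt(KmsClient kms, String keyId, byte[] ciphertext, Map<String, String> context) {
        try {
            SdkBytes plain = kms.decrypt(DecryptRequest.builder()
                    .ciphertextBlob(SdkBytes.fromByteArray(ciphertext))
                    .keyId(keyId)
                    .encryptionContext(context)
                    .build()).plaintext();
            return new Result(Outcome.OK, plain.asByteArray());
        } catch (IncorrectKeyException e) {
            // the blob was produced under a different KMS key than keyId ("wrong key" above)
            return new Result(Outcome.WRONG_KEY, null);
        } catch (InvalidCiphertextException e) {
            // blob altered or truncated, or the encryption context differs from the one used at encrypt time
            return new Result(Outcome.TAMPERED_OR_WRONG_CONTEXT, null);
        } catch (DisabledException e) {
            return new Result(Outcome.KEY_DISABLED, null);
        } catch (KmsInvalidStateException e) {
            // the key's state forbids the operation; pending deletion is the usual cause
            return new Result(Outcome.KEY_PENDING_DELETION, null);
        } catch (NotFoundException e) {
            return new Result(Outcome.KEY_NOT_FOUND, null);
        } catch (KmsException e) {
            // AccessDenied arrives as a generic KmsException carrying this error code
            String code = e.awsErrorDetails() == null ? "" : e.awsErrorDetails().errorCode();
            if ("AccessDeniedException".equals(code)) {
                return new Result(Outcome.ACCESS_DENIED, null);
            }
            if (e.isThrottlingException() || e.statusCode() >= 500) {
                return new Result(Outcome.RETRY_LATER, null);
            }
            return new Result(Outcome.OTHER, null);
        }
    }
}
```

Only RETRY_LATER is worth retrying; the others are configuration or data problems that a retry loop would merely turn into a burst of denied calls in CloudTrail. Log the outcome and the key ARN, never the ciphertext or the plaintext.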
Production Architecture
flowchart TD
USERS[Users]
ROUTE53[Route53]
ALB[Application Load Balancer]
APP1[Spring Boot AZ1]
APP2[Spring Boot AZ2]
IAM[IAM Role]
KMS[AWS KMS]
AURORA[(Aurora)]
S3[(Amazon S3)]
CW[CloudWatch]
USERS --> ROUTE53
ROUTE53 --> ALB
ALB --> APP1
ALB --> APP2
APP1 --> IAM
APP2 --> IAM
IAM --> KMS
APP1 --> AURORA
APP2 --> AURORA
APP1 --> S3
APP2 --> S3
APP1 --> CW
APP2 --> CW
Best Practices
- Use Customer Managed Keys for production
- Enable automatic key rotation
- Use IAM Roles instead of access keys
- Apply least privilege IAM policies
- Encrypt sensitive fields before storing
- Use HTTPS for all API communication
- Use KMS with Secrets Manager
- Enable CloudTrail auditing
- Use aliases instead of raw Key IDs
- Avoid logging decrypted values
- Monitor KMS usage with CloudWatch
- Use Multi-Region Keys for disaster recovery where appropriate
Developer Checklist
Before production deployment:
- KMS Key created
- Alias configured
- IAM Role attached
- Least privilege policy applied
- Key rotation enabled
- Spring Boot configured
- HTTPS enabled
- CloudTrail enabled
- Sensitive fields encrypted
- Secrets Manager integrated
Interview Questions
What is AWS KMS?
AWS Key Management Service is a managed service for creating, storing, managing, and using encryption keys.
What is the difference between AWS Managed Keys and Customer Managed Keys?
AWS Managed Keys are created and managed automatically by AWS.
Customer Managed Keys provide full control over permissions, rotation, aliases, and lifecycle.
What is Envelope Encryption?
Envelope Encryption uses a data key to encrypt application data while KMS protects the data key itself, improving performance for large datasets.
Why should Spring Boot use AWS KMS?
To securely encrypt sensitive application data without managing encryption keys manually.
What AWS services integrate with KMS?
- Amazon S3
- Amazon Aurora
- Amazon RDS
- Amazon EBS
- AWS Secrets Manager
- Amazon DynamoDB
- Amazon OpenSearch
- AWS Lambda
Does KMS store application data?
No.
KMS stores and manages encryption keys. Your application data remains in services such as S3, Aurora, or DynamoDB.
Summary
In this article, we explored AWS Key Management Service (KMS) integration with Spring Boot.
We covered:
- KMS fundamentals
- Encryption concepts
- Customer Managed Keys
- AWS Managed Keys
- Symmetric encryption
- Envelope encryption
- AWS SDK integration
- Encrypt and decrypt APIs
- Database encryption
- S3 and RDS encryption
- Key rotation
- Monitoring
- Production best practices
AWS KMS is a foundational security service for enterprise Spring Boot applications. When combined with IAM Roles, Secrets Manager, HTTPS, and encryption at rest, it provides a comprehensive strategy for protecting sensitive information throughout its lifecycle.