Every major cloud provider offers a key management service. They all store keys in HSMs, they all encrypt your data, and they all integrate with their respective ecosystems. But the differences matter — in pricing models, compliance certifications, multi-cloud support, and operational behavior.
This comparison covers the practical differences that affect your architecture decisions, not the marketing bullet points.
Architecture Overview
AWS KMS
- Model: Fully managed, multi-tenant HSM fleet (FIPS 140-2 Level 2 for standard keys)
- Dedicated option: AWS CloudHSM (single-tenant, FIPS 140-2 Level 3)
- Key types: Symmetric (AES-256), Asymmetric (RSA 2048-4096, ECC P-256/P-384/P-521)
- Integration: Native with 100+ AWS services (S3, EBS, RDS, Lambda, Secrets Manager, etc.)
- Multi-region: Multi-Region Keys (replicate key material across regions)
- External key store: Yes (XKS — use your own external HSM as backing store)
Azure Key Vault
- Model: Multi-tenant (Standard tier, FIPS 140-2 Level 1) or dedicated (Premium tier, FIPS 140-2 Level 2; Managed HSM, FIPS 140-2 Level 3)
- Key types: Symmetric (AES 128/192/256), Asymmetric (RSA 2048-4096, EC P-256/P-384/P-521)
- Integration: Native with Azure services + strong Microsoft 365/Entra ID integration
- Secrets management: Built-in (certificates, secrets, and keys in one service)
- BYOK: Supported (import your own key material)
- Managed HSM: Dedicated single-tenant HSM pool (FIPS 140-2 Level 3)
Google Cloud KMS
- Model: Multi-tenant (Software protection, FIPS 140-2 Level 1) or HSM-backed (FIPS 140-2 Level 3)
- Key types: Symmetric (AES-256), Asymmetric (RSA 2048-4096, EC P-256/P-384), MAC keys (HMAC-SHA256)
- Integration: Native with GCP services (GCS, BigQuery, Compute Engine, GKE)
- External key manager: Yes (EKM — keys stored in external HSM, GCP calls out for operations)
- Autokey: Automatic key creation and assignment for new resources (newest feature)
Feature Comparison
| Feature | AWS KMS | Azure Key Vault | Google Cloud KMS |
|---|---|---|---|
| FIPS Level (standard) | Level 2 | Level 1 (Standard) / Level 2 (Premium) | Level 1 (Software) / Level 3 (HSM) |
| FIPS Level (dedicated) | Level 3 (CloudHSM) | Level 3 (Managed HSM) | Level 3 (HSM protection) |
| Automatic key rotation | Annual (symmetric only) | Configurable interval | Configurable interval |
| Asymmetric key rotation | Manual (create new version) | Manual | Automatic (versioned) |
| BYOK | ✅ | ✅ | ✅ |
| External key store | ✅ (XKS) | ✅ (via Managed HSM) | ✅ (EKM) |
| Multi-region keys | ✅ (native) | ❌ (replicate manually) | ✅ (global keys) |
| Secrets management | Separate (Secrets Manager) | Built-in | Separate (Secret Manager) |
| Certificate management | Separate (ACM) | Built-in | Separate (Certificate Manager) |
| PKCS#11 support | CloudHSM only | Managed HSM only | ❌ |
| Key deletion protection | 7-30 day waiting period | Soft-delete + purge protection | Scheduled destruction (24h-120d) |
| Audit logging | CloudTrail | Azure Monitor / Diagnostic Logs | Cloud Audit Logs |
| Pricing model | Per-key + per-request | Per-key + per-operation | Per-key-version + per-operation |
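The audit-logging and deletion-protection rows are where a defender gets leverage: every KMS management call lands in the provider's audit log, and on AWS a `ScheduleKeyDeletion` only takes effect after the waiting period, during which `CancelKeyDeletion` reverses it. The Go program below is an added example, not code from the page or from AWS. It parses a constructed CloudTrail export (the `SampleCloudTrail` records, account id and ARNs are invented) and flags the KMS API calls that destroy keys, make them unusable, or change who can use them. The event names are the real KMS API names; the `watched` list and the severity scheme are this example's own choices.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SampleCloudTrail is a constructed CloudTrail log (not real data) with four
// records: a routine Decrypt, a ScheduleKeyDeletion with the shortest allowed
// window, a PutKeyPolicy, and an unrelated S3 call.
const SampleCloudTrail = `{"Records":[
 {"eventTime":"2024-05-01T10:00:00Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt",
  "userIdentity":{"arn":"arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"},
  "requestParameters":{"keyId":"alias/my-key"}},
 {"eventTime":"2024-05-01T10:05:00Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},
  "requestParameters":{"keyId":"alias/my-key","pendingWindowInDays":7}},
 {"eventTime":"2024-05-01T10:06:00Z","eventSource":"kms.amazonaws.com","eventName":"PutKeyPolicy",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},
  "requestParameters":{"keyId":"alias/my-key","policyName":"default"}},
 {"eventTime":"2024-05-01T10:07:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/bob"},
  "requestParameters":{"bucketName":"bucket","key":"file.txt"}}
]}`

// cloudTrailEvent holds only the CloudTrail fields this detector needs.
type cloudTrailEvent struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	UserIdentity struct {
		Arn string `json:"arn"`
	} `json:"userIdentity"`
	RequestParameters map[string]interface{} `json:"requestParameters"`
}

// Finding is one KMS management action that should page someone.
type Finding struct {
	Severity string
	Time     string
	Actor    string
	Event    string
	Detail   string
}

// watched maps KMS API names that destroy keys, make them unusable, or change
// who can use them to a baseline severity (this example's own choices).
var watched = map[string]string{
	"ScheduleKeyDeletion":       "high",
	"DisableKey":                "high",
	"DeleteImportedKeyMaterial": "high",
	"PutKeyPolicy":              "medium",
	"DisableKeyRotation":        "medium",
}

// DetectRiskyKMSEvents parses a CloudTrail export and returns findings in log
// order. ScheduleKeyDeletion is escalated to critical when the pending window
// is at the 7-day minimum, because that leaves the least time to run
// CancelKeyDeletion before the key (and everything encrypted under it) is gone.
func DetectRiskyKMSEvents(raw []byte) ([]Finding, error) {
	var trail struct {
		Records []cloudTrailEvent `json:"Records"`
	}
	if err := json.Unmarshal(raw, &trail); err != nil {
		return nil, fmt.Errorf("parse CloudTrail: %w", err)
	}
	var findings []Finding
	for _, ev := range trail.Records {
		if ev.EventSource != "kms.amazonaws.com" {
			continue
		}
		sev, ok := watched[ev.EventName]
		if !ok {
			continue
		}
		detail := fmt.Sprintf("keyId=%v", ev.RequestParameters["keyId"])
		if ev.EventName == "ScheduleKeyDeletion" {
			// JSON numbers decode as float64 through interface{}; the API
			// default when the caller omits the window is 30 days.
			days, present := ev.RequestParameters["pendingWindowInDays"].(float64)
			if !present {
				days = 30
			}
			detail += fmt.Sprintf(" pendingWindowInDays=%d (CancelKeyDeletion still possible)", int(days))
			if days <= 7 {
				sev = "critical"
			}
		}
		findings = append(findings, Finding{sev, ev.EventTime, ev.UserIdentity.Arn, ev.EventName, detail})
	}
	return findings, nil
}

func main() {
	findings, err := DetectRiskyKMSEvents([]byte(SampleCloudTrail))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("[%s] %s %s by %s: %s\n", f.Severity, f.Time, f.Event, f.Actor, f.Detail)
	}
}
```

The same shape works for Azure Diagnostic Logs and Cloud Audit Logs; only the field names and the list of watched operations change.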
Pricing Comparison
Scenario: 50 symmetric keys, 100,000 cryptographic operations/month
| Component | AWS KMS | Azure Key Vault (Standard) | Google Cloud KMS (Software) |
|---|---|---|---|
| Key storage | $50/mo (50 × $1) | $0 (no per-key charge) | $3/mo (50 × $0.06) |
| Operations | $3/mo (100K × $0.03/10K) | $0.30/mo (100K × $0.03/10K) | $0.30/mo (100K × $0.03/10K) |
| Monthly total | $53 | $0.30 | $3.30 |
Scenario: 10 HSM-backed asymmetric keys, 50,000 signing operations/month
| Component | AWS CloudHSM | Azure Managed HSM | Google Cloud HSM |
|---|---|---|---|
| Base cost | $1,168/mo (per HSM instance) | $3,287/mo (per HSM pool) | $60/mo (10 × $6/key) |
| Operations | Included | Included | $1.50/mo (50K × $0.03/10K) |
| Monthly total | $1,168 | $3,287 | $61.50 |
Key insight: For standard (software-backed) keys, Azure and GCP are dramatically cheaper than AWS. For dedicated HSM, Google Cloud HSM is cheapest (per-key pricing vs per-instance). AWS CloudHSM and Azure Managed HSM charge for the HSM instance regardless of how many keys you store.
Integration Depth
AWS KMS — Deepest AWS Integration
```bash
# S3 server-side encryption (automatic, no code changes)
aws s3 cp file.txt s3://bucket/ --sse aws:kms --sse-kms-key-id alias/my-key
# EBS volume encryption (transparent to the EC2 instance; the CLI also requires an AZ and a size)
aws ec2 create-volume --availability-zone us-east-1a --size 100 \
  --encrypted --kms-key-id alias/my-key
# RDS encryption (set at database creation; it cannot be switched on for an existing instance)
aws rds create-db-instance --db-instance-identifier mydb --engine postgres \
  --db-instance-class db.t3.micro --allocated-storage 20 \
  --master-username dbadmin --manage-master-user-password \
  --storage-encrypted --kms-key-id alias/my-key
# Lambda environment variable encryption (automatic)
# Secrets Manager encryption (automatic)
# SQS message encryption (automatic)
# 100+ services support KMS natively
```
Azure Key Vault — Unified Secrets + Keys + Certs
```bash
# Store a secret
az keyvault secret set --vault-name myvault --name db-password --value "s3cr3t"
# Store a certificate (Key Vault manages the full lifecycle)
az keyvault certificate create --vault-name myvault --name my-cert \
  --policy @cert-policy.json
# Encrypt with a key
az keyvault key encrypt --vault-name myvault --name my-key \
  --algorithm RSA-OAEP --value "$(base64 < data.bin)"
# Disk encryption (Azure Disk Encryption uses Key Vault)
# SQL TDE (uses Key Vault for the TDE protector)
# App Service (references Key Vault secrets directly)
```
Google Cloud KMS — Tight GCP + Autokey
```bash
# Encrypt data
gcloud kms encrypt --location=global --keyring=my-ring --key=my-key \
  --plaintext-file=data.txt --ciphertext-file=data.enc
# GCS encryption (CMEK - Customer Managed Encryption Key)
gsutil -o "GSUtil:encryption_key=projects/p/locations/l/keyRings/r/cryptoKeys/k" \
  cp file.txt gs://bucket/
# BigQuery encryption (per-table CMEK)
bq mk --table --destination_kms_key=projects/p/locations/l/keyRings/r/cryptoKeys/k \
  dataset.table schema.json
# Autokey (newest): automatically creates and assigns keys to new resources
# No manual key creation needed — GCP handles it based on folder-level policy
```
Multi-Cloud Key Management
None of the cloud KMS services work across providers natively. Your options:
Option 1: Separate Keys Per Cloud (Simplest)
```text
AWS workloads   → AWS KMS
Azure workloads → Azure Key Vault
GCP workloads   → Google Cloud KMS
```
Pros: Simplest, deepest integration, lowest latency. Cons: No unified key inventory, separate audit logs, separate policies.
Option 2: External Key Store (Keep Control)
```text
Your HSM (on-prem or third-party)
        ↕ API calls
AWS XKS / Azure Managed HSM / GCP EKM
        ↕ transparent to applications
Cloud services use keys normally
```
The cloud provider calls your external HSM for every cryptographic operation. You maintain physical control of key material.
Pros: Keys never in cloud provider’s infrastructure. Single source of truth. Cons: Latency (every operation requires external call). Availability dependency on your HSM.
Option 3: Third-Party KMS (Unified Control Plane)
```text
Fortanix SDKMS / Thales CipherTrust / HashiCorp Vault
        ↕ manages keys across
AWS + Azure + GCP + On-premises
```
Pros: Single policy engine, single audit log, single inventory. Cons: Additional vendor, additional cost, additional complexity.
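Whichever option you pick, the application-side pattern that keeps the choice reversible is envelope encryption: the app asks a KMS for a data key, encrypts locally with it, and stores the wrapped data key next to the ciphertext. The Go program below is an added example, not code from the page or from any vendor. It puts the KMS behind a small `KeyWrapper` interface and tags each envelope with the provider that wrapped its key, so a decryptor can route the unwrap to the right KMS. The `localKMS` type is an offline stand-in (a KEK held in memory) for what would be AWS KMS `GenerateDataKey`/`Decrypt`, Azure Key Vault `wrapKey`/`unwrapKey` or Cloud KMS `Encrypt`/`Decrypt` calls; the envelope byte layout is this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyWrapper is the whole surface the application sees of a KMS: it issues a
// data key (plaintext plus wrapped form) and unwraps one later. The KEK that
// does the wrapping never leaves the provider.
type KeyWrapper interface {
	Provider() string
	GenerateDataKey() (plaintext, wrapped []byte, err error)
	Unwrap(wrapped []byte) ([]byte, error)
}

// localKMS stands in for a cloud KMS so the example runs offline (assumption
// of this example): a 256-bit KEK in memory, wrapping DEKs with AES-256-GCM.
type localKMS struct {
	name string
	kek  cipher.AEAD
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func newLocalKMS(name string) (*localKMS, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	aead, err := newAEAD(raw)
	if err != nil {
		return nil, err
	}
	return &localKMS{name: name, kek: aead}, nil
}

func (k *localKMS) Provider() string { return k.name }

func (k *localKMS) GenerateDataKey() ([]byte, []byte, error) {
	dek := make([]byte, 32)
	nonce := make([]byte, k.kek.NonceSize())
	if _, err := rand.Read(dek); err != nil {
		return nil, nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	// wrapped = nonce || GCM(KEK, nonce, dek, aad = provider name)
	return dek, k.kek.Seal(nonce, nonce, dek, []byte(k.name)), nil
}

func (k *localKMS) Unwrap(wrapped []byte) ([]byte, error) {
	ns := k.kek.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("wrapped key too short")
	}
	return k.kek.Open(nil, wrapped[:ns], wrapped[ns:], []byte(k.name))
}

// Envelope layout (this example's own):
//   u8 len(provider) | provider | u16 len(wrapped) | wrapped | nonce | AES-256-GCM ciphertext
// The provider name is also bound in as GCM associated data, so retagging an
// envelope to route it through a different KMS fails authentication.
func Encrypt(w KeyWrapper, plaintext []byte) ([]byte, error) {
	dek, wrapped, err := w.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	p := w.Provider()
	var buf bytes.Buffer
	buf.WriteByte(byte(len(p)))
	buf.WriteString(p)
	binary.Write(&buf, binary.BigEndian, uint16(len(wrapped)))
	buf.Write(wrapped)
	buf.Write(nonce)
	buf.Write(aead.Seal(nil, nonce, plaintext, []byte(p)))
	return buf.Bytes(), nil
}

// Decrypt reads the provider tag, unwraps the DEK with the matching KMS, and
// opens the payload. A registry holding one provider is a strict Option 1
// deployment; a registry holding all of them is what lets data move between
// clouds without re-encrypting everything at once.
func Decrypt(registry map[string]KeyWrapper, env []byte) ([]byte, error) {
	if len(env) < 1 || len(env) < 1+int(env[0])+2 {
		return nil, errors.New("truncated envelope header")
	}
	pl := int(env[0])
	provider := string(env[1 : 1+pl])
	rest := env[1+pl:]
	wl := int(binary.BigEndian.Uint16(rest[:2]))
	rest = rest[2:]
	if len(rest) < wl {
		return nil, errors.New("truncated wrapped key")
	}
	wrapped, payload := rest[:wl], rest[wl:]
	w, ok := registry[provider]
	if !ok {
		return nil, fmt.Errorf("no KMS registered for provider %q", provider)
	}
	dek, err := w.Unwrap(wrapped)
	if err != nil {
		return nil, fmt.Errorf("unwrap via %s: %w", provider, err)
	}
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(payload) < ns {
		return nil, errors.New("truncated payload")
	}
	return aead.Open(nil, payload[:ns], payload[ns:], []byte(provider))
}
```

Note what the application never touches: the KEK. Swapping `localKMS` for a real SDK-backed wrapper changes nothing in `Encrypt`/`Decrypt`, and because the wrapped DEK is a provider-specific opaque blob, the non-exportability of the KEK (see the FAQ) is exactly what makes the provider tag necessary.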
Compliance Considerations
| Requirement | AWS KMS | Azure Key Vault | Google Cloud KMS |
|---|---|---|---|
| FedRAMP High | ✅ (GovCloud) | ✅ (Government) | ✅ (Assured Workloads) |
| PCI DSS | ✅ | ✅ | ✅ |
| HIPAA | ✅ (BAA available) | ✅ (BAA available) | ✅ (BAA available) |
| SOC 2 | ✅ | ✅ | ✅ |
| FIPS 140-2 Level 3 | CloudHSM only | Managed HSM only | HSM protection level |
| Data residency | Per-region keys | Per-region keys | Per-region keys |
| Key non-exportability | ✅ (all keys) | ✅ (HSM keys) | ✅ (all keys) |
| Separation of duties | IAM policies | RBAC + access policies | IAM + org policies |
Decision Framework
Choose AWS KMS if:
- You’re primarily on AWS
- You need the deepest native integration (100+ services)
- Multi-region key replication is important
- You want CloudHSM for FIPS Level 3 with PKCS#11
Choose Azure Key Vault if:
- You’re primarily on Azure
- You want secrets + keys + certificates in one service
- You need Microsoft 365 / Entra ID integration
- You want the cheapest option for standard keys ($0 per key)
Choose Google Cloud KMS if:
- You’re primarily on GCP
- You want HSM-backed keys at the lowest cost ($6/key/month vs $1,168/month for CloudHSM)
- You want Autokey (automatic key management for new resources)
- You need EKM (external key manager) for hold-your-own-key scenarios
Choose a third-party solution if:
- You’re multi-cloud and need unified management
- You need PKCS#11 across all environments
- You want to avoid vendor lock-in on key material
- Compliance requires you to demonstrate key control independent of cloud provider
FAQ
Q: Can I move keys between cloud providers?
A: No. Keys generated in any cloud KMS are non-exportable. You can import the same key material into multiple providers (BYOK), but once generated inside a cloud KMS, it stays there. Plan your key strategy before generating keys.
Q: Which is most secure?
A: At the HSM tier (CloudHSM, Managed HSM, Cloud HSM), all three provide FIPS 140-2 Level 3 with non-extractable keys. Security differences are minimal. The real security differentiator is your IAM configuration, not the KMS itself.
Q: Do I need a dedicated HSM, or is standard KMS sufficient?
A: Standard KMS (multi-tenant, Level 1-2) is sufficient for application encryption, secrets wrapping, and general data protection. Dedicated HSM (Level 3) is required for CA signing keys, payment processing, government/classified workloads, and whenever compliance mandates Level 3.
Q: What about HashiCorp Vault vs cloud KMS?
A: Different tools. Cloud KMS: managed, zero-ops, deep cloud integration, non-exportable keys. Vault: self-managed, portable, supports dynamic secrets and PKI, keys can be stored in software or backed by cloud KMS/HSM. Many organizations use both: Vault for secrets management and dynamic credentials, cloud KMS for encryption key storage.