# Access a KMS-Encrypted Secret

Your Apono connector can read AWS secrets encrypted with Key Management Service (KMS). KMS-encrypted secrets offer several benefits:

* Enhance security with strong encryption
* Easily manage access to secrets using Identity and Access Management (IAM) and KMS key policies
* Record who has accessed your secrets, and when, with KMS' built-in auditing
* Meet regulatory and compliance requirements by leveraging KMS encryption for sensitive data

{% hint style="info" %}
For more information on KMS encryption, see [Amazon’s documentation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html).
{% endhint %}

***

### Prerequisite

<table><thead><tr><th width="213">Item</th><th>Description</th></tr></thead><tbody><tr><td><strong>AWS secret</strong></td><td>Credential information used for authentication and authorization within AWS services<br><br><a href="https://docs.apono.io/docs/creating-secrets-in-aws-secret-store">Create an AWS secret</a>.</td></tr></tbody></table>

***

### Access a KMS-encrypted secret

<figure><img src="https://1094436629-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fv6MBfUGvblSdAz31yJXm%2Fuploads%2Fgit-blob-b363ba876782f63b72278c9518d9189f9761fd99%2FEncrypt-KMS-secret-1.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

Follow these steps to enable your Apono connector to read a KMS-encrypted secret:

1. From the KMS main navigation, click **Customer managed keys**. A table appears with all self-managed keys.
2. Select the key that encrypts an Apono-connected secret. The key configuration page appears.
3. Under the **Tags** tab, click **Add tag**. A key-value editor appears.
4. Add the following tag to your KMS encryption key:

   <table><thead><tr><th width="243">Key</th><th>Value</th></tr></thead><tbody><tr><td><em>apono-connector-access</em></td><td><em>true</em></td></tr></tbody></table>
5. Click **Save**.

Your Apono connector can now read your KMS-encrypted AWS secret.
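
The same tagging step from the AWS CLI, as an added example that is not part of Apono's documentation or tooling. It assumes AWS CLI v2 and credentials allowed to call `kms:DescribeKey`, `kms:TagResource` and `kms:ListResourceTags` on the key; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: CLI equivalent of the console steps above (not Apono's own tooling).
# Assumption: AWS CLI v2 is installed and the caller may use kms:DescribeKey,
# kms:TagResource and kms:ListResourceTags on the key. Function names are hypothetical.

APONO_TAG_KEY="apono-connector-access"
APONO_TAG_VALUE="true"

# Succeeds only if the key is customer managed (step 1 lists customer managed keys).
is_customer_managed() {
  local manager
  manager=$(aws kms describe-key --key-id "$1" \
    --query 'KeyMetadata.KeyManager' --output text) || return 2
  [ "$manager" = "CUSTOMER" ]
}

# Prints the current value of the Apono tag on the key ("None" if the tag is absent).
apono_tag_value() {
  aws kms list-resource-tags --key-id "$1" \
    --query "Tags[?TagKey=='${APONO_TAG_KEY}'].TagValue | [0]" --output text
}

# Tags the key (steps 3-5), then reads the tag back to confirm it was applied.
enable_apono_access() {
  local key_id="$1"
  if ! is_customer_managed "$key_id"; then
    echo "refusing: $key_id is not a customer managed key" >&2
    return 1
  fi
  aws kms tag-resource --key-id "$key_id" \
    --tags "TagKey=${APONO_TAG_KEY},TagValue=${APONO_TAG_VALUE}" || return 1
  [ "$(apono_tag_value "$key_id")" = "$APONO_TAG_VALUE" ]
}

# Usage: enable_apono_access <key-id-or-arn>
```

Because this tag is what lets the connector read the secret, limit who holds `kms:TagResource` on your keys.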
