KMS
Operations
- Create and manage customer master keys (CMKs)
- Enable/disable CMKs
- Schedule CMKs for deletion
- Configure key policies and grants

Key material (KM)
- AWS managed (default): the key material is rotated automatically every 3 years (cannot be changed).
- Customer managed, AWS-generated KM: rotated automatically every year.
- Customer managed, customer-generated KM: rotated manually; it is up to the customer when to rotate.
- Key rotation is accomplished by updating the backing key material. Old material is retained for decryption.
- For external key material, a wrapping algorithm is chosen which will be used to encrypt the KM for import.

Key types
- Symmetric: a single key for both encrypt and decrypt operations. Default, and best practice.
- Asymmetric: a public/private key pair for encrypt and decrypt operations.

Key deletion
- Waiting period of between 7 and 30 days before the key is deleted.

Envelope encryption
- CMKs created this way have a size limitation of 4 KB only, i.e. they can directly encrypt at most 4 KB of data.
- Master keys are used to generate data ...
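As an added illustration (not from these notes, and not AWS's own code), a small Go simulation of the points above: a CMK whose backing key material is rotated while old versions are retained for decryption, a 4 KB limit on direct encryption, and envelope encryption in which the CMK wraps only the data key. AES-256-GCM stands in for the KMS internals, and the leading version byte is an assumption of this simulation, not AWS's ciphertext format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Simulated CMK (not AWS's code): Rotate appends backing key material; old versions are retained.
type CMK struct{ versions [][]byte }
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
// AES-256-GCM, 12-byte nonce prepended; every key here is 32 bytes, so setup cannot fail.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key, pt []byte) []byte { n := randBytes(12); return gcm(key).Seal(n, n, pt, nil) }
func open(key, ct []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], nil)
}
func (k *CMK) Rotate() { k.versions = append(k.versions, randBytes(32)) }
// Encrypt mirrors kms:Encrypt: 4 KB limit, output tagged with the version used (assumed format).
func (k *CMK) Encrypt(pt []byte) ([]byte, error) {
	if len(pt) > 4096 {
		return nil, errors.New("plaintext over 4 KB: use envelope encryption")
	}
	v := len(k.versions) - 1 // newest version always encrypts
	return append([]byte{byte(v)}, seal(k.versions[v], pt)...), nil
}
// Decrypt selects whichever retained version the ciphertext was made with.
func (k *CMK) Decrypt(ct []byte) ([]byte, error) {
	if len(ct) == 0 || int(ct[0]) >= len(k.versions) {
		return nil, errors.New("unknown key version")
	}
	return open(k.versions[ct[0]], ct[1:])
}
// Envelope encryption (kms:GenerateDataKey + local AES-GCM): the CMK wraps only the 32-byte data key.
func EnvelopeEncrypt(k *CMK, payload []byte) (wrappedKey, ct []byte, err error) {
	dataKey := randBytes(32)
	if wrappedKey, err = k.Encrypt(dataKey); err != nil {
		return nil, nil, err
	}
	return wrappedKey, seal(dataKey, payload), nil
}
func EnvelopeDecrypt(k *CMK, wrappedKey, ct []byte) ([]byte, error) {
	dataKey, err := k.Decrypt(wrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, ct)
}
```

A payload over 4 KB is rejected by Encrypt but goes through EnvelopeEncrypt, and a ciphertext wrapped before a Rotate still decrypts afterwards because the old version is kept.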