KMS CMK Key Types

Customer managed CMKs

  • Customer managed CMKs are CMKs in your AWS account that you create, own, and manage.

  • You have full control over these CMKs, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, etc.

  • You can use your customer managed CMKs in cryptographic operations and audit their use in AWS CloudTrail logs.

AWS managed CMKs

  • AWS managed CMKs are CMKs in your account that are created, managed, and used on your behalf by an AWS service that is integrated with KMS.

  • Some AWS services support only an AWS managed CMK. Others use an AWS owned CMK or offer you a choice of CMKs.

  • You can view the AWS managed CMKs in your account, view their key policies, and audit their use in CloudTrail logs.

  • You cannot manage these CMKs, rotate them, or change their key policies.

  • You cannot use AWS managed CMKs in cryptographic operations directly; the service that creates them uses them on your behalf.

AWS owned CMKs

  • AWS owned CMKs are a collection of CMKs that an AWS service owns and manages for use in multiple AWS accounts.

  • Although AWS owned CMKs are not in your AWS account, an AWS service can use its AWS owned CMKs to protect the resources in your account.

  • You do not need to create or manage the AWS owned CMKs.

  • The key rotation strategy for an AWS owned CMK is determined by the AWS service that creates and manages the CMK.
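The distinction between the three types is operational as much as conceptual: only customer managed CMKs have a key policy, rotation setting and lifecycle state that you are responsible for, AWS managed CMKs are visible but not yours to change, and AWS owned CMKs never appear in your account at all. The following is an added example (not AWS's code and not part of the original page) that sorts the keys an account can list into these types and flags the items a key owner should review. The response field names (KeyManager, KeyState, KeySpec, KeyRotationEnabled, Policy) are the real ones returned by DescribeKey, GetKeyRotationStatus and GetKeyPolicy; the sample records are constructed, and the boto3 fetch helper is an assumption about how you would gather the same data from a live account.

```python
"""Classify KMS keys into the page's types and flag owner-managed items.

Added example, not AWS code. Field names follow the DescribeKey,
GetKeyRotationStatus and GetKeyPolicy responses; SAMPLE_KEYS is constructed.
"""
import json
from typing import Iterable, List, Optional, Tuple


def classify_key(meta: dict, rotation_enabled: Optional[bool]) -> Tuple[str, List[str]]:
    """Map one KeyMetadata dict onto a key type and return (type, findings).

    Only customer managed keys produce findings: their state, rotation and
    policy are yours to manage. AWS managed keys are reported but not flagged,
    because the owning service controls their rotation and policy. AWS owned
    keys are not in the account and never show up in ListKeys output.
    """
    findings: List[str] = []
    manager = meta.get("KeyManager")
    if manager == "CUSTOMER":
        category = "customer managed CMK"
        if meta.get("KeyState") == "PendingDeletion":
            findings.append("scheduled for deletion")
        # Automatic rotation exists only for symmetric encryption keys, so
        # asymmetric (RSA_*/ECC_*) and HMAC keys are not flagged for rotation.
        if meta.get("KeySpec", "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT":
            if rotation_enabled is False:
                findings.append("automatic rotation disabled")
            elif rotation_enabled is None:
                findings.append("rotation status unreadable")
    elif manager == "AWS":
        category = "AWS managed CMK"
    else:
        category = "unknown"
        findings.append(f"unexpected KeyManager value {manager!r}")
    return category, findings


def policy_findings(policy_document: str) -> List[str]:
    """Flag Allow statements in a key policy that name any principal ('*')
    and carry no Condition; such a statement opens the key beyond the account."""
    findings: List[str] = []
    statements = json.loads(policy_document).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if wildcard and "Condition" not in stmt:
            sid = stmt.get("Sid", "<no Sid>")
            findings.append(f"statement {sid} allows any principal without a condition")
    return findings


def inventory(records: Iterable[dict]) -> dict:
    """Build {KeyId: {"type": ..., "findings": [...]}} from records that hold
    KeyMetadata, KeyRotationEnabled and Policy (live or constructed)."""
    report = {}
    for rec in records:
        meta = rec["KeyMetadata"]
        category, findings = classify_key(meta, rec.get("KeyRotationEnabled"))
        if meta.get("KeyManager") == "CUSTOMER" and rec.get("Policy"):
            findings += policy_findings(rec["Policy"])
        report[meta["KeyId"]] = {"type": category, "findings": findings}
    return report


def fetch_records(kms_client) -> List[dict]:
    """Assumed helper: collect the same records from a boto3 KMS client.
    Needs kms:ListKeys, DescribeKey, GetKeyRotationStatus and GetKeyPolicy."""
    records = []
    for page in kms_client.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            key_id = key["KeyId"]
            rec = {"KeyMetadata": kms_client.describe_key(KeyId=key_id)["KeyMetadata"]}
            try:
                rec["KeyRotationEnabled"] = kms_client.get_key_rotation_status(
                    KeyId=key_id)["KeyRotationEnabled"]
            except Exception:  # access denied or unsupported for this key; reported as unreadable
                rec["KeyRotationEnabled"] = None
            try:
                rec["Policy"] = kms_client.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"]
            except Exception:
                rec["Policy"] = None
            records.append(rec)
    return records


# Constructed policies and records; 111122223333 is a placeholder account id.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowEveryone", "Effect": "Allow",
                   "Principal": {"AWS": "*"}, "Action": "kms:*", "Resource": "*"}],
})
ROOT_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "kms:*", "Resource": "*"}],
})
SAMPLE_KEYS = [
    {"KeyMetadata": {"KeyId": "key-customer-1", "KeyManager": "CUSTOMER",
                     "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT"},
     "KeyRotationEnabled": False, "Policy": WILDCARD_POLICY},
    {"KeyMetadata": {"KeyId": "key-customer-2", "KeyManager": "CUSTOMER",
                     "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT"},
     "KeyRotationEnabled": True, "Policy": ROOT_ONLY_POLICY},
    {"KeyMetadata": {"KeyId": "key-aws-ebs", "KeyManager": "AWS", "KeyState": "Enabled",
                     "KeySpec": "SYMMETRIC_DEFAULT", "Description": "aws/ebs"},
     "KeyRotationEnabled": True, "Policy": None},
]

if __name__ == "__main__":
    for key_id, row in inventory(SAMPLE_KEYS).items():
        print(key_id, row["type"], "; ".join(row["findings"]) or "ok")
```

Run against a real account by passing `fetch_records(boto3.client("kms"))` to `inventory`; the AWS managed entries will show the `aws/<service>` description and no findings, which matches the page's point that those keys are visible and auditable but not yours to rotate or re-policy.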
