AWS KMS: CMK vs AWS Managed Keys

AWS KMS Key Comparison

Customer Managed Keys (CMK) vs. AWS Managed Keys

The Ingredients of a Key

AWS Managed Keys

  • Created automatically by AWS services (S3, EBS, RDS).
  • Identified by an alias of the form aws/service-name.
  • Free of charge (monthly fee waived).
  • Rotation: Automatically every 1,095 days (3 years).

Customer Managed Keys

  • Created, owned, and managed by you.
  • Full control over Key Policies and IAM roles.
  • Cost: $1/month per key + API usage.
  • Rotation: Optional, every 365 days (configurable).

Management Lifecycle Process

How control levels vary across the lifecycle

  • Creation: AWS managed keys offer limited visibility; customer managed keys give you full control.
  • Policies: AWS managed keys use AWS-defined policies; customer managed keys use custom policies.
  • Rotation: AWS managed keys rotate automatically every 3 years; customer managed keys use scheduled rotation.
  • Deletion: scheduled deletion is available for customer managed keys only.

Visibility

AWS Managed Keys are visible in the KMS console, but their configuration cannot be modified. CMKs give you full auditability.

Permissions

You cannot change the key policy of an AWS managed key. CMKs allow granular IAM and Key Policy combos.

Use Case

Use AWS Managed for simplicity. Use CMKs for compliance, cross-account access, and custom rotation.

Deletion

AWS Managed keys cannot be deleted. CMKs can be scheduled for deletion, with a 7- to 30-day waiting period.
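As an added example (not code from the original guide), the following Python applies the distinctions above to an inventory of KMS keys: it classifies each key by the KeyManager field and the aws/ alias prefix, then flags customer managed keys with rotation disabled or with a pending deletion. The field names KeyManager, KeyState, DeletionDate and KeyRotationEnabled match the real DescribeKey / GetKeyRotationStatus responses; the key records themselves are constructed sample data, and the Aliases list is a simplified merge of what ListAliases would return separately.

```python
"""Audit a KMS key inventory against the AWS-managed vs customer-managed distinctions."""
from datetime import datetime, timezone

# Constructed sample records shaped like KeyMetadata + rotation status (not live account data).
SAMPLE_KEYS = [
    {"KeyId": "1111-aws-s3", "KeyManager": "AWS", "KeyState": "Enabled",
     "Aliases": ["aws/s3"], "KeyRotationEnabled": True},
    {"KeyId": "2222-cmk-prod", "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "Aliases": ["alias/prod-db"], "KeyRotationEnabled": False},
    {"KeyId": "3333-cmk-old", "KeyManager": "CUSTOMER", "KeyState": "PendingDeletion",
     "Aliases": ["alias/legacy"], "KeyRotationEnabled": True,
     "DeletionDate": "2030-01-15T00:00:00+00:00"},
]


def classify(key):
    """AWS-managed keys report KeyManager == 'AWS' and carry an aws/<service> alias."""
    aws_alias = any(a.startswith("aws/") for a in key.get("Aliases", []))
    return "aws-managed" if key["KeyManager"] == "AWS" or aws_alias else "customer-managed"


def findings(key, now_iso=None):
    """Checks that only apply to CMKs: rotation is optional and deletion is scheduled
    with a waiting period, so both are configuration the owner must review."""
    out = []
    if classify(key) == "aws-managed":
        return out  # rotation and lifecycle are handled by AWS; nothing to configure
    if not key.get("KeyRotationEnabled", False):
        out.append("rotation-disabled")
    if key["KeyState"] == "PendingDeletion":
        now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
        days_left = (datetime.fromisoformat(key["DeletionDate"]) - now).days
        out.append(f"pending-deletion:{days_left}d")  # days left to cancel the deletion
    return out


def audit(keys, now_iso=None):
    """Map each KeyId to its classification and list of findings."""
    return {k["KeyId"]: {"type": classify(k), "findings": findings(k, now_iso)} for k in keys}


if __name__ == "__main__":
    for key_id, result in audit(SAMPLE_KEYS).items():
        print(key_id, result)
```

A `pending-deletion` finding is the signal to confirm the key is truly unused, since data encrypted under it becomes unrecoverable once the waiting period ends.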

© Educational Visualization | AWS Security Best Practices | KMS Mastery Guide
