What

KMS stands for AWS Key Management Service. It creates and stores keys and performs cryptographic operations (encrypt, decrypt, sign, generate data keys) on the caller's behalf; the key material of a KMS key never leaves the service in plaintext, so callers send data to KMS or request data keys rather than receiving the key itself.

Some Info

  1. Every API call made with a key (Encrypt, Decrypt, GenerateDataKey, PutKeyPolicy, ScheduleKeyDeletion, ...) is logged in CloudTrail, so key use and key management can be audited.
  2. Charged per API call (beyond the free tier) plus a monthly management fee for each customer managed key.
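The CloudTrail point above is only useful if something reads the logs. The following is an added example, not code from the original notes: detection logic run over a few constructed CloudTrail records in the shape KMS emits (eventSource, eventName, userIdentity, resources, errorCode). The account IDs, ARNs and key ids are placeholders, and the set of event names treated as sensitive is this example's own choice.

```python
"""Detection logic over KMS CloudTrail events.

Added example, not from the original notes. The sample records are
constructed to follow the CloudTrail record shape KMS emits; account IDs,
ARNs and key ids are placeholders. Which eventNames count as sensitive is
this example's choice.
"""
import json

OWNER_ACCOUNT = "111111111111"   # constructed: account that owns the keys

# Management actions that change who can use a key or whether it keeps existing.
SENSITIVE_EVENTS = {"PutKeyPolicy", "ScheduleKeyDeletion", "DisableKey",
                    "DisableKeyRotation", "DeleteImportedKeyMaterial", "CreateGrant"}

# Constructed sample log: one JSON record per line, as in a CloudTrail export.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "eventTime": "2024-05-01T12:00:00Z",
     "userIdentity": {"type": "AssumedRole", "accountId": "222222222222",
                      "arn": "arn:aws:sts::222222222222:assumed-role/app-role/session1"},
     "resources": [{"accountId": OWNER_ACCOUNT,
                    "ARN": f"arn:aws:kms:us-east-1:{OWNER_ACCOUNT}:key/aaaa-1111"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "eventTime": "2024-05-01T12:05:00Z",
     "userIdentity": {"type": "IAMUser", "accountId": OWNER_ACCOUNT,
                      "arn": f"arn:aws:iam::{OWNER_ACCOUNT}:user/alice"},
     "resources": [{"accountId": OWNER_ACCOUNT,
                    "ARN": f"arn:aws:kms:us-east-1:{OWNER_ACCOUNT}:key/aaaa-1111"}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "eventTime": "2024-05-01T12:06:00Z", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accountId": OWNER_ACCOUNT,
                      "arn": f"arn:aws:iam::{OWNER_ACCOUNT}:user/bob"},
     "resources": [{"accountId": OWNER_ACCOUNT,
                    "ARN": f"arn:aws:kms:us-east-1:{OWNER_ACCOUNT}:key/aaaa-1111"}]},
    # A non-KMS record that the scanner must ignore.
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "eventTime": "2024-05-01T12:07:00Z",
     "userIdentity": {"type": "IAMUser", "accountId": OWNER_ACCOUNT,
                      "arn": f"arn:aws:iam::{OWNER_ACCOUNT}:user/bob"}},
])


def classify(event):
    """Return the reasons this KMS event deserves attention (empty list = routine)."""
    reasons = []
    if event.get("eventSource") != "kms.amazonaws.com":
        return reasons
    caller = event.get("userIdentity", {})
    key_accounts = {r.get("accountId") for r in event.get("resources", [])}
    if event.get("eventName") in SENSITIVE_EVENTS:
        reasons.append("sensitive management action")
    # The key's owning account comes from the resources block, the caller's
    # account from userIdentity; a mismatch is a cross-account use of the key.
    if key_accounts and caller.get("accountId") not in key_accounts:
        reasons.append("cross-account use of key")
    if event.get("errorCode") == "AccessDenied":
        reasons.append("access denied")
    return reasons


def scan(log_text):
    """Parse newline-delimited CloudTrail records; return (eventName, caller arn, reason) alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for reason in classify(ev):
            alerts.append((ev["eventName"], ev.get("userIdentity", {}).get("arn"), reason))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Cross-account Decrypt is not necessarily wrong (that is what the key policy section below is for), but it is the event a key owner most wants to see listed, together with management actions and denied attempts against the key.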

Key Type

  1. Manager
    1. AWS managed keys -> created and managed by AWS on behalf of a service (alias aws/<service>); no monthly fee, API calls still billed
    2. Customer managed keys -> created and managed by you; $1 per month
    3. Customer managed keys with imported key material -> you generate the key material outside AWS and import it; $1 per month
  2. Encryption type
    1. Symmetric (AES-256) -> one key for both encrypt and decrypt; the default
    2. Asymmetric (RSA/ECC) -> public/private key pair; RSA keys are either encrypt/decrypt or sign/verify, ECC keys are sign/verify

Key Policy

  1. The key policy is the resource-based policy attached to every KMS key and the primary control over who can use or manage it.
  2. A principal in another account can use the key only when the key policy allows that principal AND an IAM policy in the principal's own account allows the same actions on the key. This is why the key policy is the piece to get right in cross-account architectures.
  3. Keep the owning account's root principal in the policy; a key whose policy grants nobody the right to change it cannot be recovered by an IAM policy in the owning account.
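As an added example (not code from the original notes), the following builds the two policies a cross-account setup needs, lints the key policy for the mistakes a reviewer looks for (lockout, public principal, management actions handed to a foreign account), and shows with a deliberately simplified evaluator that a cross-account call needs both policies. The account IDs, role name and key ARN are constructed placeholders; the evaluator handles Allow statements only (no Deny, no Condition, no account-root delegation) and is not a substitute for IAM's real evaluation.

```python
"""Cross-account KMS key policy: build it, lint it, and check both halves.

Added example, not from the original notes. The account IDs, role name and
key ARN are constructed placeholders. The policy evaluator is deliberately
simplified (Allow statements only; no Deny, no Condition, no account-root
delegation) and exists to show why cross-account use needs BOTH the key
policy and an IAM policy in the caller's account, not to replace IAM.
"""
import json
from fnmatch import fnmatchcase

OWNER_ACCOUNT = "111111111111"    # constructed: account that owns the key
CALLER_ACCOUNT = "222222222222"   # constructed: account that uses the key
CALLER_ROLE_ARN = f"arn:aws:iam::{CALLER_ACCOUNT}:role/app-role"
KEY_ARN = f"arn:aws:kms:us-east-1:{OWNER_ACCOUNT}:key/11111111-2222-3333-4444-555555555555"

# Data-plane actions a consumer needs; deliberately no management actions.
CRYPTO_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                  "kms:GenerateDataKey*", "kms:DescribeKey"]
# Actions that should stay with the owning account.
ADMIN_ACTIONS = ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey"]


def build_key_policy(owner_account, caller_principal):
    """Resource policy on the key: owner root stays admin, caller may only use it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableIAMUserPermissions",   # without this the key can be locked out
         "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowUseFromCallerAccount",
         "Effect": "Allow", "Principal": {"AWS": caller_principal},
         "Action": CRYPTO_ACTIONS, "Resource": "*"},
    ]}


def build_caller_iam_policy(key_arn):
    """Identity policy in the caller's account, scoped to the one key ARN."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": CRYPTO_ACTIONS, "Resource": key_arn}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principals(statement):
    p = statement.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS", []))


def _account_of(principal):
    # "arn:aws:iam::111111111111:root" -> "111111111111"; bare account ids pass through
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def _allows(statement, principal, action, resource):
    """Simplified check: does this Allow statement cover the request? (principal=None skips the principal test)"""
    if statement.get("Effect") != "Allow":
        return False
    if principal is not None:
        principals = _principals(statement)
        if principal not in principals and "*" not in principals:
            return False
    actions = _as_list(statement.get("Action", []))
    if not any(fnmatchcase(action.lower(), a.lower()) for a in actions):
        return False
    return any(fnmatchcase(resource, r) for r in _as_list(statement.get("Resource", [])))


def cross_account_allowed(key_policy, caller_iam_policy, caller_arn, action, key_arn):
    """A cross-account call succeeds only if the key policy AND the caller's IAM policy allow it."""
    key_ok = any(_allows(s, caller_arn, action, key_arn) for s in key_policy["Statement"])
    iam_ok = any(_allows(s, None, action, key_arn) for s in caller_iam_policy["Statement"])
    return key_ok and iam_ok


def lint_key_policy(policy, owner_account):
    """Findings to raise before PutKeyPolicy: lockout, public principal, foreign admin."""
    findings = []
    root = f"arn:aws:iam::{owner_account}:root"
    if not any(_allows(s, root, "kms:PutKeyPolicy", "*") for s in policy["Statement"]):
        findings.append("lockout risk: owner account root cannot PutKeyPolicy")
    for s in policy["Statement"]:
        sid = s.get("Sid", "<no Sid>")
        principals = _principals(s)
        if s.get("Effect") == "Allow" and "*" in principals and "Condition" not in s:
            findings.append(f"{sid}: Principal * without Condition makes the key public")
        for p in principals:
            if p == "*" or _account_of(p) == owner_account:
                continue
            for adm in ADMIN_ACTIONS:
                if _allows(s, p, adm, "*"):
                    findings.append(f"{sid}: foreign principal {p} granted {adm}")
    return findings


if __name__ == "__main__":
    kp = build_key_policy(OWNER_ACCOUNT, CALLER_ROLE_ARN)
    print(json.dumps(kp, indent=2))
    print("findings:", lint_key_policy(kp, OWNER_ACCOUNT))
    print("caller can Decrypt:", cross_account_allowed(
        kp, build_caller_iam_policy(KEY_ARN), CALLER_ROLE_ARN, "kms:Decrypt", KEY_ARN))
```

The caller's IAM policy is scoped to the single key ARN rather than `*`; a `kms:Decrypt` on `*` in the caller account would also cover any other key whose policy happens to trust that role.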

Auto Rotation

  1. AWS managed keys: automatic rotation is always on and cannot be turned off; the key material is rotated every year.
  2. Customer managed symmetric keys: automatic rotation is off by default and has to be enabled per key; the interval is 1 year by default.
  3. Keys with imported key material and keys in a CloudHSM custom key store cannot be rotated automatically, because KMS does not generate their material. Asymmetric keys cannot be rotated automatically either. Rotate these manually by creating a new key and repointing the alias.
  4. Rotation adds new backing key material but keeps the old material, so ciphertext produced before the rotation still decrypts; existing ciphertext is not re-encrypted.
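The rules above decide, per key, whether anything has to be done. As an added example (not code from the original notes), the following classifies a constructed key inventory whose records mirror the fields DescribeKey (KeyManager, Origin, KeySpec, KeyState) and GetKeyRotationStatus (KeyRotationEnabled) return; in a real audit those records come from the API, and the finding labels are this example's own.

```python
"""Audit which KMS keys can and should be auto-rotated.

Added example, not from the original notes. The key records are constructed
to mirror the fields DescribeKey (KeyManager, Origin, KeySpec, KeyState) and
GetKeyRotationStatus (KeyRotationEnabled) return; in a real audit they would
be filled from those API calls. The finding labels are this example's own.
"""

# Constructed sample inventory (placeholder key ids, not real keys).
SAMPLE_KEYS = [
    {"KeyId": "k-aws-s3", "KeyManager": "AWS", "Origin": "AWS_KMS",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyRotationEnabled": True},
    {"KeyId": "k-cmk-db", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyRotationEnabled": False},
    {"KeyId": "k-cmk-logs", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyRotationEnabled": True},
    {"KeyId": "k-import", "KeyManager": "CUSTOMER", "Origin": "EXTERNAL",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyRotationEnabled": False},
    {"KeyId": "k-hsm", "KeyManager": "CUSTOMER", "Origin": "AWS_CLOUDHSM",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "KeyRotationEnabled": False},
    {"KeyId": "k-sign", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
     "KeySpec": "RSA_2048", "KeyState": "Enabled", "KeyRotationEnabled": False},
    {"KeyId": "k-old", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "PendingDeletion", "KeyRotationEnabled": False},
]


def rotation_finding(key):
    """Classify one key by who can rotate it and whether action is needed.

    Order matters: AWS managed keys are always rotated by AWS; only enabled,
    KMS-generated, symmetric customer managed keys are eligible for automatic
    rotation, so everything else falls into the manual bucket.
    """
    if key["KeyManager"] == "AWS":
        return "ok: AWS managed, rotated by AWS every year"
    if key["KeyState"] != "Enabled":
        return f"skip: key state {key['KeyState']}"
    if key["Origin"] in ("EXTERNAL", "AWS_CLOUDHSM"):
        return "manual: imported/CloudHSM material, auto rotation unsupported; rotate via new key + alias"
    if key["KeySpec"] != "SYMMETRIC_DEFAULT":
        return "manual: not a symmetric encryption key, auto rotation unsupported; rotate via new key + alias"
    if not key["KeyRotationEnabled"]:
        return "enable: customer managed symmetric key with rotation off"
    return "ok: auto rotation enabled"


def audit(keys):
    """Return (key id -> finding, count per finding class)."""
    findings = {k["KeyId"]: rotation_finding(k) for k in keys}
    summary = {}
    for f in findings.values():
        cls = f.split(":")[0]
        summary[cls] = summary.get(cls, 0) + 1
    return findings, summary


if __name__ == "__main__":
    per_key, counts = audit(SAMPLE_KEYS)
    for key_id, finding in per_key.items():
        print(f"{key_id:12} {finding}")
    print(counts)
```

The "manual" bucket is the one that silently ages: nothing in KMS will rotate those keys, so the audit output is the only reminder that they need a new key and an alias update.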