AWS KMS is essential if you want to encrypt your data at rest within your AWS environment. It is a managed service that allows you to create, store, rotate, and delete encryption keys to enable you to protect your sensitive data on AWS. It tightly integrates with a number of AWS services, such as RDS, S3, EBS, CloudTrail, and many more, offering a seamless and secure method of implementing encryption while utilizing a centralized key management repository.
KMS is a regional service, so you must be aware of this when architecting your encryption throughout your environment. You are unable to use a KMS key from one region in another region; for example, if you used a key in us-east-1, you would not be able to use that same key in eu-west-2.
As you can imagine, controlling access to KMS must be tightly monitored and, in fact, even AWS administrators are unable to access your keys within your KMS environment. Therefore, you need to be extremely...