In an early demonstration when we created a new customer-managed CMK, there was an option at step 1 of configuring your key to select the key material origin under the advanced options. In the demonstration, I selected KMS, in order to use the key material generated by KMS:
However, to import your own key material into a new customer-managed CMK, you can select External for the Key material origin option:
When doing so, you must also select the checkbox to confirm that you understand the security, availability, and durability implications of using an imported key.
After repeating the same steps from the earlier demonstration, you will then be asked to download the public key and import a token for your CMK. This is required in order to perform two functions:
- Firstly, the public key is used to encrypt your own key material before uploading it to KMS.
- Next, KMS will then decrypt it using the private key associated with that same public key. ...