Much like AWS-owned CMKs, AWS-managed CMKs are created and controlled by AWS. Unlike AWS-owned CMKs, however, they are visible within your own account: you can view the keys that are being used to encrypt your data from within the AWS Management Console, audit and track their usage through CloudTrail, and view their key policies. Because they are managed by AWS, you cannot edit those key policies and you cannot control their rotation frequency; AWS rotates them automatically on a schedule it sets.
These keys are used by AWS services that integrate directly with KMS. Each one is created by the service itself the first time you add or configure encryption with that service in a given region, since, as you will recall, KMS is a regional service, so the same service has a separate AWS-managed CMK in every region where you have enabled encryption. These keys can only be used by that service on your behalf: their key policies restrict cryptographic operations to requests that arrive via the service (a kms:ViaService condition), so you cannot call Encrypt or Decrypt on them from your own applications or integrate them into your own cryptographic operations.
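To make the preceding points concrete, here is an added example (not part of the original course material) that triages a key offline from captured `aws kms describe-key`, `aws kms get-key-policy` and CloudTrail output: it reads the `KeyManager` field that distinguishes an AWS-managed CMK from a customer-managed one, extracts the services the key policy permits through `kms:ViaService`, checks whether any statement would allow direct cryptographic use, and pulls the events that touched the key out of a CloudTrail export. All sample data is constructed: the account id, key id, bucket name, caller ARNs and event times are made up, and the function names (`triage`, `usage_events`, and so on) are this example's own, not an AWS API.

```python
"""Offline triage of a KMS key from captured API and CloudTrail output.

Added example; not from the original course material. Every value below is
constructed, but the JSON shapes follow what `aws kms describe-key`,
`aws kms get-key-policy` and CloudTrail actually return.
"""
import json

# Constructed: `aws kms describe-key --key-id alias/aws/s3` for an AWS-managed CMK.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
DESCRIBE_KEY = {"KeyMetadata": {
    "AWSAccountId": "111122223333",
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "Arn": KEY_ARN,
    "KeyState": "Enabled",
    "KeyManager": "AWS",  # "CUSTOMER" for a CMK you created yourself
    "Description": "Default key that protects my S3 objects when no other key is defined",
}}

# Constructed: the `Policy` document from `aws kms get-key-policy`, in the shape
# AWS uses for its service keys: crypto operations only when called via S3.
KEY_POLICY = json.loads("""{
  "Version": "2012-10-17", "Id": "auto-s3-2",
  "Statement": [
    {"Sid": "Allow access through S3 for all principals in the account that are authorized to use S3",
     "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*",
     "Condition": {"StringEquals": {"kms:CallerAccount": "111122223333",
                                    "kms:ViaService": "s3.us-east-1.amazonaws.com"}}},
    {"Sid": "Allow direct access to key metadata to the account",
     "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["kms:Describe*", "kms:Get*", "kms:List*", "kms:RevokeGrant"], "Resource": "*"}
  ]}""")

# Constructed CloudTrail records: an S3-driven GenerateDataKey on our key, an
# unrelated KMS call with no key resource, and a Decrypt against another key.
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/aaaabbbb-aaaa-bbbb-cccc-000011112222"
CLOUDTRAIL = [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"keySpec": "AES_256",
                           "encryptionContext": {"aws:s3:arn": "arn:aws:s3:::my-bucket/report.pdf"}},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventTime": "2024-03-01T10:00:05Z", "eventSource": "kms.amazonaws.com", "eventName": "ListAliases",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": None, "resources": []},
    {"eventTime": "2024-03-01T10:01:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
     "requestParameters": {"encryptionContext": {"app": "billing"}},
     "resources": [{"type": "AWS::KMS::Key", "ARN": OTHER_KEY_ARN}]},
]

CRYPTO_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def key_manager(describe_output):
    """'AWS' for an AWS-managed CMK, 'CUSTOMER' for a customer-managed one."""
    return describe_output["KeyMetadata"]["KeyManager"]


def _grants_crypto(statement):
    """Does this Allow statement cover Encrypt/Decrypt/ReEncrypt*/GenerateDataKey* (or kms:*)?"""
    if statement.get("Effect") != "Allow":
        return False
    return any(a == "kms:*" or a.rstrip("*").startswith(CRYPTO_ACTIONS)
               for a in _as_list(statement.get("Action", [])))


def via_services(policy):
    """Service endpoints through which the key policy allows cryptographic use."""
    services = set()
    for st in policy["Statement"]:
        if _grants_crypto(st):
            cond = st.get("Condition", {}).get("StringEquals", {})
            services.update(_as_list(cond.get("kms:ViaService", [])))
    return services


def allows_direct_crypto_use(policy):
    """True if an Allow statement grants crypto actions with no kms:ViaService condition.
    Heuristic over the key policy alone: ignores IAM policies, grants and Deny statements."""
    for st in policy["Statement"]:
        if _grants_crypto(st) and not any("kms:ViaService" in c for c in st.get("Condition", {}).values()):
            return True
    return False


def usage_events(records, key_arn):
    """KMS CloudTrail events that touched key_arn; for SSE-KMS calls the S3 object
    is recovered from the aws:s3:arn entry S3 puts in the encryption context."""
    out = []
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com":
            continue
        if not any(res.get("ARN") == key_arn for res in r.get("resources") or []):
            continue
        ctx = (r.get("requestParameters") or {}).get("encryptionContext") or {}
        out.append({"time": r["eventTime"], "event": r["eventName"],
                    "caller": r["userIdentity"]["arn"], "s3_object": ctx.get("aws:s3:arn")})
    return out


def triage(describe_output, policy, records):
    """Summarise who manages the key, who may use it, and what has used it."""
    arn = describe_output["KeyMetadata"]["Arn"]
    return {"key_arn": arn, "manager": key_manager(describe_output),
            "via_services": sorted(via_services(policy)),
            "direct_crypto_use": allows_direct_crypto_use(policy),
            "events": usage_events(records, arn)}


if __name__ == "__main__":
    print(json.dumps(triage(DESCRIBE_KEY, KEY_POLICY, CLOUDTRAIL), indent=2))
```

Against the constructed input the summary reports `manager: AWS`, a single permitted service `s3.us-east-1.amazonaws.com`, `direct_crypto_use: false`, and one `GenerateDataKey` event tied to `my-bucket/report.pdf`. Run the same functions over a customer-managed CMK's policy and you will typically see `direct_crypto_use: true`, which is exactly the difference the text describes: your own CMKs can be called directly, an AWS-managed CMK only through its service.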
Here are examples of AWS-managed CMKs:
- The first time you select object encryption using Amazon S3's server-side encryption using KMS-managed keys (SSE-KMS), you can either select a customer-managed CMK, or there will be an AWS-managed CMK identified by aws/s3 in...