AWS KMS – Key Types and Costs

1. AWS Owned Keys (Free)

  • Default keys used transparently by AWS services such as SSE-S3, SSE-SQS, and SSE-DynamoDB.
  • Not visible in your account and not manageable by you.

2. AWS Managed Keys (Free)

  • Automatically created and managed by AWS for specific services.
  • Appear in your account with predefined aliases such as aws/rds and aws/ebs.
  • Limited customization; AWS handles rotation and policy management.

3. Customer Managed Keys (CMKs) – $1/month per key

  • Created, owned, and fully managed by you in AWS KMS.
  • Support custom key policies, grants, and manual or automatic rotation.
  • Used when you need fine-grained control over encryption.

4. Imported Customer Keys – $1/month per key

  • Key material generated outside AWS and imported into KMS.
  • Same features as customer-managed keys.
  • Required in compliance-driven environments where key origin must be outside AWS.