
AWS KMS Key Management: Customer Managed vs AWS Managed Keys, Key Policy Writing

Learn the differences between KMS key types (Customer Managed, AWS Managed, AWS Owned), how to write key policies, and their relationship with IAM policies.

PHILOLAMB · Updated: January 31, 2026
Tags: KMS, Customer Managed Keys, AWS Managed Keys, Key Policy, Encryption

Related Exam Domains

  • Domain 1: Design Secure Architectures

Key Takeaway: KMS Key Type Selection

In most cases, AWS Managed Keys are sufficient. Choose Customer Managed Keys if you need key policy modification, key rotation control, or cross-account access.

Comparison at a Glance

Comparison            | Customer Managed Key | AWS Managed Key    | AWS Owned Key
Key Policy Control    | Full control         | Read-only          | No access
Key Rotation Control  | Optional             | Automatic (1 year) | AWS managed
CloudTrail Audit      | Yes                  | Yes                | No
Cross-Account Sharing | Yes                  | No                 | No
Monthly Cost          | $1/key               | Free               | Free
API Request Cost      | Yes                  | Yes                | No

Exam Tip

Exam Essential: "Key policy modification" or "cross-account access" → Customer Managed Key required. "Minimum cost" → AWS Managed Key or AWS Owned Key.

Understanding KMS Key Types

AWS KMS provides three types of keys.

┌─────────────────────────────────────────────────────────────┐
│                      AWS KMS Key Types                      │
├─────────────────┬─────────────────┬─────────────────────────┤
│ Customer Managed│ AWS Managed Key │      AWS Owned Key      │
│     Key (CMK)   │  (aws/service)  │                         │
├─────────────────┼─────────────────┼─────────────────────────┤
│ • User created  │ • AWS service   │ • AWS internal use      │
│ • Full control  │   auto-creates  │ • Not in customer acct  │
│ • $1/key/month  │ • Read-only     │ • Free                  │
│ • Flexible rot. │ • Auto rotation │ • Transparent encrypt   │
└─────────────────┴─────────────────┴─────────────────────────┘

Customer Managed Keys

KMS keys that you create, own, and manage yourself.

User
   │
   ├── Create key (CreateKey)
   │
   ├── Write/modify key policy
   │
   ├── Enable/disable
   │
   ├── Configure key rotation
   │
   ├── Manage tags/aliases
   │
   └── Schedule deletion (7-30 day wait)

Feature       | Description
Identifier    | DescribeKey returns KeyManager = CUSTOMER
Control Level | Full control over key policy, IAM policy, grants
Rotation      | Manual or automatic (1 year), selectable
Cost          | $1/key/month + API request cost
CloudTrail    | All usage auditable

When Suitable:

  • Need to modify key policies directly
  • Need cross-account access
  • Need to control key rotation period
  • Specific compliance requirements

AWS Managed Keys

KMS keys that AWS services automatically create and manage.

AWS Service (S3, EBS, RDS, etc.)
   │
   └── aws/<service-name> key auto-created
       │
       ├── alias/aws/s3
       ├── alias/aws/ebs
       ├── alias/aws/rds
       └── ...

Feature       | Description
Identifier    | alias/aws/<service> format (e.g., alias/aws/s3)
Control Level | Read-only, cannot modify/delete
Rotation      | Automatic annually (~365 days)
Cost          | No monthly fee, API request cost only
CloudTrail    | All usage auditable

When Suitable:

  • Want to avoid key management overhead
  • Only need basic encryption
  • Want to minimize cost

Exam Tip

Note: Since 2021, new AWS services use AWS Owned Keys by default instead of AWS Managed Keys. Existing services (S3, EBS, etc.) still use AWS Managed Keys.

AWS Owned Keys

Keys that AWS internally owns and manages.

Feature       | Description
Location      | Does not exist in customer account
Control Level | Customer cannot manage
Visibility    | Cannot see key policy or CloudTrail logs
Cost          | Completely free

When Suitable:

  • Convenience is top priority
  • Want to completely eliminate cost
  • Don't need audit logs

Key Policy

What is a Key Policy?

A key policy is a resource policy for a KMS key, and is required for all KMS keys.

┌─────────────────────────────────────────────────────────────┐
│                   KMS Key Access Control                    │
│                                                             │
│   ┌─────────────────┐                                       │
│   │   Key Policy    │ ◀── Required! Mandatory for all keys  │
│   └────────┬────────┘                                       │
│            │                                                │
│            ▼                                                │
│   ┌─────────────────┐    ┌─────────────────┐                │
│   │   IAM Policy    │    │     Grants      │                │
│   └─────────────────┘    └─────────────────┘                │
│         ▲                        ▲                          │
│         │                        │                          │
│         └────────────┬───────────┘                          │
│                      │                                      │
│            Must be enabled in key policy to work            │
└─────────────────────────────────────────────────────────────┘

Key Policy vs IAM Policy

Comparison | Key Policy     | IAM Policy
Required   | Yes            | Optional
Scope      | Regional       | Global
Target     | Single KMS key | Multiple KMS keys
Priority   | Higher         | Dependent on key policy

Exam Tip

Must Know for Exam: If not explicitly allowed in key policy, IAM policy cannot grant KMS key access either! IAM policy only works when key policy enables its use.

Default Key Policy

Keys created in the AWS KMS console automatically include a default key policy.

{
  "Version": "2012-10-17",
  "Id": "key-default-1",
  "Statement": [
    {
      "Sid": "Enable IAM policies",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}

What this policy means:

  1. The account's root principal gets all KMS permissions on the key
  2. IAM policy usage is enabled: because the account root is allowed, IAM policies in that account can delegate KMS permissions to users and roles

Key Policy Examples

Grant Encrypt/Decrypt to Specific User

{
  "Sid": "Allow encryption and decryption",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::111122223333:user/ExampleUser"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "*"
}

Allow Cross-Account Access

{
  "Sid": "Allow cross-account access",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::444455556666:root"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

Allow AWS Service Usage

{
  "Sid": "Allow S3 service",
  "Effect": "Allow",
  "Principal": {
    "Service": "s3.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey*",
    "kms:Decrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:CallerAccount": "111122223333"
    }
  }
}
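The three key policy patterns above (the default "Enable IAM policies" statement, a cross-account grant, and a service principal scoped with kms:CallerAccount) are exactly what a reviewer wants to spot quickly. The Python below is an added example, not part of the original article: it reports whether the IAM-enabling root statement is present, which other accounts are granted access, and which service-principal statements lack the kms:CallerAccount condition. The sample policy is constructed from the page's own examples (account IDs 111122223333 and 444455556666); the function and field names are my own.

```python
import json

# Constructed sample: the page's default "Enable IAM policies" statement plus its
# cross-account and S3 service-principal examples, combined into one key policy.
SAMPLE_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Id": "key-default-1", "Statement": [
    {"Sid": "Enable IAM policies", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow cross-account access", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    {"Sid": "Allow S3 service", "Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
     "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*",
     "Condition": {"StringEquals": {"kms:CallerAccount": "111122223333"}}},
]})

def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def audit_key_policy(policy_json, owner_account):
    """Report whether IAM policies are enabled, which other accounts are granted
    access, and which service principals lack a kms:CallerAccount condition."""
    findings = {"iam_enabled": False, "external_accounts": [], "unscoped_services": []}
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant access
        principal = stmt.get("Principal", {})
        if principal == "*":  # anonymous principal, same meaning as {"AWS": "*"}
            principal = {"AWS": "*"}
        actions = _as_list(stmt.get("Action", []))
        for arn in _as_list(principal.get("AWS", [])):
            parts = arn.split(":")  # arn:aws:iam::<account>:root -> account is field 4
            acct = parts[4] if len(parts) > 4 else arn  # bare account ID or "*"
            if acct == owner_account and arn in (acct, f"arn:aws:iam::{acct}:root") and "kms:*" in actions:
                findings["iam_enabled"] = True  # the root statement that delegates to IAM policies
            elif acct != owner_account:
                findings["external_accounts"].append(acct)  # cross-account (or anonymous) grant
        # Without kms:CallerAccount, a service principal statement is not limited to
        # requests the service makes on behalf of this account.
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        for svc in _as_list(principal.get("Service", [])):
            if "kms:CallerAccount" not in conditions:
                findings["unscoped_services"].append(svc)
    return findings

if __name__ == "__main__":
    print(audit_key_policy(SAMPLE_KEY_POLICY, "111122223333"))
```

Run against a policy that lacks the root statement, the report shows iam_enabled as False, which is the situation the exam tip below describes: no IAM policy in the account can then grant access to that key.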

Key Rotation

Automatic Key Rotation

You can enable automatic key rotation for Customer Managed Keys.

Before enabling:
┌─────────────────┐
│   KMS Key ARN   │───▶ HBK-1 (original backing key)
└─────────────────┘

After 1 year (auto rotation):
┌─────────────────┐     ┌─────────────────────────────┐
│   KMS Key ARN   │───▶ │ HBK-2 (new) - for encryption│
│   (same ARN)    │     │ HBK-1 (old) - decrypt only  │
└─────────────────┘     └─────────────────────────────┘

Key Type                      | Auto Rotation
Customer Managed (symmetric)  | Optional (default disabled)
Customer Managed (asymmetric) | Not supported
AWS Managed Key               | Automatic (1-year cycle)
AWS Owned Key                 | Varies by AWS service

Benefits of Key Rotation

✅ Key ARN, key ID, alias unchanged
✅ No application code changes needed
✅ Data encrypted with previous keys still decryptable
✅ Rotation history viewable in CloudTrail

Manual Key Rotation

Manual rotation involves creating a new KMS key and changing the alias to point to the new key.

Before manual rotation:
alias/my-app-key ───▶ key-1234abcd (old key)

After manual rotation:
alias/my-app-key ───▶ key-5678efgh (new key)
key-1234abcd (old key retained - for decrypting existing data)

When Manual Rotation is Needed:

  • Asymmetric KMS keys
  • HMAC KMS keys
  • Rotation period other than 1 year

Using KMS Keys in IAM Policies

IAM Policy Writing Rules

When specifying KMS keys in IAM policies, use the key ARN.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}

Important:

  • Key ID, alias name, and alias ARN cannot be used in IAM policies
  • The key ARN must be used

Actions Requiring Wildcard Resource

Some KMS actions do not operate on a specific KMS key, so they require "Resource": "*":

{
  "Effect": "Allow",
  "Action": [
    "kms:CreateKey",
    "kms:ListKeys",
    "kms:ListAliases",
    "kms:CreateAlias"
  ],
  "Resource": "*"
}
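The two rules above (key ARN only, and "*" only for actions that do not address a specific key) are easy to check mechanically before a policy is deployed. The Python below is an added example, not part of the original article: the key ARN regex and the WILDCARD_ONLY_ACTIONS set are my assumptions (the set holds the account-level actions this page lists), and the sample policy is constructed from the page's key ARN and alias name.

```python
import json
import re

# A KMS key ARN: arn:<partition>:kms:<region>:<account>:key/<key-id>
KEY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

# Account-level actions from the page that are not tied to one key and so
# legitimately take "Resource": "*". Extend as needed for your environment.
WILDCARD_ONLY_ACTIONS = {"kms:CreateKey", "kms:ListKeys", "kms:ListAliases"}

# Constructed sample: one correct statement, one account-level statement, three mistakes.
SAMPLE_IAM_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "GoodKeyArn", "Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt"],
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"Sid": "KeyIdOnly", "Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"Sid": "AliasArn", "Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:us-east-1:111122223333:alias/my-app-key"},
    {"Sid": "AccountLevel", "Effect": "Allow", "Action": ["kms:CreateKey", "kms:ListKeys"],
     "Resource": "*"},
    {"Sid": "OverlyBroad", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
]})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_kms_resources(policy_json):
    """Return (Sid, resource, problem) tuples for KMS statements whose Resource
    is not a key ARN, or uses "*" for actions that address a specific key."""
    problems = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        kms_actions = [a for a in _as_list(stmt.get("Action", [])) if a.lower().startswith("kms:")]
        if stmt.get("Effect") != "Allow" or not kms_actions:
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                if not all(a in WILDCARD_ONLY_ACTIONS for a in kms_actions):
                    problems.append((sid, res, "wildcard resource for key-specific action"))
            elif ":alias/" in res:
                problems.append((sid, res, "alias ARN is not accepted; use the key ARN"))
            elif not KEY_ARN_RE.match(res):
                problems.append((sid, res, "not a key ARN (bare key ID or alias name?)"))
    return problems

if __name__ == "__main__":
    for finding in check_kms_resources(SAMPLE_IAM_POLICY):
        print(*finding, sep=" | ")
```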

Cost Optimization

KMS Cost Structure

Item             | Customer Managed Key  | AWS Managed Key
Monthly Key Fee  | $1/key                | Free
API Request Cost | $0.03/10,000 requests | $0.03/10,000 requests

Cost Reduction Methods

  1. Use AWS Managed Keys

    • If key policy modification not needed, use AWS Managed Keys
    • Saves monthly key fee
  2. Delete Unnecessary Keys

    • Schedule deletion of unused Customer Managed Keys
    • Deleted after 7-30 day wait period
  3. Enable S3 Bucket Keys

    • When using SSE-KMS with S3, bucket keys reduce KMS API calls (and therefore request cost) by up to 99%

SAA-C03 Exam Focus Points

Common Question Types

  1. When Key Policy Modification is Needed

    • Answer: Customer Managed Key
    • AWS Managed Keys cannot modify key policy
  2. Cross-Account KMS Key Sharing

    • Answer: Customer Managed Key + add other account to key policy
    • AWS Managed Keys cannot be shared cross-account
  3. Relationship Between IAM Policy and Key Policy

    • Answer: Key policy must enable IAM policy usage
    • Key policy takes priority, IAM policy is dependent
  4. Encryption at Minimum Cost

    • Answer: AWS Managed Key or AWS Owned Key
    • Customer Managed Keys cost $1/key/month

Exam Tip

Sample Exam Question: "A company encrypts S3 bucket data and needs to allow access from another AWS account. What type of KMS key should be used?"

→ Answer: Customer Managed Key (cross-account access only possible with Customer Managed Keys)

Key Memorization Points

Keyword                      | Association
Key policy modification      | Customer Managed Key
Cross-account                | Customer Managed Key
Auto rotation (1 year)       | AWS Managed Key
CloudTrail audit             | Customer Managed / AWS Managed
Monthly cost                 | Customer Managed Key only ($1/key)
IAM policy key specification | Key ARN only
Key policy priority          | Key policy > IAM policy

FAQ

Q1: Should I choose Customer Managed Key or AWS Managed Key?

A: In most cases, AWS Managed Keys are sufficient. Choose Customer Managed Keys only when:

  • You need to modify key policies directly
  • You need to share keys with other AWS accounts
  • You need to control key rotation period

Q2: Can I access KMS keys with just an IAM policy?

A: No, the key policy must first enable IAM policy usage. Default key policies include this setting, but check if you've modified the key policy.

Q3: What happens to previous data after key rotation?

A: Previous backing keys (HBK) are retained so previous data remains decryptable. Key ARN and key ID don't change, so no application modification needed.

Q4: Can I delete AWS Managed Keys?

A: No, AWS Managed Keys cannot be deleted. Only Customer Managed Keys can be scheduled for deletion (deleted after 7-30 day wait period).

Q5: How can I reduce KMS key usage costs?

A:

  1. Use AWS Managed Keys (no monthly key fee)
  2. Enable bucket keys in S3 (up to 99% API call reduction)
  3. Delete unnecessary Customer Managed Keys

Summary

The key to AWS KMS key management is selecting the right key type for your requirements:

  1. Basic encryption, minimum cost: AWS Managed Key or AWS Owned Key
  2. Key control, cross-account: Customer Managed Key
  3. Audit needed: Customer Managed Key or AWS Managed Key

The SAA-C03 exam frequently tests the relationship between the key policy and IAM policies, and the differences between key types. When "key policy modification needed" or "cross-account access" appears, choose Customer Managed Key.