In the training video you state that you cannot import your own keys into KMS, in the KMS FAQ (https://aws.amazon.com/kms/faqs/) it states that you can import your own keys into KMS (I not trying to trip you up) just wondering which is correct?
2 Answers
I think there is a vocabulary issue here actually.
KMS allows you to import "key material" into a CMK, thus allowing you to generate the actual encryption keys by whatever means you want, with the level of randomness that you want, etc…
My understanding of Ryan’s comment in the video is that you can’t just take any old existing key in a standard format and import it into KMS (whereas this is possible with CloudHSM).
Based on the commands that are run locally (the openssl parts,) it looks like what you are creating in the first openssl step is just 256 bits (32 bytes) of randomness. Basically the seed that AWS uses to create the actual key. The second openssl step is encrypting the seed (using their public key,) before uploading.