Certified Security - Specialty

Sign Up Free or Log In to participate!

Is KMS-generated key material (internal) considered customer or aws managed

If an "aws/s3 is an example of a KMS-AWS managed key, and an imported key is an example of a KMS-Customer managed key, which category would include KMS generated key material (internal)?

2 Answers

AWS KMS has three(3) types of Customer Master Keys (CMKs): Customer managed CMK, AWS managed CMK and AWS owned CMK

When you say "KMS generated key material (internal)?", you may be referring to the AWS owned CMK, But note that it could also fall into the AWS managed CMK type. For example, "aws/s3" also uses key materials generated and managed by AWS.


In most cases, when you use a service’s default encryption (i.e. default SSE-S3(AES256) bucket/object encryption, default DynamoDB table SSE, etc.) for example, these services make use of the AWS owned CMK.

As A Darilay wrote, AWS KMS has 3 types of CMKs: 1. Customer managed, 2. AWS managed and 3. AWS owned.

  • The CMK "aws/s3" is of type 2.

  • A CMK that you create (click on "Create key") with your own imported key material is of type 1.

  • A CMK that you create (click on "Create key") with KMS generated key material is also of type 1.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?