KMS is for Encryption at rest and Key Import is for Encryption in transit. Is this a right statement?
1 Answers
Encryption-at-rest can be provided AWS with SSE-S3 (also known as AES-256). It can also be provided by SSE-KMS (also called AWS-KMS). This protects files or objects on S3, Redshift, RDS, EBS volumes, etc.
Encryption-at-rest can be provided by either Client-Side or Server-Side encryption. Server-side can be managed by AWS SSE-S3 or SSE-KMS. For KMS, you can either have the key made and managed fully by AWS, or you can import the key material to have more control of your key’s privacy. This is a Customer-Managed Key (CMK). You cannot import a key into KMS, you are just importing the key material so that AWS KMS can make the key.
You can import and export keys with CloudHSM.
You can import your public key for EC2 instances, but these keys cannot be used by services such as S3, and RDS. For this you need to look to KMS or CloudHSM.
Encryption-in-transit is used to encrypt data in movement (for example, between EC2 and S3) by using SSL, or it has to be encrypted in advnace at the client-side before being moved. (See https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html)
One additional suggestion on how to think about key pairs and EC2 instances: They all about access to the servers, not about encrypting any data at rest.