1 Answer
I haven’t seen that lecture, but when you upload your own KMS CMK origin material, you are uploading an AES-256 key that you generated. KMS, at its core, is using symmetric cryptography so there is no PKI public/private pair. To get the key into AWS securely though, AWS will issue you a public key to encrypt the AES-256 key you generated, so that they (who hold that private key) are the only ones who can decrypt the actual AES-256 key protecting its value during transit. The public/private key pair used for that transaction is essentially irrelevant after import into the KMS service.
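The transit step described in this answer, as an added Go example that is not part of the answer or of AWS's own tooling: a locally generated RSA pair stands in for the wrapping key pair KMS issues, the 32 random bytes are the AES-256 key you generate yourself, and the wrapping uses RSAES-OAEP with SHA-256, which matches KMS's RSAES_OAEP_SHA_256 wrapping algorithm. The 256-byte length check assumes a 2048-bit wrapping key.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// WrapKeyMaterial encrypts the AES-256 key you generated under the RSA public
// wrapping key KMS handed you (RSAES-OAEP with SHA-256, i.e. RSAES_OAEP_SHA_256).
func WrapKeyMaterial(pub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyMaterial, nil)
}

// UnwrapKeyMaterial is the step only the private-key holder (KMS) can perform.
func UnwrapKeyMaterial(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// RoundTrip runs generate -> wrap -> transit -> unwrap and reports whether the
// key that lands inside the stand-in "KMS" equals the one generated locally.
func RoundTrip() (bool, error) {
	kmsPair, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for KMS's pair
	if err != nil {
		return false, err
	}
	keyMaterial := make([]byte, 32) // the AES-256 key you create yourself
	if _, err := rand.Read(keyMaterial); err != nil {
		return false, err
	}
	wrapped, err := WrapKeyMaterial(&kmsPair.PublicKey, keyMaterial)
	if err != nil {
		return false, err
	}
	if len(wrapped) != 256 || bytes.Contains(wrapped, keyMaterial) { // blob must be opaque in transit
		return false, nil
	}
	imported, err := UnwrapKeyMaterial(kmsPair, wrapped) // only KMS can do this
	if err != nil {
		return false, err
	}
	return bytes.Equal(imported, keyMaterial), nil
}

func main() {
	ok, err := RoundTrip()
	fmt.Println("key material survived transit intact:", ok, err)
}
```

After the unwrap the RSA pair has no further role; every later Encrypt/Decrypt call uses only the imported symmetric key.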