Exactly what benefit do you get from using an external CMK?
1 Answers
In the KMS documentation I found this
"
When you use imported key material, you remain responsible for the key material while allowing AWS KMS to use a copy of it. You might choose to do this for one or more of the following reasons:
To prove that you generated the key material using a source of entropy that meets your requirements.
To use key material from your own infrastructure with AWS services, and to use AWS KMS to manage the lifecycle of that key material within AWS.
To set an expiration time for the key material in AWS and to manually delete it, but to also make it available again in the future. In contrast, scheduling key deletion requires a waiting period of 7 to 30 days, after which you cannot recover the deleted CMK.
To own the original copy of the key material, and to keep it outside of AWS for additional durability and disaster recovery during the complete lifecycle of the key material.
"
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
It’s actually explained in the next lecture "KMS Part 4" @3:32