Certified Security - Specialty

Sign Up Free or Log In to participate!

What’s the difference between default KMS master key (aws/s3) vs. user created KMS key (NOT importing key material from external source)

What’s the difference between default KMS master key like aws/s3, vs user created CMK? Like Ryan created in his video. Pls note, I’m NOT asking importing key material from external source; that’s different. But, default CMK vs user created.

3 Answers

You have control over CMK such as enable, disable, schedule deletion, assign to users to administrate or encrypt/decrypt data.
With default aws/s3 you can still encrypt/decrypt your s3 data but you dont have the granular control on the key as you would with CMK

That’s right. I was interested to find out if there’s any difference from user’s experience point of view. To me, it would be same; it doesn’t matter who (what user/ group/role) encrypted the object as long as that user has the rights to encrypt the object. Correct?



Each AWS service has a pre-assigned default KMS key per account per region. All objects for that service will be encrypted with the same key. CMK gives you the ability to use different keys for encrypting differing objects for the same service and of course control access and administration to each CMK.

From a user perspective, if an object was encrypted with a default KMS then any user who has access to the service through IAM roles or policies will eventually be able to decrypt and read encrypted objects regardless of which user encrypted them. when a CMK is used to encrypt and object only users who are granted explicit permission on that CMK  an decrypt and read the object, having read access to the object is not enough n that case.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?