What’s the difference between default KMS master key like aws/s3, vs user created CMK? Like Ryan created in his video. Pls note, I’m NOT asking importing key material from external source; that’s different. But, default CMK vs user created.
You have control over CMK such as enable, disable, schedule deletion, assign to users to administrate or encrypt/decrypt data.
With default aws/s3 you can still encrypt/decrypt your s3 data but you dont have the granular control on the key as you would with CMK
That’s right. I was interested to find out if there’s any difference from user’s experience point of view. To me, it would be same; it doesn’t matter who (what user/ group/role) encrypted the object as long as that user has the rights to encrypt the object. Correct?
Each AWS service has a pre-assigned default KMS key per account per region. All objects for that service will be encrypted with the same key. CMK gives you the ability to use different keys for encrypting differing objects for the same service and of course control access and administration to each CMK.
From a user perspective, if an object was encrypted with a default KMS then any user who has access to the service through IAM roles or policies will eventually be able to decrypt and read encrypted objects regardless of which user encrypted them. when a CMK is used to encrypt and object only users who are granted explicit permission on that CMK an decrypt and read the object, having read access to the object is not enough n that case.