What is AWS KMS and encryption?
Why Interviewers Ask This
This tests whether you can apply AWS / Cloud Computing knowledge to real-world scenarios. Interviewers are looking for clarity of thought and evidence that you've encountered this in production code.
Answer
AWS Key Management Service (KMS) is a managed service for creating and controlling the cryptographic keys used to protect data. It integrates with 100+ AWS services.

Key types: AWS managed keys are created and managed by AWS for specific services (aws/s3, aws/rds); customer managed keys (CMKs) are created and managed by you, with full control over their policies; AWS owned keys are managed by AWS internally, with no customer visibility.

Key material: generated by AWS KMS (the default); imported (bring your own key, BYOK); or generated in AWS CloudHSM.

Encryption at rest uses envelope encryption: KMS generates a data key → the data is encrypted with that data key → the data key is encrypted with the KMS CMK, and the encrypted data encryption key (DEK) is stored alongside the data. To decrypt: KMS decrypts the DEK → the DEK is used to decrypt the data. Only the CMK stays inside KMS; data keys are never stored in plaintext.

Encryption in transit: TLS/SSL, handled by the individual services.

KMS in practice: S3 SSE-KMS (server-side encryption with a KMS key per object), RDS encryption (all storage, backups and snapshots encrypted), EBS encryption, and Secrets Manager (secrets encrypted by KMS).

Key policy: a resource-based policy on each CMK that defines who can use and who can manage the key.

Key rotation: automatic annual rotation; the CMK material is rotated and the old material is retained for decryption.

Multi-region keys: the same key ID and key material are replicated across regions, so data can be decrypted in a different region from the one where it was encrypted.

Asymmetric keys: RSA/ECC key pairs for sign/verify and public-key encryption.

Price: $1/month per CMK + $0.03 per 10K API calls.
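The envelope-encryption flow and the rotation behaviour described above, as an added Go example (not code from the original answer or from AWS): an in-process fakeKMS type stands in for the KMS GenerateDataKey/Decrypt calls so it runs without an account, and the fakeKMS, its versions slice, the leading version byte on the wrapped DEK and the Envelope struct are all assumptions of this example rather than AWS formats.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// In-process stand-in for KMS (an assumption for this example, not the AWS API). CMK material
// lives only here; versions models rotation: new DEKs are wrapped under the newest version,
// older versions are retained so DEKs wrapped before a rotation still unwrap.
type fakeKMS struct{ versions [][]byte }
func newFakeKMS() *fakeKMS { k := &fakeKMS{}; k.Rotate(); return k }
func (k *fakeKMS) Rotate()  { k.versions = append(k.versions, randBytes(32)) }
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) }
	return b
}
// AES-256-GCM helpers; sealed layout is nonce || ciphertext || tag.
func gcmFor(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key, pt []byte) []byte    { g := gcmFor(key); n := randBytes(g.NonceSize()); return g.Seal(n, n, pt, nil) }
func open(key, ct []byte) ([]byte, error) {
	g := gcmFor(key)
	if n := g.NonceSize(); len(ct) >= n { return g.Open(nil, ct[:n], ct[n:], nil) }
	return nil, errors.New("ciphertext too short")
}

// GenerateDataKey: plaintext DEK plus the DEK wrapped under the newest CMK version (leading byte = version).
func (k *fakeKMS) GenerateDataKey() (plain, wrapped []byte) {
	cur := len(k.versions) - 1
	plain = randBytes(32)
	return plain, append([]byte{byte(cur)}, seal(k.versions[cur], plain)...)
}
// Decrypt unwraps a DEK with the CMK version that wrapped it; the CMK itself never leaves fakeKMS.
func (k *fakeKMS) Decrypt(wrapped []byte) ([]byte, error) {
	if len(wrapped) == 0 || int(wrapped[0]) >= len(k.versions) { return nil, errors.New("unknown CMK version") }
	return open(k.versions[wrapped[0]], wrapped[1:])
}
type Envelope struct{ WrappedDEK, Ciphertext []byte } // stored beside the data; never the plaintext DEK
// Fresh DEK per object, data sealed with it locally, plaintext DEK dropped once it is wrapped.
func EnvelopeEncrypt(k *fakeKMS, data []byte) Envelope { dek, w := k.GenerateDataKey(); return Envelope{w, seal(dek, data)} }
// Ask KMS to unwrap the DEK, then open the data locally.
func EnvelopeDecrypt(k *fakeKMS, e Envelope) ([]byte, error) {
	dek, err := k.Decrypt(e.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, e.Ciphertext)
}
```

Rotating the fakeKMS between encrypt and decrypt shows why KMS keeps old key material: objects wrapped under the previous version still open, while new objects pick up the newest version.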
Pro Tip
Demonstrate both theoretical understanding and practical experience. Say what it is, then give an example of how you actually used it in an AWS / Cloud Computing codebase.