====== KMS (Key Management Service) ======

**What it is:** A service to create, manage, and control access to encryption keys.

**What it's for:**
  * Encrypt data in AWS services (S3, EBS, RDS, DynamoDB, etc.).
  * Control who can use keys to encrypt/decrypt.
  * Audit key usage.

**Key ideas:**
  * KMS keys are **regional** (a key lives in one Region).
  * Two main types of keys (common in exams):
    * [[aws:security:kms:aws-managed-vs-customer-managed|AWS-managed keys vs Customer-managed keys]]
  * Access is controlled by:
    * [[aws:security:kms:key-policy|Key Policy]]
    * IAM policies (for the caller)

**Exam cues:**
  * "encrypt S3 objects with customer control" → SSE-KMS + customer-managed key.
  * "control who can decrypt" → KMS + key policy.
  * "encrypt large files but centrally control decryption" → [[envelope-encrytion|Envelope Encryption]] + KMS data keys.

**Hard words:**
  * *encryption* /ɪnˈkrɪpʃən/: mã hóa (turning data into ciphertext)
  * *decrypt* /ˌdiːˈkrɪpt/: giải mã (turning ciphertext back into plaintext)
  * *audit* /ˈɔːdɪt/: kiểm toán/ghi nhận (reviewing and recording who used what)
  * *regional* /ˈriːdʒənl/: theo Region (scoped to a single Region)
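The "envelope encryption + KMS data keys" cue above, as an added example that is not part of this wiki page or of any AWS SDK: a local ''FakeKms'' class stands in for KMS (it keeps the KMS key to itself, checks a key policy on every call and records an audit entry), and a toy HMAC-based authenticated cipher stands in for the AES-GCM a real client would use; the key ID, principal names and policy contents are constructed for the demo.

```python
import hashlib
import hmac
import os


def _keystream(key, nonce, n):
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for AES-GCM, demo only)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"\x01" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _seal(key, data):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, b"\x02" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key, blob):
    """Verify the tag before decrypting; a wrong key or a modified blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"\x02" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class FakeKms:
    """Local stand-in for AWS KMS: one regional key, a key policy, and an audit log."""

    def __init__(self, key_id, key_policy):
        self.key_id = key_id
        self.key_policy = key_policy          # {principal: {"kms:GenerateDataKey", "kms:Decrypt"}}
        self.audit = []                       # stands in for CloudTrail; denied calls are logged too
        self._kms_key = os.urandom(32)        # never returned to callers, like a real KMS key

    def _authorize(self, principal, action):
        self.audit.append((principal, action, self.key_id))
        if action not in self.key_policy.get(principal, set()):
            raise PermissionError(f"{principal} is not allowed {action} on {self.key_id}")

    def generate_data_key(self, principal):
        """Returns (plaintext data key, data key encrypted under the KMS key)."""
        self._authorize(principal, "kms:GenerateDataKey")
        data_key = os.urandom(32)
        return data_key, _seal(self._kms_key, data_key)

    def decrypt(self, principal, encrypted_data_key):
        self._authorize(principal, "kms:Decrypt")
        return _open(self._kms_key, encrypted_data_key)


def envelope_encrypt(kms, principal, data):
    """Bulk data is encrypted locally; only the small data key goes through KMS."""
    data_key, encrypted_data_key = kms.generate_data_key(principal)
    return {"encrypted_data_key": encrypted_data_key, "ciphertext": _seal(data_key, data)}


def envelope_decrypt(kms, principal, envelope):
    """Decryption is centrally controlled: KMS must agree to unwrap the data key first."""
    data_key = kms.decrypt(principal, envelope["encrypted_data_key"])
    return _open(data_key, envelope["ciphertext"])
```

Any principal can hold the envelope, but only one the key policy allows ''kms:Decrypt'' for can recover the data key, and every attempt (allowed or denied) leaves an audit entry.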