====== AWS-managed Keys vs Customer-managed Keys ======

**What it is:** Two common ownership models for KMS keys.

**What it's for:** Choosing the right level of control over encryption.

**AWS-managed key:**
  * Created and managed by AWS on behalf of an AWS service.
  * Simpler to set up, but gives you less control over the key.

**Customer-managed key (CMK):**
  * You create the key and manage its settings and policies.
  * More control over access, rotation, and auditing.

**Exam cues:**
  * "must control who can use the key" → Customer-managed key.
  * "simplest encryption option" → AWS-managed key (often acceptable).

**Hard words:**
  * *ownership* /ˈoʊnərʃɪp/: the right of ownership
  * *rotation* /roʊˈteɪʃn/: key rotation
  * *control level* /kənˈtroʊl ˈlevl/: degree of control