====== Customer Managed Key (CMK) ======

**What it is:** A KMS key that you create and manage (policies, access, rotation settings).

**What it’s for:**
  * Stronger control over who can encrypt/decrypt.
  * Central key governance for compliance and auditing.
  * Cross-account key usage (via key policy + IAM).

**Key ideas:**
  * CMK gives you control of:
    * [[aws:security:kms:key-policy|Key Policy]]
    * who can use/admin the key
    * (optional) rotation settings (depending on key type)
  * Many AWS services can use CMK for encryption (S3 SSE-KMS, EBS, RDS, etc.).

**Exam cues:**
  * “must control key access via policy” → use CMK.
  * “need audit of decrypt usage” → KMS + CMK.

**Hard words (English + IPA + Vietnamese meaning):**
  * *governance* /ˈɡʌvərnəns/: quản trị (quy tắc/kiểm soát)
  * *compliance* /kəmˈplaɪəns/: tuân thủ
  * *auditing* /ˈɔːdɪtɪŋ/: kiểm toán