What it is: Two common ownership models for KMS keys.

What it’s for: Choose the right control level for encryption.

AWS-managed key:

• Created and managed by AWS for an AWS service.
• Simpler, less control.

Customer-managed key (CMK):

• You create and manage key settings and policies.
• More control over access, rotation, and auditing.

Exam cues:

• “must control who can use the key” → Customer-managed key.
• “simplest encryption option” → AWS-managed key (often acceptable).

Hard words:

• *ownership* /ˈoʊnərʃɪp/: quyền sở hữu
• *rotation* /roʊˈteɪʃn/: xoay vòng khóa
• *control level* /kənˈtroʊl ˈlevl/: mức độ kiểm soát