What it is: A KMS key that you create and manage (policies, access, rotation settings).

What it’s for:

• Stronger control over who can encrypt/decrypt.
• Central key governance for compliance and auditing.
• Cross-account key usage (via key policy + IAM).

Key ideas:

• CMK gives you control of:
  • Key Policy
  • who can use/admin the key
  • (optional) rotation settings (depending on key type)
• Many AWS services can use CMK for encryption (S3 SSE-KMS, EBS, RDS, etc.).

Exam cues:

• “must control key access via policy” → use CMK.
• “need audit of decrypt usage” → KMS + CMK.

Hard words (English + IPA + Vietnamese meaning):

• *governance* /ˈɡʌvərnəns/: quản trị (quy tắc/kiểm soát)
• *compliance* /kəmˈplaɪəns/: tuân thủ
• *auditing* /ˈɔːdɪtɪŋ/: kiểm toán