What it is: A service to create, manage, and control access to encryption keys.

What it’s for:

• Encrypt data in AWS services (S3, EBS, RDS, DynamoDB, etc.).
• Control who can use keys to encrypt/decrypt.
• Audit key usage.

Key ideas:

• KMS keys are regional (a key lives in one Region).
• Two main types of keys (common in exams):
  • AWS-managed keys vs Customer-managed keys
• Access is controlled by:
  • Key Policy
  • IAM policies (for the caller)

Exam cues:

• “encrypt S3 objects with customer control” → SSE-KMS + customer-managed key.
• “control who can decrypt” → KMS + key policy.
• “encrypt large files but centrally control decryption” → Envelope Encryption + KMS data keys

Hard words:

• *encryption* /ɪnˈkrɪpʃən/: mã hóa
• *decrypt* /ˌdiːˈkrɪpt/: giải mã
• *audit* /ˈɔːdɪt/: kiểm toán/ghi nhận
• *regional* /ˈriːdʒənl/: theo Region