Data security is a critical concern for businesses today, and with the increasing reliance on cloud services, managing encryption keys has become an essential part of maintaining data security. In this blog, we will explore the difference between Customer Managed Key (CMK) and Amazon Managed Key (AMK) and how they are used in Amazon Web Services (AWS).
What are CMK and AMK?
AWS provides two options for key management – Customer Managed Key (CMK) and Amazon Managed Key (AMK). By default, AWS services use AMK because it is easy to deploy and manage and carries no additional cost. Organizations that need more control over their encryption keys can use CMK instead.
CMK provides an added layer of security as the customer has complete control over the keys. The keys are not visible or accessible to anyone else, and the customer is responsible for managing the keys. This means that the customer can decide when and how to rotate the keys, who has access to them, and how they are used. However, this comes with an additional cost and requires the customer to have a process and procedure for managing the keys.
By default, many services use AMK because it is free, easy to deploy and easy to manage.
CMK provides a bit more security because the customer is in full control of the keys – no one else can see, access or manage them in any way. Mature organizations may also have their own Key Management System and/or Vault.
From a cryptographic perspective, both CMK and AMK are used to encrypt data and objects in the same way and provide the same level of encryption. The primary difference is who manages the keys and has access to them.
How are CMK and AMK used in AWS services?
Let’s take a look at some AWS services and how they use CMK and AMK.
RDS – Comparison between CMK and AMK
- You can only encrypt an Amazon RDS DB instance when you create it, not after the DB instance is created.
- You can’t change the encryption key used by an Amazon RDS DB instance. However, you can create a copy of the RDS DB instance, and then choose a new encryption key for that copy.
- CMK costs money and requires a process and procedure for managing the keys.
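The control a CMK gives you (who may use the key, whether it rotates) and the RDS constraints above (encryption only at creation, key fixed for the life of the instance) are both things an auditor wants to check continuously. The script below is an added example written for this post, not code from AWS or the original author: it classifies each RDS instance as unencrypted, encrypted under an AMK (the AWS API reports these as `KeyManager = "AWS"`) or encrypted under a CMK, and for customer-managed keys it flags disabled rotation and over-broad key-policy statements. The key inventory, policies and DB instance records are constructed sample data in the shape of the `describe_key`, `get_key_policy`, `get_key_rotation_status` and `describe_db_instances` responses, so it runs offline; the account id, region and role names are placeholders.

```python
"""Offline audit of KMS key posture and RDS encryption (added example, constructed data)."""
import json

ACCOUNT = "111122223333"  # placeholder account id
REGION = "us-east-1"      # placeholder region


def key_arn(key_id):
    return f"arn:aws:kms:{REGION}:{ACCOUNT}:key/{key_id}"


# Shape modelled on the policy AWS attaches to an AWS managed key: usable only
# through the owning service, from the owning account.
AWS_MANAGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:CallerAccount": ACCOUNT,
                                       "kms:ViaService": f"rds.{REGION}.amazonaws.com"}},
    }],
}

# A customer-managed key policy that separates administration from use (assumed role names).
CUSTOMER_POLICY_TIGHT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KeyAdministrators", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:Put*", "kms:ScheduleKeyDeletion"],
         "Resource": "*"},
        {"Sid": "AllowRdsUse", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/RdsAppRole"},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": "*",
         "Condition": {"StringEquals": {"kms:ViaService": f"rds.{REGION}.amazonaws.com"}}},
    ],
}

# A customer-managed key policy that hands full access to anyone: the defect the audit should catch.
CUSTOMER_POLICY_OPEN = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TooBroad", "Effect": "Allow", "Principal": "*",
                   "Action": "kms:*", "Resource": "*"}],
}

# Constructed key inventory; KeyManager and KeyRotationEnabled mirror the KMS API field names.
KEYS = {
    key_arn("aaaa-aws-managed"):   {"KeyManager": "AWS",      "KeyRotationEnabled": True,  "Policy": AWS_MANAGED_POLICY},
    key_arn("bbbb-customer-good"): {"KeyManager": "CUSTOMER", "KeyRotationEnabled": True,  "Policy": CUSTOMER_POLICY_TIGHT},
    key_arn("cccc-customer-open"): {"KeyManager": "CUSTOMER", "KeyRotationEnabled": False, "Policy": CUSTOMER_POLICY_OPEN},
}

# Constructed RDS instances in the shape of describe_db_instances output.
DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db",   "StorageEncrypted": True,  "KmsKeyId": key_arn("aaaa-aws-managed")},
    {"DBInstanceIdentifier": "payments-db", "StorageEncrypted": True,  "KmsKeyId": key_arn("bbbb-customer-good")},
    {"DBInstanceIdentifier": "reports-db",  "StorageEncrypted": True,  "KmsKeyId": key_arn("cccc-customer-open")},
    {"DBInstanceIdentifier": "legacy-db",   "StorageEncrypted": False},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element ("*", or a map of principal type to one or more values)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def audit_key_policy(policy):
    """Return findings for Allow statements that are broader than a key policy should be."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt)
        actions = _as_list(stmt.get("Action", []))
        if "*" in principals and "Condition" not in stmt:
            findings.append(f"{sid}: Allow to Principal '*' with no Condition (any AWS principal can use the key)")
        if any(a in ("kms:*", "*") for a in actions):
            non_root = [p for p in principals if not p.endswith(f"::{ACCOUNT}:root")]
            if non_root:
                findings.append(f"{sid}: kms:* granted to {non_root} (only the account root normally has full access)")
    return findings


def audit_key(arn, meta):
    """Rotation and policy checks apply to customer-managed keys only; AWS manages both for an AMK."""
    if meta["KeyManager"] == "AWS":
        return []
    findings = []
    if not meta["KeyRotationEnabled"]:
        findings.append(f"{arn}: automatic rotation disabled on a customer-managed key")
    findings.extend(audit_key_policy(meta["Policy"]))
    return findings


def audit_db_instance(inst, keys):
    """Classify the instance's encryption and attach any findings about the key it uses."""
    result = {"id": inst["DBInstanceIdentifier"], "encryption": "none", "findings": []}
    if not inst.get("StorageEncrypted"):
        # Encryption cannot be switched on for an existing instance; the fix is a new instance
        # restored from an encrypted snapshot copy.
        result["findings"].append("storage not encrypted; cannot be enabled in place, restore from an encrypted snapshot copy")
        return result
    meta = keys.get(inst.get("KmsKeyId"))
    if meta is None:
        result["encryption"] = "unknown-key"
        result["findings"].append(f"key {inst.get('KmsKeyId')} not found in inventory")
        return result
    result["encryption"] = "aws-managed" if meta["KeyManager"] == "AWS" else "customer-managed"
    result["findings"].extend(audit_key(inst["KmsKeyId"], meta))
    return result


def run_audit(instances=DB_INSTANCES, keys=KEYS):
    return [audit_db_instance(inst, keys) for inst in instances]


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

In a live account the same functions take the real API responses: `KeyManager` comes from `describe_key`, `KeyRotationEnabled` from `get_key_rotation_status`, the policy document from `get_key_policy` (parsed with `json.loads`), and the instance list from `describe_db_instances`. The unencrypted-instance finding is deliberately phrased around the RDS constraint above: there is no in-place fix, only a snapshot copy under the chosen key and a restore.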
Reference Materials:
https://aws.amazon.com/premiumsupport/knowledge-center/update-encryption-key-rds/
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
https://docs.aws.amazon.com/kms/latest/developerguide/overview.html