AWS KMS is a fully managed service, where AWS takes care of underlying infrastructure to support high availability as it is deployed in multiple availability zones within a region, automatic scalability, security, and zero maintenance for the user. This allows the user to focus on the encryption requirement for their workload. AWS KMS provides 99.999999999% durability for your encrypted keys by storing multiple copies of these keys.

AWS KMS gives you centralized control of all of your encryption keys. You can access KMS through the AWS Management Console, CLI, and AWS SDK for creating, importing, and rotating keys. You can also set up usage policies and audit KMS for key usage from any of these options for accessing AWS KMS.

AWS KMS integrates seamlessly with multiple AWS services to enable encryption of data stored in these AWS services such as S3, RDS, EMR, and so on. AWS KMS also integrates with management services, such as AWS CloudTrail, to log usage of each key, every single time it is used for audit purpose. It also integrates with IAM to provide access control.

The AWS KMS is a secure service that ensures your master keys are not shared with anyone else. It uses hardened systems and hardening techniques to protect your unencrypted master keys. KMS keys are never transmitted outside of the AWS regions in which they were created. You can define which users can use keys and have granular permissions for accessing KMS.

The AWS KMS is compliant with many leading regulatory compliance schemes such as PCI-DSS Level 1, SOC1, SOC2, SOC3, ISO 9001, and so on.

The CMK is a primary component of KMS. These keys could be managed either by the customer or by AWS. You would usually need CMKs to protect your data keys (keys used for encrypting data). Each of these keys can be used to protect 4 KB of data directly. These CMKs are always encrypted when they leave AWS. For every AWS service that integrates with AWS KMS, AWS provides a CMK that is managed by AWS. This CMK is unique to your AWS account and region in which it is used.

Data keys are used to encrypt data. This data could be in your application outside of AWS. AWS KMS can be used to generate, encrypt, and decrypt data keys. However, AWS KMS does not store, manage, or track your data keys. These functions should be performed by you in your application.

A key policy is a document that contains permission for accessing CMK. You can decide who can use and manage CMK for all CMK that you create, and you can add this information to the key policy. This key policy can be edited to add, modify, or delete permissions for a customer managed CMK; however, a key policy for an AWS managed CMK cannot be edited.

AWS KMS integrates with AWS CloudTrail to provide an audit trail of your key usage. You can save this trail that is generated as a log file in a S3 bucket. These log files contain information about all AWS KMS API requests made in the AWS Management Console, AWS SDKs, command line tools such as AWS CLI and all requests made through other AWS services that are integrated with AWS KMS. These log files will tell you about KMS operation, the identity of a requester along with the IP address, time of usage, and so on.

You can monitor, control, and investigate your key usage through AWS CloudTrail.

AWS KMS provides a secure KMI as a service to you. While encrypting and decrypting data, it is the responsibility of the KMI provider to keep your keys secure, and AWS KMS helps you keep your keys secure. The KMS is a managed service so you don't have to worry about scaling your infrastructure when your encryption requirement is increasing.