Customer master keys

The CMK is fundamental to KMS, and this key never leaves the confines of the KMS service. As we have already seen earlier in this chapter, CMKs are the keys selected within other AWS services as the master key to use for the encryption process. CMKs are used to generate data encryption keys, in both plaintext and encrypted form, just as we saw during the S3 encryption section. It is these data encryption keys that are sent beyond KMS to other AWS services; the CMK itself, to reiterate, does not leave KMS and remains protected inside the service.

Two types of CMKs exist. Firstly, there are CMKs that are created and managed by AWS, such as the (default) aws/rds key we saw earlier when applying encryption to an RDS database. These CMKs are generally created the first time they are called upon, and they are used by the other AWS services that call KMS on your behalf.

Secondly, there are CMKs that are created by us as customers of AWS. These CMKs can be generated within KMS or imported into KMS using existing key material that customers may already be using on premises. Customer-managed CMKs give you greater control over the key itself, including key rotation, access control through key policies, disabling the key, and even deleting it.
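The envelope-encryption flow described above, as an added example that is not from the book or from AWS: a stand-in `Kms` class holds the CMK and only ever hands out data keys (modelled on the GenerateDataKey and Decrypt calls), while the caller encrypts its data with the plaintext data key and stores only the encrypted data key next to the ciphertext. Real KMS and the AWS SDKs use AES-GCM; here an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in so the example runs on the standard library alone (an assumption, not how KMS is implemented).

```python
import hashlib
import hmac
import os

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode as a stand-in for AES; returns exactly `length` bytes
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the tag, then decrypt; raises ValueError if the key or data is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Kms:
    """Stand-in for the KMS service boundary: CMK material never leaves this object."""
    def __init__(self):
        self._cmk = os.urandom(32)          # the CMK; no method ever returns it

    def generate_data_key(self):
        # Like GenerateDataKey: a fresh data key in plaintext and encrypted under the CMK
        plaintext_key = os.urandom(32)
        return plaintext_key, seal(self._cmk, plaintext_key)

    def decrypt(self, encrypted_key):
        # Like Decrypt: only this CMK can recover the data key
        return unseal(self._cmk, encrypted_key)

def envelope_encrypt(kms, data):
    plaintext_key, encrypted_key = kms.generate_data_key()
    ciphertext = seal(plaintext_key, data)
    del plaintext_key                       # caller discards the plaintext key after use
    return encrypted_key, ciphertext        # only these two are stored with the object

def envelope_decrypt(kms, encrypted_key, ciphertext):
    # Ask KMS to unwrap the data key, then decrypt the data locally
    return unseal(kms.decrypt(encrypted_key), ciphertext)
```

Decrypting with a different `Kms` instance (a different CMK) fails at the tag check, which is the property that makes the encrypted data key safe to store beside the ciphertext.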
