AWS KMS uses envelope encryption whereby a unique data key encrypts customer data, and KMS master keys encrypt data keys. You can bring your key material to AWS KMS and manage user access, key distribution, and rotation from a centralized place. You can also disable unused keys, and a low number of keys helps to improve the performance of the application and encourage better key management.

AWS KMS is designed to limit access and protect master keys. KMS helps you to implement key security best practices by never storing plaintext master keys on disk or in memory. KMS also gracefully rotates the master key to secure it further.

As AWS KMS is a multitenancy key management module, a customer wants to have a dedicated key management module due to compliance. Also, the customer may have an old HSM, and they want to follow the same model. The HSM is single-tenant hardware in AWS and is called AWS CloudHSM. You can choose your own HSM vendor as well. Let's explore HSM in more depth.