AWS Key Management Service Best Practices For Encryption
Create and manage cryptographic keys to safeguard your data with AWS KMS. Most AWS data-encrypting services are connected with AWS KMS
In AWS Identity and Access Management, identity-based policies determine user, group, and role permissions. Like IAM policies, AWS KMS policies restrict key access
KMS keys created in your account by AWS services on your behalf are known as AWS managed keys
KMS keys that are owned and managed by an AWS service and can be used across several AWS accounts are known as AWS owned keys
AWS KMS administrative and modification permissions, and no unauthorized principal should have AWS KMS modification permissions listed in an allow statement
Principals are unable to use the AWS Key Management Service decryption actions on any resource as a result
To stop unauthorized users or roles from deleting KMS keys directly through a command or the terminal, implement SCPs in AWS Organizations