AWS Key Management Service Best Practices For Encryption

Create and manage cryptographic keys to safeguard your data with AWS KMS. Most AWS data-encrypting services are connected with AWS KMS

In AWS Identity and Access Management, identity-based policies determine user, group, and role permissions. Like IAM policies, AWS KMS policies restrict key access

KMS keys created in your account by AWS services on your behalf are known as AWS managed keys

KMS keys that are owned and managed by an AWS service and can be used across several AWS accounts are known as AWS owned keys

AWS KMS administrative and modification permissions, and no unauthorized principal should have AWS KMS modification permissions listed in an allow statement

Principals are unable to use the AWS Key Management Service decryption actions on any resource as a result

To stop unauthorized users or roles from deleting KMS keys directly through a command or the terminal, implement SCPs in AWS Organizations