
May 17, 2023

Customer Managed Key (CMK) or Amazon Managed Key (AMK)

Idan Perez

CTO


Data security is a critical concern for businesses today, and with the increasing reliance on cloud services, managing encryption keys has become an essential part of maintaining a secure environment. In this post we look at the difference between a Customer Managed Key (CMK) and an AWS Managed Key (AMK, also called an Amazon managed key) in AWS Key Management Service (KMS), and at what the choice means in practice for a service such as Amazon RDS. (Older AWS documentation used "CMK" for "customer master key", its former name for any KMS key; here CMK always means a customer managed key.)

What are CMK and AMK?

AWS KMS offers two kinds of keys that you can see in your account: Customer Managed Keys (CMK) and AWS Managed Keys (AMK). A third kind, AWS owned keys, is used by some services on your behalf and never appears in your account. By default, when you turn on encryption for a service such as RDS, the service uses its own AWS managed key (for RDS, the key aliased aws/rds): there is nothing to deploy or manage and no monthly key fee, although the KMS API requests the service makes may still be billed. Organizations that need more control over their encryption keys use a CMK instead.

A CMK gives you control over the key itself. Its key material never leaves KMS (the same is true of an AMK), but you write the key policy, so you decide which IAM principals may use the key and which may administer it, whether automatic rotation is enabled, whether the key is shared with other AWS accounts, and when it is disabled or scheduled for deletion. With an AMK the service writes that policy and you can only read it; you cannot, for example, share an RDS snapshot encrypted under the aws/rds key with another account. That control cuts both ways: disabling or deleting a CMK makes every RDS instance and snapshot encrypted under it unusable. A CMK therefore comes with a monthly fee per key, per-request charges, and the need for an owner and a documented procedure for policy changes, rotation and deletion.

From a cryptographic perspective the two are identical: both are symmetric 256-bit AES keys held in KMS and used through the same envelope-encryption scheme (the service encrypts data with a data key, and KMS encrypts that data key), so data encrypted under a CMK is no stronger than data encrypted under an AMK. The only difference is who controls the key policy, rotation and lifecycle.
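To make the difference concrete, here is a Python (boto3) script added for this post; it is not code from the original article, from Tamnoon or from AWS. It builds a least-privilege key policy for an RDS CMK (one role administers the key, one role may use it only through RDS, the account root keeps the default IAM-delegated access so the key can never become unmanageable), creates the key with automatic rotation enabled, and audits every RDS instance in a region to report whether it is unencrypted, under the AWS managed key, or under a CMK and whether that CMK rotates. The account ID, region, role ARNs and alias are hypothetical placeholders, and the KMS and RDS clients are passed in as parameters so the functions can be exercised offline with fakes.

```python
"""Create an RDS customer managed key (CMK) with a least-privilege key policy and
audit which key type encrypts each RDS instance. Added example for this post;
not Tamnoon's or AWS's code. Identifiers below are hypothetical placeholders."""
import json

ACCOUNT_ID = "111122223333"                                        # hypothetical
REGION = "us-east-1"                                               # hypothetical
KEY_ADMIN_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/kms-key-admin"    # hypothetical
RDS_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/rds-operator"      # hypothetical


def build_cmk_policy(account_id, region, key_admin_arn, rds_user_arn):
    """Key policy: account root keeps IAM-delegated access (the KMS default, so the
    key can never become unmanageable), one role administers the key but cannot
    use it for data, and one role may use it only through RDS in this region
    (kms:ViaService) plus the grant RDS needs to attach the key to an instance."""
    rds_service = f"rds.{region}.amazonaws.com"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "KeyAdministrators", "Effect": "Allow",
             "Principal": {"AWS": key_admin_arn},
             "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                        "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                        "kms:Get*", "kms:Delete*", "kms:TagResource",
                        "kms:UntagResource", "kms:ScheduleKeyDeletion",
                        "kms:CancelKeyDeletion"],
             "Resource": "*"},
            {"Sid": "UseOnlyViaRds", "Effect": "Allow",
             "Principal": {"AWS": rds_user_arn},
             "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*",
             "Condition": {"StringEquals": {"kms:ViaService": rds_service}}},
            {"Sid": "GrantsForAwsResourcesOnly", "Effect": "Allow",
             "Principal": {"AWS": rds_user_arn},
             "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
             "Resource": "*",
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def create_rds_cmk(kms, policy, alias):
    """Create a symmetric CMK, enable yearly automatic rotation (optional for a CMK,
    mandatory for an AWS managed key) and attach an alias. `kms` is a boto3 KMS
    client or any object with the same method names. Returns the key ID."""
    resp = kms.create_key(Policy=json.dumps(policy),
                          Description="RDS at-rest encryption",
                          KeyUsage="ENCRYPT_DECRYPT", KeySpec="SYMMETRIC_DEFAULT")
    key_id = resp["KeyMetadata"]["KeyId"]
    kms.enable_key_rotation(KeyId=key_id)
    kms.create_alias(AliasName=alias, TargetKeyId=key_id)
    return key_id


def classify_rds_key(kms, kms_key_id):
    """('AMK', True) for an AWS managed key, ('CMK', rotation_enabled) for a
    customer managed key. KeyMetadata.KeyManager is 'AWS' or 'CUSTOMER'."""
    meta = kms.describe_key(KeyId=kms_key_id)["KeyMetadata"]
    if meta["KeyManager"] == "AWS":
        return "AMK", True               # AWS managed keys always rotate yearly
    status = kms.get_key_rotation_status(KeyId=meta["KeyId"])
    return "CMK", status["KeyRotationEnabled"]


def audit_rds_keys(rds, kms):
    """One finding per DB instance: unencrypted (NONE), AMK, or CMK with rotation."""
    findings, marker = [], None
    while True:                          # DescribeDBInstances pages via Marker
        page = rds.describe_db_instances(**({"Marker": marker} if marker else {}))
        for db in page["DBInstances"]:
            name = db["DBInstanceIdentifier"]
            if not db.get("StorageEncrypted"):
                findings.append({"db": name, "key_type": "NONE", "rotation": None})
                continue
            key_type, rotating = classify_rds_key(kms, db["KmsKeyId"])
            findings.append({"db": name, "key_type": key_type, "rotation": rotating})
        marker = page.get("Marker")
        if not marker:
            return findings


if __name__ == "__main__":
    import boto3                         # real clients; needs AWS credentials
    session = boto3.Session(region_name=REGION)
    kms_client, rds_client = session.client("kms"), session.client("rds")
    policy = build_cmk_policy(ACCOUNT_ID, REGION, KEY_ADMIN_ARN, RDS_USER_ARN)
    print(json.dumps(policy, indent=2))
    # Uncomment to actually create the key (billable, one key per run):
    # print("new CMK:", create_rds_cmk(kms_client, policy, "alias/rds-prod"))
    for finding in audit_rds_keys(rds_client, kms_client):
        print(finding)
```

The audit is the check most teams want first: an instance reporting key_type "AMK" is encrypted, but under a key whose policy you cannot edit and whose snapshots you cannot share cross-account; a "CMK" with rotation False is a key somebody created without a rotation decision. The IAM principal running the audit needs rds:DescribeDBInstances, kms:DescribeKey and kms:GetKeyRotationStatus.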

Let's take Amazon RDS as an example of how a service uses CMK and AMK:

RDS – Comparison between CMK and AMK

The table is AWS KMS's general comparison of key types; all three apply to RDS, which uses the AWS managed key aws/rds unless you pick a CMK when creating the instance.

Type of KMS key            | View key metadata? | Manage the key? | Dedicated to my AWS account? | Automatic rotation                      | Pricing
Customer Managed Key (CMK) | Yes                | Yes             | Yes                          | Optional; every year (approx. 365 days) | Monthly fee per key + per-use fee
AWS Managed Key (AMK)      | Yes                | No              | Yes                          | Required; every year (approx. 365 days) | No monthly fee; per-use fee (some AWS services pay it for you)
AWS Owned Key              | No                 | No              | No (shared across accounts)  | Varies                                  | No fee

The Takeaway

  1. You can only enable encryption for an Amazon RDS DB instance when you create it; an existing unencrypted instance cannot be encrypted in place.
  2. You can't change the KMS key of an existing encrypted DB instance either. The way around both limits is the same: take a snapshot, copy the snapshot while specifying the new key (the copy is where the key is chosen), restore a new instance from the copy, and cut your application over to it. The snapshot is a point in time, so stop writes first, and delete the intermediate snapshot that still sits under the old key (or unencrypted) when you are done.
  3. A CMK costs more than an AMK (a monthly fee per key plus per-request charges) and needs an owner, a reviewed key policy, and a rotation and deletion procedure; budget for that before choosing it.
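The procedure behind takeaways 1 and 2, as an added example that is not the original post's, Tamnoon's or AWS's code: a boto3 function that moves an RDS instance to a different KMS key, or encrypts an unencrypted one, by snapshot, copy-with-new-key, restore, and then verifies which key protects the result. The instance and key identifiers in the `__main__` block are hypothetical, and the RDS client is passed in so the logic can be exercised with a fake.

```python
"""Re-key (or first-time encrypt) an Amazon RDS DB instance via snapshot copy.
RDS cannot change the KMS key of an existing instance and cannot encrypt an
unencrypted one in place, so the path is: CreateDBSnapshot -> CopyDBSnapshot with
the new KmsKeyId -> RestoreDBInstanceFromDBSnapshot -> verify -> delete the
intermediate snapshot that still sits under the old key. Added example for this
post, not Tamnoon's or AWS's code; identifiers in __main__ are hypothetical."""


def rekey_rds_instance(rds, source_db, target_db, new_kms_key_id, keep_source_snapshot=False):
    """Return the snapshot identifiers used. `rds` is a boto3 RDS client (or a fake
    with the same methods). Stop writes to source_db first: the snapshot is a
    point in time and anything written afterwards is not carried over."""
    src_snap = f"{source_db}-rekey-source"
    new_snap = f"{source_db}-rekey-{target_db}"

    rds.create_db_snapshot(DBInstanceIdentifier=source_db, DBSnapshotIdentifier=src_snap)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=src_snap)

    # The only step that accepts a key: CopyDBSnapshot takes KmsKeyId, while
    # RestoreDBInstanceFromDBSnapshot does not (the restored instance inherits the
    # snapshot's key). Copying an unencrypted snapshot with KmsKeyId set produces
    # an encrypted copy, which is how an unencrypted instance gets encrypted.
    rds.copy_db_snapshot(SourceDBSnapshotIdentifier=src_snap,
                         TargetDBSnapshotIdentifier=new_snap,
                         KmsKeyId=new_kms_key_id)
    rds.get_waiter("db_snapshot_available").wait(DBSnapshotIdentifier=new_snap)

    rds.restore_db_instance_from_db_snapshot(DBInstanceIdentifier=target_db,
                                             DBSnapshotIdentifier=new_snap)
    rds.get_waiter("db_instance_available").wait(DBInstanceIdentifier=target_db)

    if not keep_source_snapshot:
        # The source snapshot is still under the old key (or unencrypted); don't
        # leave a copy of the data lying around outside the new key's control.
        rds.delete_db_snapshot(DBSnapshotIdentifier=src_snap)
    return {"source_snapshot": src_snap, "new_snapshot": new_snap}


def instance_key_arn(rds, db_identifier):
    """KMS key ARN protecting the instance, or None when storage is unencrypted."""
    db = rds.describe_db_instances(DBInstanceIdentifier=db_identifier)["DBInstances"][0]
    return db.get("KmsKeyId") if db.get("StorageEncrypted") else None


def verify_rekey(rds, target_db, expected_key_arn):
    """True only if the instance is encrypted under the expected key ARN. RDS
    reports the key as an ARN, so compare against the ARN even if an alias
    was passed to CopyDBSnapshot."""
    return instance_key_arn(rds, target_db) == expected_key_arn


if __name__ == "__main__":
    import boto3                                          # needs AWS credentials
    rds_client = boto3.client("rds", region_name="us-east-1")      # hypothetical region
    new_key = ("arn:aws:kms:us-east-1:111122223333:key/"
               "1234abcd-12ab-34cd-56ef-1234567890ab")           # hypothetical CMK ARN
    print(rekey_rds_instance(rds_client, "orders-db", "orders-db-cmk", new_key))
    print("under new CMK:", verify_rekey(rds_client, "orders-db-cmk", new_key))
```

The principal running this needs permission to create, copy, restore from and delete snapshots, plus kms:CreateGrant and kms:GenerateDataKey* on the new key (and on the old one, to read the source snapshot). The restored instance keeps none of the original's security groups, parameter groups or endpoint name, so the cut-over is an application change, not just a key change.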
