- AWS-managed, centralized key management service used to create, manage, and rotate customer master keys (CMKs) for encryption at rest.
- You can create customer-managed symmetric (a single key for both encrypt and decrypt operations) or asymmetric (a public/private key pair for encrypt/decrypt or sign/verify operations) master keys.
- You can enable automatic master key rotation once per year. The service keeps the older versions of the master key so that data encrypted under them can still be decrypted.
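
The rotation behaviour in the last bullet, as an added example (a simplified offline model, not AWS code or the KMS API): one logical key holds several versions of key material, each ciphertext records the version that produced it, and rotation only changes which version new encryptions use. `ModelKey`, the blob layout, and the HMAC-based toy cipher standing in for real authenticated encryption are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode), a stand-in for AES-GCM."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, b"enc" + nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


class ModelKey:
    """Hypothetical model: one logical key ID backed by versioned key material."""
    def __init__(self):
        self.versions = [os.urandom(32)]  # list index = version number

    def rotate(self):
        self.versions.append(os.urandom(32))  # old material is retained, not deleted

    def encrypt(self, plaintext: bytes) -> bytes:
        version = len(self.versions) - 1  # new data always uses the newest material
        key, nonce = self.versions[version], os.urandom(16)
        header = version.to_bytes(4, "big") + nonce
        body = _xor_stream(key, nonce, plaintext)
        tag = hmac.new(key, b"mac" + header + body, hashlib.sha256).digest()
        return header + body + tag

    def decrypt(self, blob: bytes) -> bytes:
        if len(blob) < 52:  # 4-byte version + 16-byte nonce + 32-byte tag
            raise ValueError("ciphertext too short")
        version = int.from_bytes(blob[:4], "big")
        if version >= len(self.versions):
            raise ValueError("unknown key version")
        key, nonce, body, tag = self.versions[version], blob[4:20], blob[20:-32], blob[-32:]
        expected = hmac.new(key, b"mac" + blob[:-32], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        return _xor_stream(key, nonce, body)


def demo():
    key = ModelKey()
    old_blob = key.encrypt(b"written before rotation")  # constructed sample data
    key.rotate()
    new_blob = key.encrypt(b"written after rotation")
    return key.decrypt(old_blob), key.decrypt(new_blob), old_blob[:4], new_blob[:4]
```

In this model, rotation does not re-encrypt existing ciphertext: data written before rotation stays protected by the old key material until it is explicitly re-encrypted.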