Control encryption keys
- Set up 2 users: one can manage the keys but cannot encrypt/decrypt; the other can encrypt/decrypt but cannot manage the keys.
- aws kms encrypt
- aws kms decrypt
- aws kms re-encrypt
- aws kms enable-key-rotation
- Encrypt envelope key with a CMK.
- CMK is Customer Master Key
- Keys used in KMS are envelope keys
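
A check for the two-user split in the first bullet, as an added example that is not part of the original notes: it reads a KMS key policy and reports any principal that can both manage the key and encrypt/decrypt with it. The ARNs, placeholder account ID, sample policy and action lists are constructed for illustration; Deny statements and conditions are not evaluated.

```python
from fnmatch import fnmatchcase

# Constructed principals; 111122223333 is a placeholder account ID.
ADMIN = "arn:aws:iam::111122223333:user/key-admin"
USER = "arn:aws:iam::111122223333:user/key-user"

# Representative KMS actions for each duty (assumed split, not exhaustive).
DUTIES = {
    "crypto": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:GenerateDataKey"],
    "manage": ["kms:PutKeyPolicy", "kms:EnableKeyRotation", "kms:ScheduleKeyDeletion"],
}

SAMPLE_POLICY = {  # constructed key policy that keeps the two roles apart
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KeyAdmin", "Effect": "Allow", "Principal": {"AWS": ADMIN}, "Resource": "*",
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]},
        {"Sid": "KeyUse", "Effect": "Allow", "Principal": {"AWS": USER}, "Resource": "*",
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants(patterns, actions):
    # IAM action names are case-insensitive and may use * wildcards.
    return any(fnmatchcase(a.lower(), p.lower()) for p in patterns for a in actions)

def capabilities(policy):
    """Map each principal to the duties its Allow statements grant."""
    caps = {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements are ignored in this simplified check
        patterns = _as_list(stmt.get("Action", []))
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        granted = {d for d, acts in DUTIES.items() if _grants(patterns, acts)}
        for arn in arns:
            caps.setdefault(arn, set()).update(granted)
    return caps

def violations(policy):
    # Principals that hold both duties break the separation.
    return sorted(a for a, d in capabilities(policy).items() if d == set(DUTIES))
```

A statement granting `kms:*` to any principal, including the account root, is reported because the wildcard covers both duties.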