AWS KMS External Key Store

A custom key store external to AWS is managed by your external key manager, which can be a physical or virtual hardware security module (HSM) or any hardware or software system capable of generating and managing cryptographic keys.

The encryption and decryption of KMS keys in an external key store are handled by your external key manager using your cryptographic key material. This approach is known as "hold your own keys" (HYOK).

More content

• AWS Custom key stores
• AWS External key stores
• AWS Bring Your Own Key (BYOK)