Why architecture matters here
KMS failures include deleted keys (data lost), throttling under load, and cross-account grant sprawl. Architecture matters because envelope + grants + audit define both cost and safety.
The architecture: every piece explained
The top strip is basics. Application. CMK / KMS key. Envelope encryption via GenerateDataKey. Key policy + grants.
The middle row is variants. Aliases + rotation. Multi-Region keys. CloudHSM. CloudTrail.
The lower rows are ops. Quotas + throttling. Cost. Ops — deletion delay + break-glass + BYOK.
End-to-end flow
End-to-end: app calls GenerateDataKey. Encrypts data with plaintext key locally; stores encrypted data key next to ciphertext. On read, calls Decrypt on data key; decrypts data locally. Rotation issues new CMK version; old ciphertext still readable. Audit trail in CloudTrail.