AWS Key Management Service (KMS) manages encryption keys. You create Customer Master Keys (CMKs), define policies that control who can use each key, and KMS encrypts and decrypts data on your behalf. You never see the key material; KMS protects it in hardware security modules (optional). Use it for: S3 encryption, RDS encryption, EBS snapshots, Secrets Manager, DynamoDB encryption.
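Since the key policy is what decides who can use a key, here is a small review script, added as an illustration and not taken from AWS or from this page, that reads a key policy document and reports which principals are allowed to encrypt, decrypt, or generate data keys. The sample policy, account ID, role names and function names are constructed for the example, and the check is deliberately narrow: it looks only at Allow statements and does not evaluate Deny, NotAction, Condition contents, grants, or IAM policies.

```python
import fnmatch

# Constructed key policy; the account ID and role names are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KeyAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/KeyAdmin"},
         "Action": ["kms:Describe*", "kms:Put*"], "Resource": "*"},
        {"Sid": "AppUse", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppRole"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": "*"},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}
USE_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):  # the bare "*" form
        return [principal]
    return [p for v in principal.values() for p in _as_list(v)]

def _allows(stmt, action):
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(stmt.get("Action", [])))

def who_can_use(policy):
    """Map each cryptographic action to the principals granted it by Allow statements."""
    grants = {action: set() for action in USE_ACTIONS}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            for action in USE_ACTIONS:
                if _allows(stmt, action):
                    grants[action].update(_principals(stmt))
    return grants

def open_statements(policy):
    """Sids of Allow statements granting key use to any principal with no Condition."""
    return [s.get("Sid") for s in _as_list(policy["Statement"])
            if s.get("Effect") == "Allow" and "*" in _principals(s)
            and "Condition" not in s and any(_allows(s, a) for a in USE_ACTIONS)]
```

On the sample policy, `open_statements` returns the `TooBroad` statement, which lets any principal call `kms:Decrypt` on the key.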