Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.3.2. Imported vs. AWS-Generated Key Material

First Principle: KMS can use key material generated by AWS (default) or imported by you. Imported key material gives you control over key generation and the ability to set key expiration — but adds operational complexity and eliminates automatic rotation.

This is new content for the SCS-C03.

AWS-Generated Key Material (Default):
  • KMS generates and stores key material in HSMs
  • Automatic annual rotation available (new key material, same key ID)
  • Cannot be exported — key material never leaves KMS
  • Simplest operational model

Imported Key Material:
  • You generate key material externally (your own HSM, third-party tool)
  • Import into a KMS key using a wrapping key provided by KMS
  • Can set an expiration date — key material automatically deleted after expiration
  • No automatic rotation — you must manually reimport new key material
  • Can delete imported key material on demand (making all encrypted data inaccessible)
  • Use case: regulatory requirement to generate keys in your own HSM, or need for key expiration

External Key Stores (XKS):
  • KMS keys backed by your own external HSM (outside AWS)
  • Key material never enters AWS — KMS proxies encryption/decryption requests to your HSM
  • Maximum control at the cost of latency and operational complexity
  • Use case: data sovereignty requirements where key material must stay outside AWS
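The import lifecycle described above (wrapping key from KMS, import with an expiration date, manual reimport) and the rotation caveat for imported and XKS-backed keys, as an added Python example that is not part of the MindMesh material or AWS documentation. It assumes a boto3 KMS client is passed in by the caller, that the `cryptography` package is available for the RSA-OAEP wrapping step, and that the helper names (`wrap_key_material`, `import_request`, `rotation_posture`, `constructed_inventory`, `audit`) and key IDs are my own constructions. The boto3 parameter names and the `KeyMetadata` fields used are the real ones; only the audit labels are invented.

```python
"""Imported KMS key material: wrap, import with expiry, and audit rotation posture.

Example code (not MindMesh's or AWS's own). The AWS calls are isolated in
import_key_material_with_expiry(); everything else runs offline.
"""
from datetime import datetime, timedelta, timezone

SYMMETRIC_KEY_BYTES = 32  # SYMMETRIC_DEFAULT keys are 256-bit AES


def check_key_material(material):
    """Reject anything that is not exactly 256 bits; KMS would reject it too."""
    if not isinstance(material, (bytes, bytearray)) or len(material) != SYMMETRIC_KEY_BYTES:
        raise ValueError(f"SYMMETRIC_DEFAULT needs exactly {SYMMETRIC_KEY_BYTES} bytes of key material")
    return True


def wrap_key_material(public_key_der, material):
    """Wrap the raw key with the KMS-supplied public key (RSAES_OAEP_SHA_256).

    Lazy import: 'cryptography' is an assumed dependency for this step only.
    """
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    public_key = serialization.load_der_public_key(public_key_der)
    return public_key.encrypt(
        material,
        padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None),
    )


def import_request(key_id, import_token, wrapped_material, valid_to):
    """Build the ImportKeyMaterial parameters; expiry is mandatory in this design."""
    if valid_to.tzinfo is None:
        raise ValueError("valid_to must be timezone-aware so the expiry is unambiguous")
    return {
        "KeyId": key_id,
        "ImportToken": import_token,
        "EncryptedKeyMaterial": wrapped_material,
        "ExpirationModel": "KEY_MATERIAL_EXPIRES",
        "ValidTo": valid_to,
    }


def import_key_material_with_expiry(kms, key_id, material, valid_to):
    """Full flow against a key created with Origin='EXTERNAL' (needs AWS credentials)."""
    check_key_material(material)
    params = kms.get_parameters_for_import(
        KeyId=key_id, WrappingAlgorithm="RSAES_OAEP_SHA_256", WrappingKeySpec="RSA_2048"
    )
    wrapped = wrap_key_material(params["PublicKey"], material)
    # Reimporting before ValidTo with a new date is the manual-rotation step.
    kms.import_key_material(**import_request(key_id, params["ImportToken"], wrapped, valid_to))


def rotation_posture(key_metadata, now, lead_days=30):
    """Classify a DescribeKey KeyMetadata dict by how its rotation has to happen."""
    origin = key_metadata.get("Origin")
    if origin == "AWS_KMS":
        return "automatic-rotation-eligible"
    if origin == "EXTERNAL_KEY_STORE":
        return "rotated-outside-aws"  # key material never entered KMS
    if origin == "EXTERNAL":
        if key_metadata.get("KeyState") == "PendingImport":
            return "no-key-material"
        if key_metadata.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES":
            if key_metadata["ValidTo"] - now <= timedelta(days=lead_days):
                return "reimport-due"  # material expires soon; data becomes unreadable after
            return "manual-rotation-scheduled"
        return "manual-rotation-no-expiry"
    return "review"  # e.g. AWS_CLOUDHSM or an unexpected value


AUDIT_NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)  # constructed reference time


def constructed_inventory():
    """Constructed KeyMetadata stand-ins with made-up key IDs (not real keys)."""
    return [
        {"KeyId": "key-aws-generated", "Origin": "AWS_KMS", "KeyState": "Enabled"},
        {"KeyId": "key-imported-due", "Origin": "EXTERNAL", "KeyState": "Enabled",
         "ExpirationModel": "KEY_MATERIAL_EXPIRES", "ValidTo": AUDIT_NOW + timedelta(days=10)},
        {"KeyId": "key-imported-ok", "Origin": "EXTERNAL", "KeyState": "Enabled",
         "ExpirationModel": "KEY_MATERIAL_EXPIRES", "ValidTo": AUDIT_NOW + timedelta(days=200)},
        {"KeyId": "key-pending", "Origin": "EXTERNAL", "KeyState": "PendingImport"},
        {"KeyId": "key-xks", "Origin": "EXTERNAL_KEY_STORE", "KeyState": "Enabled"},
    ]


def audit(inventory, now=AUDIT_NOW, lead_days=30):
    """Map each key ID to its rotation posture; feed real DescribeKey output in production."""
    return {k["KeyId"]: rotation_posture(k, now, lead_days) for k in inventory}


if __name__ == "__main__":
    for key_id, posture in audit(constructed_inventory()).items():
        print(f"{key_id}: {posture}")
```

In a real account, `audit()` would be fed the `KeyMetadata` from `describe_key` for every key in `list_keys`; the `reimport-due` label is the one to alert on, since once imported material expires the key stops working and everything encrypted under it is unreadable until the same material is reimported.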
| Feature | AWS-Generated | Imported | External Key Store |
| --- | --- | --- | --- |
| Key generation | AWS KMS HSM | Your HSM/tool | Your external HSM |
| Key material location | KMS HSMs | KMS HSMs (after import) | Your HSM (never in AWS) |
| Automatic rotation | ✅ Yes (annual) | ❌ No | ❌ No |
| Key expiration | ❌ No | ✅ Yes (configurable) | ❌ No |
| Operational complexity | Low | Medium | High |

⚠️ Exam Trap: Imported key material does NOT support automatic rotation. If a question mentions both imported keys and automatic rotation, those are incompatible — you must manually rotate imported key material.

Scenario: A government agency requires encryption keys to be generated in their FIPS 140-3 Level 3 certified HSM. They generate key material in their HSM, import it into KMS with a 1-year expiration, and reimport new material annually as manual rotation.

Reflection Question: Why would an organization accept the operational overhead of imported key material or external key stores, and what compliance requirements drive this decision?

Written by Alvin Varughese, Founder, 15 professional certifications