Question # 0: AWS console displays AWS managed keys and Customer Managed Keys; it doesn't display AWS owned CMKs as an item in the list. As per documentation, customers cannot view or manage AWS-owned CMKs. However, under AWS managed keys, I see keys that were not created by me either implicitly or explicitly. Particularly I see this key with the alias aws/dynamodb. When I created DynamoDB tables, I used default settings which means, it will use AWS-owned CMKs for encryption at rest. Does this mean, "aws/dynamodb" is an AWS-owned CMK? It is a bit ambiguous. Is there a field in aws kms describe-key that displays the type?
The default option in us-east-1 is AWS owned CMK
Question # 1: Other than rotation policy, ownership, and the cost, is there a fundamental difference in the way AWS-owned CMKs encrypt/decrypt data when compared to AWS-managed CMKs?
Question # 2: As per the documentation, AWS-owned CMK usage is not limited to one particular account, this means there is a possibility that AWS uses the same CMK across multiple different accounts Is this understanding correct?
Question # 3: What services besides DynamoDB use AWS-owned CMKs for encryption at rest? In the picture, I see some more keys, and those are corresponding services that I tried.
Appreciate any help. Thanks in advance.
