This section covers customer-managed CMKs and how to add permissions to their key policy.

The primary resources in the AWS Key Management Service are customer master keys (CMKs). Customer-managed CMKs are CMKs that the user creates, manages, and uses. This is in contrast to AWS-managed CMKs, which are created, managed, and used on the user’s behalf by an AWS service that is integrated with AWS KMS.

Managing a customer-managed CMK includes enabling and disabling the CMK, rotating its cryptographic material, establishing the IAM policies and key policies that govern access to the CMK, and using the CMK in cryptographic operations.

When server-side encryption (SSE) of an SQS queue uses a customer-managed CMK, an SNS topic that publishes to that queue must be able to use the same key to encrypt the messages it sends. For this, the key policy of the CMK must be modified to allow the SNS service principal to use it.
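The key-policy change described above, as an added example that is not part of the original page: it appends a statement granting the `sns.amazonaws.com` service principal the KMS actions SNS needs (`kms:GenerateDataKey*` and `kms:Decrypt`, the real AWS action names) and includes a simple pre-deployment check that the resulting policy covers those actions. The account id, statement ids and the starting policy are constructed placeholders.

```python
import json

# Real KMS action names SNS needs to encrypt messages for an SSE-enabled SQS queue.
SNS_REQUIRED_ACTIONS = ["kms:GenerateDataKey*", "kms:Decrypt"]
SNS_SID = "AllowSNSToUseCMK"  # statement id chosen for this example

# Constructed sample key policy: only the (placeholder) account root may administer the CMK.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "EnableRootPermissions", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "kms:*", "Resource": "*"}],
})

def sns_key_policy_statement():
    """Statement granting the SNS service principal use of this CMK.
    In a key policy, Resource "*" means only the key the policy is attached to."""
    return {"Sid": SNS_SID, "Effect": "Allow",
            "Principal": {"Service": "sns.amazonaws.com"},
            "Action": list(SNS_REQUIRED_ACTIONS), "Resource": "*"}

def add_sns_statement(policy_json):
    """Return the key policy JSON with the SNS statement appended (idempotent)."""
    policy = json.loads(policy_json)
    statements = policy.setdefault("Statement", [])
    if not any(s.get("Sid") == SNS_SID for s in statements):
        statements.append(sns_key_policy_statement())
    return json.dumps(policy, indent=2)

def _matches(pattern, action):
    # KMS action patterns may end with "*", e.g. kms:GenerateDataKey* also
    # covers kms:GenerateDataKeyWithoutPlaintext.
    if pattern in ("*", "kms:*"):
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action

def sns_can_use_key(policy_json):
    """True if Allow statements for sns.amazonaws.com cover kms:GenerateDataKey
    and kms:Decrypt. Deny statements and Conditions are not evaluated, so this is
    a sanity check on the policy document, not a full IAM evaluation."""
    needed = {"kms:GenerateDataKey", "kms:Decrypt"}
    for s in json.loads(policy_json).get("Statement", []):
        principal = s.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        if s.get("Effect") != "Allow" or "sns.amazonaws.com" not in services:
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        needed -= {n for n in needed if any(_matches(a, n) for a in actions)}
    return not needed
```

The returned JSON is what you would pass to `aws kms put-key-policy --policy-name default`; the root statement must stay in place or the key can become unmanageable.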