Why use a CMK on AWS (or a CMEK on GCP) at all, when the cloud provider's own managed keys encrypt the data just as well?

That's a question a lot of my customers (usually their development teams) have asked me.

The answer is simple. More control.

Across AWS Accounts and Across Projects (GCP)

What if you had an S3 bucket in account A and another one in account B, and wanted both to use the same encryption key?

The same applies to a Cloud Storage bucket in project A and another in project B on GCP.

On AWS, a customer managed key (CMK) is the only way to accomplish this. The AWS managed key for S3 (aws/s3) belongs to the service in the account that created it and cannot be referenced from any other account, whereas a CMK has a key policy in which you grant account B's principals permission to use it. Two things are easy to miss: account B's role also needs an IAM policy allowing the same kms: actions on the key (the key policy alone is not enough), and the bucket in account B must name the key by its full ARN, because aliases and bare key IDs only resolve in the key's own account. The GCP equivalent is a Cloud KMS CMEK: Google-managed default encryption has no key you can reference at all, but a CMEK in project A can be used by Cloud Storage in project B once project B's Cloud Storage service agent has roles/cloudkms.cryptoKeyEncrypterDecrypter on that key.
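As an added example (not part of the original post), here are the three documents a cross-account CMK setup on AWS comes down to, plus a small audit function that reports which outside accounts a key policy admits. The account IDs, bucket names and key ARN are hypothetical, and only the AWS side is shown.

```python
import json

# Hypothetical account IDs and key ARN used throughout this example.
KEY_OWNER_ACCOUNT = "111111111111"
CONSUMER_ACCOUNT = "222222222222"
KEY_ARN = (f"arn:aws:kms:us-east-1:{KEY_OWNER_ACCOUNT}"
           ":key/1234abcd-12ab-34cd-56ef-1234567890ab")

# What a principal needs to read and write SSE-KMS objects in S3.
# kms:GenerateDataKey* covers GenerateDataKey and GenerateDataKeyWithoutPlaintext.
S3_KEY_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                      "kms:GenerateDataKey*", "kms:DescribeKey"]


def build_key_policy(owner_account, consumer_accounts):
    """Key policy for the CMK in the owning account.

    Statement 1 keeps the owner account's IAM policies in charge of the key (without
    it the key becomes unmanageable). Statement 2 delegates *use* to each consumer
    account's root principal; that account then decides with ordinary IAM policies
    which of its roles really get the actions.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "EnableIAMPoliciesInOwnerAccount", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{owner_account}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowUseFromConsumerAccounts", "Effect": "Allow",
             "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in consumer_accounts]},
             "Action": S3_KEY_USE_ACTIONS, "Resource": "*"},
        ],
    }


def build_consumer_iam_policy(key_arn):
    """IAM policy for the role in the consumer account that touches the bucket.
    Cross-account use needs BOTH this and the key policy; either alone is a deny."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": S3_KEY_USE_ACTIONS,
                           "Resource": key_arn}]}


def build_bucket_encryption(key_arn):
    """Default-encryption rule for a bucket in EITHER account. The key must be
    given by full ARN: an alias or bare key ID only resolves in the owning account."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": key_arn},
        "BucketKeyEnabled": True,
    }]}


def _principal_accounts(principal):
    """Account IDs named by a policy Principal element ('*' if anyone is allowed)."""
    if principal == "*":
        return {"*"}
    aws = principal.get("AWS", [])
    if isinstance(aws, str):
        aws = [aws]
    accounts = set()
    for p in aws:
        if p == "*":
            accounts.add("*")
        elif p.startswith("arn:aws:iam::"):
            accounts.add(p.split(":")[4])  # arn:aws:iam::ACCOUNT:root|user/..|role/..
        elif len(p) == 12 and p.isdigit():
            accounts.add(p)
    return accounts


def external_accounts_with_access(policy, owner_account):
    """Audit check: which accounts other than the owner does this key policy let in?
    Run it over kms.get_key_policy() for every CMK to find keys shared more widely
    than intended; '*' in the result means any AWS principal may use the key."""
    external = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        external |= _principal_accounts(stmt["Principal"]) - {owner_account}
    return external


def apply_with_boto3(owner_session, consumer_session, owner_bucket, consumer_bucket):
    """Create the key and configure both buckets. The sessions are boto3.Session
    objects with credentials for each account, so this is not run offline."""
    policy = build_key_policy(KEY_OWNER_ACCOUNT, [CONSUMER_ACCOUNT])
    kms = owner_session.client("kms")
    key_arn = kms.create_key(Policy=json.dumps(policy),
                             Description="shared S3 key")["KeyMetadata"]["Arn"]
    for session, bucket in ((owner_session, owner_bucket),
                            (consumer_session, consumer_bucket)):
        session.client("s3").put_bucket_encryption(
            Bucket=bucket,
            ServerSideEncryptionConfiguration=build_bucket_encryption(key_arn))
    return key_arn
```

The audit function is the part worth keeping around: the same key policy that makes cross-account buckets possible is also how a key quietly ends up usable by an account you no longer trust, and a scan of every key policy in the account surfaces that in seconds.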

More control over the Lifecycle

While a CMK can be set to auto rotate, you can also set it to NOT auto rotate, or rotate it on demand. On AWS the managed keys rotate once a year and you cannot change that; a customer managed key lets you turn rotation on or off and choose the period. Be precise about what rotation buys you, though: it only changes the key material used for new encryptions, and the old material is kept so existing ciphertext still decrypts. How long the key itself lives is controlled separately. You can disable it (every encrypt and decrypt call fails at once, which is the quickest way to make the data unreadable while keeping the option to recover) and you can schedule it for deletion with a pending window of 7 to 30 days, after which everything encrypted under it is unrecoverable. With imported key material you can also give the material an expiry date. A GCP CMEK gives you the same levers: a rotation period you choose (or none), plus disabling and destroying individual key versions.
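An added example, not from the post, of those levers on AWS: one function that exercises the boto3 calls for rotation, disabling and scheduled deletion (it needs a real KMS client and credentials, so it is not executed offline), and an audit function over the DescribeKey and GetKeyRotationStatus response shapes that flags keys whose lifecycle you do not actually control. The key ARN and the sample responses are constructed, not real keys.

```python
from datetime import datetime, timezone

# Hypothetical key ARN.
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed sample responses in the shape boto3 returns (KeyMetadata from
# describe_key, and get_key_rotation_status output). Not real keys.
SAMPLE_CUSTOMER_KEY = {"Arn": KEY_ARN, "KeyManager": "CUSTOMER",
                       "Origin": "AWS_KMS", "KeyState": "Enabled"}
SAMPLE_AWS_MANAGED = {"KeyManager": "AWS", "Origin": "AWS_KMS", "KeyState": "Enabled"}
SAMPLE_PENDING_DELETE = dict(SAMPLE_CUSTOMER_KEY, KeyState="PendingDeletion",
                             DeletionDate=datetime(2025, 6, 1, tzinfo=timezone.utc))
SAMPLE_IMPORTED = dict(SAMPLE_CUSTOMER_KEY, Origin="EXTERNAL",
                       ValidTo=datetime(2030, 1, 1, tzinfo=timezone.utc))
SAMPLE_ROTATION_OFF = {"KeyRotationEnabled": False}
SAMPLE_ROTATION_ON = {"KeyRotationEnabled": True, "RotationPeriodInDays": 90}


def lifecycle_walkthrough(kms, key_arn, rotation_days=90, pending_days=30):
    """The lifecycle calls a customer managed key exposes, in order.

    `kms` is a boto3 KMS client (boto3.client("kms")) with credentials; the
    offline checks below never call this. Rotation keeps every old backing key so
    existing ciphertext still decrypts; only disable/delete change what is readable.
    """
    # Rotation on, with a chosen period (AWS allows 90-2560 days); or leave it off.
    kms.enable_key_rotation(KeyId=key_arn, RotationPeriodInDays=rotation_days)
    # Rotate right now, e.g. after a suspected exposure, instead of waiting.
    kms.rotate_key_on_demand(KeyId=key_arn)
    # Disable: every Encrypt/Decrypt with this key fails immediately; reversible.
    kms.disable_key(KeyId=key_arn)
    # Schedule deletion with a 7-30 day window; cancel_key_deletion works until it
    # elapses, after which ciphertext under any version of the key is unrecoverable.
    resp = kms.schedule_key_deletion(KeyId=key_arn, PendingWindowInDays=pending_days)
    return resp["DeletionDate"]


def lifecycle_findings(key_metadata, rotation_status, max_rotation_days=365, now=None):
    """Audit one key from describe_key()['KeyMetadata'] and get_key_rotation_status().

    Returns a list of findings; an empty list means an enabled, customer managed key
    that rotates at least every `max_rotation_days`. `now` is injectable for tests.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    if key_metadata.get("KeyManager") == "AWS":
        # Nothing below applies: AWS sets the rotation and you cannot disable,
        # delete or share the key.
        return ["AWS managed key: yearly rotation, cannot be disabled, deleted or shared"]
    state = key_metadata.get("KeyState")
    if state == "PendingDeletion":
        findings.append(f"pending deletion on {key_metadata['DeletionDate'].date()}")
    elif state == "Disabled":
        findings.append("disabled: all Encrypt/Decrypt calls with it currently fail")
    elif state != "Enabled":
        findings.append(f"unusable state {state}")
    if key_metadata.get("Origin") == "EXTERNAL":
        valid_to = key_metadata.get("ValidTo")
        if valid_to is not None and valid_to < now:
            findings.append(f"imported key material expired on {valid_to.date()}")
        findings.append("imported material: automatic rotation is not available, "
                        "rotate by importing new material")
    elif not rotation_status.get("KeyRotationEnabled"):
        findings.append("automatic rotation is off")
    elif rotation_status.get("RotationPeriodInDays", 365) > max_rotation_days:
        findings.append(f"rotation period {rotation_status['RotationPeriodInDays']} days "
                        f"exceeds {max_rotation_days}")
    return findings
```

Feeding `lifecycle_findings` the output of `list_keys` plus `describe_key` and `get_key_rotation_status` for each key gives you the inventory most teams are missing: which keys are rotating, which are disabled or on a deletion countdown, and which are AWS managed and therefore outside your control.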

Summary

It is a mistake to assume that AWS managed keys or GCP managed keys are the best option for encrypting your workloads. CMKs (AWS now calls them customer managed keys; they are still cloud managed in the sense that the provider stores the key material and runs the HSMs, but with far more customer input) are a very useful tool for the use cases outlined above.



Need an experienced Cloud Security Expert? 
Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.