Correct answer - "KMS encrypts and decrypts data using your master keys stored in KMS" : These
are known as customer master keys or CMKs. You can generate CMKs in KMS, in an AWS CloudHSM
cluster, or import them from your own key management infrastructure.
Incorrect:
"KMS receives CMK from the client at every encrypt call, and encrypts the data with that" - You
can import your own CMK (Customer Master Key) but it is done once and then you can
encrypt/decrypt as needed
"KMS sends the CMK to the client, which performs the encryption and then deletes the CMK" - KMS
does not send CMK to the client, KMS decrypts the data
"KMS generates a new CMK for each encrypt call and encrypts the data with it" - KMS does not
generate a new key each time but you can have KMS rotate the keys for you. Best practices
discourage extensive reuse of encryption keys so it is good practice to generate new keys
For more information visit