[manigandham]

What do you mean? Envelope encryption is a standard security model and can use locally generated keys. They just need to be stored with the data but that can be anywhere.

The master key(s) are what KMS is used for and it's better to have AWS handle that then do it yourself considering the effort and control involved.

[tgragnato]

One could be free from a strong dependency over AWS, but this doesn't seem to be the actual case. The SPOF is Amazon:

> This concern could be mitigated by encrypting the TMK with multiple region keys, and including the appropriate CMKID with each record. Impacts of this approach would be an increase in record write latency.

Multiple regions are a nice thing to have, but it's not real redundancy. Using a key management cloud service doesn't mean someone should be trusting AWS only.

[manigandham]

This topic is about security though, not high-availability. KMS comes with an SLA but anyone is free to use multiple KMS API's, although it just increases the amount of key material and encrypted data to manage by N providers used.