[tgragnato]

One could be free from a strong dependency over AWS, but this doesn't seem to be the actual case. The SPOF is Amazon:

> This concern could be mitigated by encrypting the TMK with multiple region keys, and including the appropriate CMKID with each record. Impacts of this approach would be an increase in record write latency.

Multiple regions are a nice thing to have, but it's not real redundancy. Using a key management cloud service doesn't mean someone should be trusting AWS only.

[manigandham]

This topic is about security though, not high-availability. KMS comes with an SLA but anyone is free to use multiple KMS API's, although it just increases the amount of key material and encrypted data to manage by N providers used.