by lvh
2992 days ago
Yep, but depends on your use case. E.g. "I have an API key and I want it encryptedly available to some servers, and engineers to be able to roll but not read the cred", KMS directly with a CMK is great. Otherwise: that's what the rest of the bulk encryption and key generation recommendations are for; get a DEK, use NaCl's secretbox or whatever. DEK sharding strategies depend on your data model so that gets a little tricky to provide good advice for in this document but that's something we help clients with, sure :)
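The "get a DEK, then encrypt with it" pattern from the comment above, as an added Go example that is not lvh's code: standard-library AES-256-GCM is swapped in for NaCl's secretbox, and `kek` is a local stand-in for a KMS-held CMK. The function names (`aead`, `seal`, `open`, `newDEK`) and the use of a record id as associated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aead returns AES-256-GCM for a 32-byte key (swapped in for secretbox).
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext+tag; aad is authenticated, not encrypted.
func seal(a cipher.AEAD, pt, aad []byte) ([]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, pt, aad), nil
}

// open reverses seal; it fails on a wrong key, wrong aad or modified box.
func open(a cipher.AEAD, box, aad []byte) ([]byte, error) {
	if len(box) < a.NonceSize() {
		return nil, fmt.Errorf("truncated box")
	}
	return a.Open(nil, box[:a.NonceSize()], box[a.NonceSize():], aad)
}

// newDEK returns a fresh DEK and its wrapped copy; kek is an assumed local stand-in for a KMS CMK.
func newDEK(kek cipher.AEAD, id []byte) (dek, wrapped []byte, err error) {
	dek = make([]byte, 32)
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(kek, dek, id)
	return dek, wrapped, err
}

func main() {
	kek, _ := aead(make([]byte, 32)) // constructed all-zero demo key
	dek, wrapped, err := newDEK(kek, []byte("record-1"))
	fmt.Println(len(dek), len(wrapped), err)
}
```

Store `wrapped` next to the ciphertext and discard the plaintext DEK after use; decryption first recovers it with `open(kek, wrapped, id)`.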