by starfallg 2153 days ago
My understanding is that Customer Managed CMK in KMS only means that the customer has control over the key operations - like rotation, key policies, IAM policies, etc. AWS still has actual control over the KMS system and full access to the HSM.
2 comments

Even under this definition how in the HELL are they "routinely" trawling our production data secured by these keys. I mean, does no one think that is ridiculous?

This isn't Amazon billing data etc. (obviously I expect they analyze that carefully given they bring in billions from billing). To ROUTINELY go through AWS customer production datasets is beyond all reason.

No. AWS has no access to your material, nor is there a code path where they could get it.
We just had someone claiming to work for Amazon who said it was "routine" to "trawl" through CUSTOMER production data.

How are they trawling through all our buckets and databases without code paths for access?

Again, they aren't talking about Amazon data (i.e., billing, support inquiries etc.). They are talking about customer production data.