AWS KMS is a managed service that makes it easy for you to create and control the cryptographic keys used to encrypt your data.
You can create your own keys or use AWS-managed keys. **Architect Note:** Always use **Customer Managed Keys** for sensitive production data. They give you a full audit trail of exactly who (or which role) used the key to encrypt or decrypt each piece of data.
KMS isn't designed to encrypt massive payloads (like a 1GB file). Instead, you use KMS to generate and encrypt a **Data Key**, and you use that Data Key locally in your C# code to encrypt the large file; only the encrypted copy of the Data Key is stored alongside the ciphertext. This 'Envelope' pattern is the same one AWS services use internally.
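The Data Key pattern from the paragraph above, as an added C# example that is not part of the original notes. It assumes .NET 8, the AWSSDK.KeyManagementService NuGet package, AWS credentials already configured in the environment, and a placeholder key ARN you replace with your own Customer Managed Key.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;
// Envelope encryption: KMS only ever handles the 32-byte data key (its Encrypt API caps
// plaintext at 4 KB); the bulk payload is encrypted locally with AES-256-GCM.
public static class Envelope
{
    const string KeyArn = "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"; // placeholder, not a real key
    // The context is bound to the wrapped key and logged in CloudTrail; decrypt must present the same map.
    static readonly Dictionary<string, string> Ctx = new() { ["purpose"] = "file-upload" };
    // Output layout: [int32 wrappedKeyLen][wrapped data key][12-byte nonce][16-byte tag][ciphertext]
    public static async Task<byte[]> EncryptAsync(IAmazonKeyManagementService kms, byte[] plaintext)
    {
        var dk = await kms.GenerateDataKeyAsync(new GenerateDataKeyRequest
            { KeyId = KeyArn, KeySpec = DataKeySpec.AES_256, EncryptionContext = Ctx });
        byte[] key = dk.Plaintext.ToArray();            // plaintext key: use once, then wipe
        byte[] wrapped = dk.CiphertextBlob.ToArray();   // safe to store beside the ciphertext
        try
        {
            byte[] nonce = RandomNumberGenerator.GetBytes(12), tag = new byte[16], ct = new byte[plaintext.Length];
            using var aes = new AesGcm(key, tag.Length);
            aes.Encrypt(nonce, plaintext, ct, tag);
            using var ms = new MemoryStream();
            ms.Write(BitConverter.GetBytes(wrapped.Length)); ms.Write(wrapped); ms.Write(nonce); ms.Write(tag); ms.Write(ct);
            return ms.ToArray();
        }
        finally { CryptographicOperations.ZeroMemory(key); }
    }

    public static async Task<byte[]> DecryptAsync(IAmazonKeyManagementService kms, byte[] blob)
    {
        int n = BitConverter.ToInt32(blob, 0);
        byte[] wrapped = blob[4..(4 + n)], nonce = blob[(4 + n)..(16 + n)], tag = blob[(16 + n)..(32 + n)], ct = blob[(32 + n)..];
        // KeyId pins the CMK: a wrapped key produced under a different key is rejected rather than silently accepted.
        var resp = await kms.DecryptAsync(new DecryptRequest
            { CiphertextBlob = new MemoryStream(wrapped), KeyId = KeyArn, EncryptionContext = Ctx });
        byte[] key = resp.Plaintext.ToArray();
        try
        {
            var pt = new byte[ct.Length];
            using var aes = new AesGcm(key, tag.Length);
            aes.Decrypt(nonce, ct, tag, pt);            // throws if the tag does not verify
            return pt;
        }
        finally { CryptographicOperations.ZeroMemory(key); }
    }
}
```

For a genuinely large file you would stream the payload through AES-GCM in chunks rather than hold it in one array, but the KMS interaction stays exactly as shown: one GenerateDataKey per object and one Decrypt per read.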
Q: "Can I use KMS for data at rest on RDS?"
Architect Answer: "YES! When you create an RDS instance or an S3 bucket, you can simply check a box to 'Enable Encryption' using a KMS key. AWS handles all the heavy lifting of transparently encrypting and decrypting data as it is written to and read from the disk. This satisfies 90% of regulatory requirements for 'Encryption at Rest'."