These CMKs are owned and used by AWS services to encrypt your data. They do not reside within your KMS console or indeed within your account, nor do you have the ability to audit and track their usage. They are essentially abstracted from your AWS account. However, because they can be used by services used within your AWS account, those services do have the capabilities to use those keys to encrypt your data within your account.
They are managed and created by AWS, and so there is no management of these keys required. When it comes to the rotation of AWS-owned CMKs, it is down to the particular service that manages that particular key, and so the rotation period varies from service to service.
Examples of AWS-owned CMKs include the following:
- The encryption used to encrypt all Amazon DynamoDB tables, which are encrypted by default with no option to disable this encryption
- Amazon S3 encryption using the S3 master key (SSE-S3)