In the context of KMS CMK (Key Management Service Customer Master Key), compare customer-managed CMK to AWS-managed CMK.

For typical use cases, AWS-managed CMK is sufficient. Customer-managed CMK allows more fine-grained control over the creation, rotation, deletion, and usage of the key. For example, a customer-managed CMK can be imported into AWS by the customer, or the customer can choose to let KMS generate the key. A customer-managed CMK is sometimes needed due to compliance requirements. (If the requirements are particularly stringent, you may need to attach CloudHSM to KMS.)