Each cloud service provider (e.g., AWS, Azure, GCP) offers its own key management service (KMS) as a convenience for its customers. A provider's encryption and key management services are cloud-specific, so a cloud administrator has to learn the vocabulary and quirks of each cloud vendor they use.
A cloud vendor can derive data encryption keys internally from key material that its own KMS originated, or from key material supplied by an external source: bring-your-own-key (BYOK) or hold-your-own-key (HYOK) keys.
In certain circumstances, data sovereignty laws and regulatory requirements mandate BYOK or HYOK keys in order to achieve separation of duties.
Using an external KMS lets you choose a cloud-independent service that can make managing your cloud native keys more efficient. The right external KMS can also increase operational resiliency across cloud vendors and on-premises systems, and provide BYOK and HYOK keys so that you remain compliant with data sovereignty laws and regulatory requirements.
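The separation of duties that BYOK and HYOK keys provide comes from envelope encryption: the cloud side encrypts each object under a fresh data encryption key (DEK), but the DEK itself is only ever stored wrapped under a key encryption key (KEK) that the key owner controls. The following Go program is an added example written for this page, not code from any cloud vendor or KMS product. `ExternalKMS` and `CloudStore` are hypothetical types that stand in for a customer-operated key service and a provider's storage service; the KEK is a constructed sample value supplied from outside (the BYOK/HYOK case), and `Revoke` shows what happens to data at rest when the key owner withholds that KEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randBytes returns n random bytes (used for per-object DEKs and nonces).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system CSPRNG is not recoverable here
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and returns nonce||ciphertext||tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong AAD or tampered blob fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, errors.New("cannot open sealed blob")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// ExternalKMS (hypothetical) models a customer-operated key service in the HYOK pattern:
// the KEK is supplied from outside and never leaves it; the cloud only submits DEKs to be wrapped or unwrapped.
type ExternalKMS struct {
	kek     []byte
	revoked bool
}

func NewExternalKMS(kek []byte) *ExternalKMS { return &ExternalKMS{kek: kek} }

// Wrap and Unwrap bind the DEK to its object ID through GCM additional data, so a wrapped DEK cannot be replayed against another object.
func (k *ExternalKMS) Wrap(dek []byte, objectID string) ([]byte, error) {
	if k.revoked {
		return nil, errors.New("kms: key withheld by its owner")
	}
	return seal(k.kek, dek, []byte(objectID))
}

func (k *ExternalKMS) Unwrap(wrapped []byte, objectID string) ([]byte, error) {
	if k.revoked {
		return nil, errors.New("kms: key withheld by its owner")
	}
	return open(k.kek, wrapped, []byte(objectID))
}

// Revoke is the key owner's lever: withholding the KEK makes everything stored under it unreadable.
func (k *ExternalKMS) Revoke() { k.revoked = true }

// CloudStore (hypothetical) stands in for the provider's storage: it keeps ciphertext and wrapped DEKs only, never a plaintext DEK and never the KEK.
type envelope struct{ wrappedDEK, ciphertext []byte }
type CloudStore struct{ objects map[string]envelope }

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string]envelope{}} }

// Put makes a fresh per-object DEK, encrypts under it, and stores only the KMS-wrapped DEK.
func (c *CloudStore) Put(kms *ExternalKMS, objectID string, plaintext []byte) error {
	dek := randBytes(32) // AES-256 data encryption key, dropped after wrapping
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return err
	}
	wrapped, err := kms.Wrap(dek, objectID)
	if err != nil {
		return err
	}
	c.objects[objectID] = envelope{wrappedDEK: wrapped, ciphertext: ct}
	return nil
}

// Get has to round-trip through the external KMS to recover the DEK; a missing object yields an empty envelope, which fails to unwrap.
func (c *CloudStore) Get(kms *ExternalKMS, objectID string) ([]byte, error) {
	env := c.objects[objectID]
	dek, err := kms.Unwrap(env.wrappedDEK, objectID)
	if err != nil {
		return nil, err
	}
	return open(dek, env.ciphertext, []byte(objectID))
}
```

The design point is that nothing the cloud side persists is sufficient to recover plaintext: a wrapped DEK is useless without the KEK, a different KEK fails authentication rather than producing garbage, and once the owner revokes the KEK every `Get` fails. A real HYOK deployment replaces the in-process `ExternalKMS` with a network call to the customer's own KMS or HSM, which is also where key use gets logged for audit.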