First, the data is stored in another country. Second, are they really going to raid and take the drives at an AWS data center that has other customers’ information? How will they know which drive to take?
Plus you can engage in some jurisdiction arbitrage where all the documents pertaining to country A are stored in country B, and all the documents pertaining to country B are stored in country A.
> Second, are they really going to raid and take the drives at an AWS data center that has other customers’ information?
You can also ask AWS to produce the files/documents for you.
(Source: I am a current high level employee at a third party AWS consulting company and former employee at AWS working in the Professional Services department)
I actually was imprecise with my wording.
A customer managed KMS key is any key that you make instead of using an AWS provided key. AWS still has the means to theoretically decrypt the data.
I am actually referring to a customer managed KMS key where you import your own key material.
I don’t know how far “AWS doesn’t have access to your keys” goes when it comes to a government subpoena.
I do know that if anyone accesses anything on your account from AWS, all sorts of internal alarm bells go off at AWS and it would still show up in your CloudTrail logs.
I’m sure there is something that allows internal AWS employees to access your account in unauthorized ways. But I never heard about it in 3.5 years working there in the Professional Services department.
Data stored in another country: are there reciprocal prosecution agreements with that country?
Raiding AWS: call Amazon, provide subpoena, Amazon can either give access to the account or provide copies of data. This would only allow access to non-customer encrypted data.
I played with encryption schemes and obfuscation pretty heavily for a long time, but at the end of the day companies operate within the legal frameworks of the countries they reside in. If you don’t cooperate, you could end up in jail anyway.
I think the conclusion I’ve come to is that you have to play by the rules. If you don’t like them, is it really worth falling on the sword for a corporate entity?