(Source: I am a current high level employee at a third party AWS consulting company and former employee at AWS working in the Professional Services department)
I actually was imprecise with my wording.
A customer managed KMS key is any key that you make instead of using an AWS provided key. AWS still has the means to theoretically decrypt the data.
I am actually referring to a customer managed KMS key where you import your own key material.
I don’t know how far “AWS doesn’t have access to your keys” goes when it comes to a government subpoena.
I do know that if anyone accesses anything on your account from AWS, all sorts of internal alarm bells go off at AWS and it would still show up in your CloudTrail logs.
I’m sure there is something that allows internal AWS employees to access your account in unauthorized ways. But I never heard about it in 3.5 years working there in the Professional Services department.
Not an AWS expert, but how does that even work? Does AWS connect to your HSM remotely? Or is it a cloud HSM that's also hosted by AWS?