Which type of key is the only supported key type in AWS RDS?

Prepare for the GIAC Cloud Security Automation Test with interactive quizzes and multiple choice questions, each equipped with detailed explanations and hints. Sharpen your skills and ace the exam!

In AWS RDS (Relational Database Service), the only supported key type for encryption at rest is KMS-managed keys. This means that when you enable encryption for your RDS instances, AWS uses the AWS Key Management Service (KMS) to manage the keys that encrypt your data.

KMS-managed keys provide a high level of security by integrating with the AWS ecosystem, allowing you to easily control access permissions, audit key usage, and manage the lifecycle of the keys. By using KMS, you also benefit from the service's built-in redundancy and high availability, as AWS manages the underlying infrastructure.

This key type is designed specifically to work with various AWS services, streamlining the process of encrypting resources across AWS. Customer-managed keys can refer to keys created and managed by the user, but in the context of RDS they are still handled through KMS. "AES-managed keys" is not a key type supported by AWS: AES belongs to encryption algorithms rather than to key management. Custom encryption keys can imply keys generated by users; however, they must still be managed through KMS within AWS architectures for integration with RDS. Thus, using KMS-managed keys aligns perfectly with AWS's security
