Tags: amazon-web-services, amazon-rds, amazon-kms

How does AWS RDS KMS encryption really work?

I know we can select a KMS (customer or AWS managed) key when creating our RDS database.

However, I find the documentation quite vague about the different processes, so I've got the following questions:

  • Does it mean that only one data key will be used for the whole database to encrypt everything?
  • Where exactly is the encrypted version of the data key located?
  • When does RDS decrypt the encrypted data key to use it?
  • How often does RDS need to make an API call against KMS to decrypt the encrypted version of the data key it keeps?

Solution

  • Does it mean that only one data key will be used for the whole database?

    The documentation really doesn't specify any details. Based on the AWS best practices and other documentation, I'd assume the data key is cached and reused for a certain time and then regenerated.

    However, the details are not publicly available. All the storage encryption is hidden under the hood and not visible to the client.

  • How often does RDS need to make an API call against KMS to decrypt the encrypted version of the data key it keeps?

    AWS KMS calls are logged in CloudTrail and you will see the calls on the bill as well, at least for the CMK (I'm not sure how it is for the default service KMS).
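To actually measure the call frequency the answer points at, here is an added example (not from the question or the answer, and not AWS code) that filters CloudTrail records for KMS data-key calls invoked by the RDS service principal and reports, per key, how many calls of each kind occurred and the gap in seconds between successive Decrypt calls. The records are constructed for this example: the key ARN, account id and timestamps are placeholders, and the record shape (eventSource, eventName, userIdentity.invokedBy, resources) is assumed from CloudTrail's KMS event format.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Placeholder key ARN and account id; replace with values from your own trail.
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-000000000000"
RDS_SERVICE = "rds.amazonaws.com"
# KMS operations involved in wrapping/unwrapping a data key (assumed set of interest).
DATA_KEY_EVENTS = {"Decrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "CreateGrant"}


def _rec(time, name, source="kms.amazonaws.com", invoked_by=RDS_SERVICE):
    """Build one constructed CloudTrail record in the shape of a real KMS event."""
    ident = {"type": "AWSService", "invokedBy": invoked_by} if invoked_by else {"type": "IAMUser"}
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": ident, "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}]}


# Constructed sample trail: RDS-invoked KMS calls plus two records that must be ignored.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2024-01-01T00:00:00Z", "GenerateDataKeyWithoutPlaintext"),
    _rec("2024-01-01T00:00:05Z", "Decrypt"),
    _rec("2024-01-01T00:05:05Z", "Decrypt"),
    _rec("2024-01-01T00:07:00Z", "Decrypt", invoked_by=None),             # human caller, not RDS
    _rec("2024-01-01T00:08:00Z", "GetObject", source="s3.amazonaws.com"),  # not a KMS event
    _rec("2024-01-01T00:10:05Z", "Decrypt"),
]})


def rds_kms_events(trail_json):
    """Keep only KMS data-key events whose caller was the RDS service principal."""
    records = json.loads(trail_json)["Records"]
    return [r for r in records if r.get("eventSource") == "kms.amazonaws.com"
            and r.get("eventName") in DATA_KEY_EVENTS
            and r.get("userIdentity", {}).get("invokedBy") == RDS_SERVICE]


def summarise(events):
    """Per key ARN: count of each event name and gaps (seconds) between successive Decrypt calls."""
    per_key = defaultdict(lambda: {"counts": Counter(), "decrypt_gaps_s": []})
    last_decrypt = {}
    for r in sorted(events, key=lambda r: r["eventTime"]):  # ISO-8601 strings sort chronologically
        for res in r.get("resources", []):
            if res.get("type") != "AWS::KMS::Key":
                continue
            arn = res["ARN"]
            per_key[arn]["counts"][r["eventName"]] += 1
            if r["eventName"] == "Decrypt":
                t = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                if arn in last_decrypt:
                    per_key[arn]["decrypt_gaps_s"].append((t - last_decrypt[arn]).total_seconds())
                last_decrypt[arn] = t
    return dict(per_key)


if __name__ == "__main__":
    for arn, s in summarise(rds_kms_events(SAMPLE_TRAIL)).items():
        print(arn, dict(s["counts"]), s["decrypt_gaps_s"])
```

On a real trail, a steady gap between Decrypt calls for one key is the cache-and-reuse interval the answer describes; a Decrypt for the same key without `invokedBy: rds.amazonaws.com` is a caller other than the service and worth a look.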