Tags: amazon-web-services, amazon-kms

Why would someone use a 3rd party encryption key management product vs AWS KMS?


I've seen that there are a number of different encryption key management services out there to choose from, and, of course, each CSP provides their own key management services as well.

If I'm building a cloud-based application from scratch, is there any reason that I'd want to use a different encryption key management solution besides AWS KMS? Is the reason people do this largely to integrate with on-prem/legacy tools? Is it cost that drives people to use 3rd-party tools? Or are there other security-related features and functionality that a 3rd party provides that AWS does not?

If there IS a good reason to use a 3rd party, do you have any 3rd party recommendations?

I ask these questions, because my app will be making heavy use of encryption and encryption keys and I want to make sure that I'm using the best tools for the job.

Also, I know this question is a little general, so thanks in advance for your response.


Solution

  • Some potential good reasons:

    • Contractual requirement
    • Existing solutions already in place or used

    AWS and other CSPs offer their own, but they allow the use of 3rd-party solutions too primarily for flexibility so that if a customer has requirements that mandate the use of a particular key management solution, they can still otherwise use AWS while continuing to meet their particular encryption tool/source requirements. One example would be if a government contract mandated a particular encryption solution be used. An AWS blog mentions

    For customers already encrypting data on-premise, using an on-premises hardware security module (HSM) allows you to move existing encrypted data directly into the cloud with little effort and continue using your existing compliance processes.

    So it may make sense to use something else if you've already bought something else or already have something else in place. But if you don't have such requirements or preconditions, you are likely better off just using AWS and a cloud-native approach. Its encryption capabilities are high quality and offer many features. No doubt the competing encryption key management vendors will tout their own capabilities as they compete for business, so at that point it really becomes an opinionated consideration.

    Other observations/opinions exist in this article.