AWS KMS External Key Store

An external key store is a custom key store backed by an external key manager outside of AWS that you own and manage. Your external key manager can be physical or virtual hardware security modules (HSMs), or any hardware-based or software-based system capable of generating and using cryptographic keys. Encryption and decryption operations that use a KMS key in an external key store are performed by your external key manager using your cryptographic key material. This capability is known as "hold your own keys" (HYOK).
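
An added example (not from the AWS documentation) of how to tell which KMS keys are HYOK keys: it classifies keys by their Origin field and checks the state of the backing external key store. The input dicts are constructed samples that use the field names of the DescribeKey and DescribeCustomKeyStores responses; the key and store IDs are placeholders.

```python
# Who performs encrypt/decrypt for each Origin value that KMS reports.
ORIGIN_OPERATOR = {
    "AWS_KMS": "AWS KMS HSMs",
    "EXTERNAL": "AWS KMS HSMs (imported key material)",
    "AWS_CLOUDHSM": "your AWS CloudHSM cluster",
    "EXTERNAL_KEY_STORE": "your external key manager (HYOK)",
}

def inventory(keys, stores):
    """One row per key: where crypto runs and, for HYOK keys, any store issue."""
    by_id = {s["CustomKeyStoreId"]: s for s in stores}
    rows = []
    for k in keys:
        origin = k.get("Origin", "UNKNOWN")
        row = {"key_id": k["KeyId"], "origin": origin,
               "operator": ORIGIN_OPERATOR.get(origin, "unknown"),
               "hyok": origin == "EXTERNAL_KEY_STORE",
               "store": None, "issue": None}
        if row["hyok"]:
            store = by_id.get(k.get("CustomKeyStoreId"))
            if store is None:
                row["issue"] = "key store not found in inventory"
            else:
                row["store"] = store["CustomKeyStoreName"]
                if store.get("CustomKeyStoreType") != "EXTERNAL_KEY_STORE":
                    row["issue"] = "key origin and store type disagree"
                elif store.get("ConnectionState") != "CONNECTED":
                    # KMS cannot reach the external key manager through this store.
                    row["issue"] = "store is " + store.get("ConnectionState", "UNKNOWN")
        rows.append(row)
    return rows

# Constructed sample data (placeholder IDs, not real resources).
SAMPLE_STORES = [
    {"CustomKeyStoreId": "cks-constructed0001", "CustomKeyStoreName": "ExampleXksStore",
     "CustomKeyStoreType": "EXTERNAL_KEY_STORE", "ConnectionState": "DISCONNECTED"},
]
SAMPLE_KEYS = [
    {"KeyId": "key-aaaa", "Origin": "AWS_KMS"},
    {"KeyId": "key-bbbb", "Origin": "EXTERNAL_KEY_STORE",
     "CustomKeyStoreId": "cks-constructed0001"},
    {"KeyId": "key-cccc", "Origin": "EXTERNAL_KEY_STORE",
     "CustomKeyStoreId": "cks-missing"},
]

if __name__ == "__main__":
    for r in inventory(SAMPLE_KEYS, SAMPLE_STORES):
        print(r["key_id"], "|", r["operator"], "|", r["issue"] or "ok")
```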

For more information, see Custom key stores and External key stores.