Hacker News | randomv's comments

It uses the GenerateDataKey API against a single master key.

At the client side, yes, it could send an SNS notification, or otherwise go indirectly via a Lambda.

Or, alternatively, stream CloudTrail logs through Lambda to achieve a similar result.


There are a few different revocation options:

* `grant-computer` creates a KMS grant as per http://docs.aws.amazon.com/kms/latest/developerguide/grants.... . `revoke-computer` removes the grant without touching the keys.

* The AWS access keys for the IAM user the tool uses, which can be rotated, revoked, recreated, etc.

* The per-disk encryption key, which can be deleted from DynamoDB

* The KMS CMK, which can be deleted, disabled, etc.

I mainly wanted to solve having to plug in a keyboard and type something in, or having a key on a USB stick and be diligent enough to take it out of the home.
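The two comments above describe the unlock path (GenerateDataKey against a single master key, the wrapped per-disk key kept in DynamoDB, a KMS grant per computer) and the layers at which access can be revoked. The script below is an added example, not the tool's code and not AWS's API: it models those layers locally with a stand-in for the CMK (`FakeKMS`), a dict playing the DynamoDB table (`DiskVault.table`) and a toy HMAC-based seal/open pair in place of real KMS wrapping, so the effect of each revocation step can be seen without talking to AWS. All class and function names are invented for the illustration; the disk contents and principal names are constructed inputs.

```python
import hashlib
import hmac
import os


def prf_stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a keystream. Toy construction so the
    script runs on the standard library; not a substitute for real KMS wrapping."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh nonce. Layout: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, prf_stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, prf_stream(key, nonce, len(ct))))


class FakeKMS:
    """Stand-in for one CMK: wraps and unwraps data keys, gated by grants and an enabled flag."""

    def __init__(self):
        self._master = os.urandom(32)   # master key material; never leaves the 'service'
        self.enabled = True
        self.grants = {}                # grant_id -> grantee principal

    def create_grant(self, grantee: str) -> str:          # what `grant-computer` would do
        grant_id = os.urandom(8).hex()
        self.grants[grant_id] = grantee
        return grant_id

    def revoke_grant(self, grant_id: str) -> None:        # what `revoke-computer` would do
        self.grants.pop(grant_id, None)                   # key material is untouched

    def _authorize(self, principal: str) -> None:
        if not self.enabled:
            raise PermissionError("CMK is disabled")
        if principal not in self.grants.values():
            raise PermissionError(f"{principal} holds no grant on this CMK")

    def generate_data_key(self, principal: str):
        """Models GenerateDataKey: returns (plaintext key, the same key wrapped under the CMK)."""
        self._authorize(principal)
        plaintext = os.urandom(32)
        return plaintext, seal(self._master, plaintext)

    def decrypt(self, principal: str, wrapped: bytes) -> bytes:
        self._authorize(principal)
        return open_sealed(self._master, wrapped)


class DiskVault:
    """One CMK plus a table of wrapped per-disk keys (the DynamoDB role) and the unlock path."""

    def __init__(self, kms: FakeKMS):
        self.kms = kms
        self.table = {}                 # disk_id -> wrapped data key

    def enroll(self, disk_id: str, principal: str, contents: bytes) -> bytes:
        data_key, wrapped = self.kms.generate_data_key(principal)
        self.table[disk_id] = wrapped   # only the wrapped form is persisted
        return seal(data_key, contents) # the 'encrypted disk'

    def unlock(self, disk_id: str, principal: str, encrypted: bytes) -> bytes:
        wrapped = self.table[disk_id]   # KeyError once the per-disk key has been deleted
        return open_sealed(self.kms.decrypt(principal, wrapped), encrypted)


def can_unlock(vault, disk_id, principal, encrypted, expected) -> bool:
    try:
        return vault.unlock(disk_id, principal, encrypted) == expected
    except (PermissionError, KeyError, ValueError):
        return False


def walkthrough() -> dict:
    """Exercises each revocation layer in turn; returns whether unlock still works after each."""
    kms = FakeKMS()
    vault = DiskVault(kms)
    grant_a = kms.create_grant("computer-a")
    kms.create_grant("computer-b")
    secret = b"constructed disk contents: stand-in for a /dev/sda1 image"
    disk_a = vault.enroll("disk-a", "computer-a", secret)
    disk_b = vault.enroll("disk-b", "computer-b", secret)
    r = {"baseline": can_unlock(vault, "disk-a", "computer-a", disk_a, secret)}
    kms.revoke_grant(grant_a)                          # layer 1: revoke the grant
    r["after_revoke_grant"] = can_unlock(vault, "disk-a", "computer-a", disk_a, secret)
    kms.create_grant("computer-a")                     # re-grant: keys were never touched
    r["after_regrant"] = can_unlock(vault, "disk-a", "computer-a", disk_a, secret)
    del vault.table["disk-a"]                          # layer 2: delete the per-disk key
    r["after_delete_disk_key"] = can_unlock(vault, "disk-a", "computer-a", disk_a, secret)
    r["other_disk_unaffected"] = can_unlock(vault, "disk-b", "computer-b", disk_b, secret)
    kms.enabled = False                                # layer 3: disable the CMK
    r["after_disable_cmk"] = can_unlock(vault, "disk-b", "computer-b", disk_b, secret)
    return r


if __name__ == "__main__":
    for step, ok in walkthrough().items():
        print(f"{step:24s} {'unlock ok' if ok else 'blocked'}")
```

The point the walkthrough makes is the scope of each layer: revoking the grant is reversible and touches no key material, deleting the wrapped per-disk key affects only that disk, and disabling the CMK blocks every disk at once. The IAM access-key rotation layer from the comment is not modelled here, since it sits in front of all of these calls rather than inside the key hierarchy.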


Once secret data, especially potentially valuable but small data, is shared beyond one's own control, never assume it can be or has been deleted. In fact, one should probably assume the opposite. Has it been saved? Probably not, but it could easily be. Carefully evaluate your threat model; the risk might be small enough to be acceptable, but always exercise great care in saying "but it can be/has been forgotten".


Yeah, that's a pretty big deal. Costs add up quickly on S3 even with Glacier.

But I agree, often AWS is better for your lab than a home server, particularly if what you need to test is clustering.

Also, Elastic Filestore over a VPN connection is not a particularly great experience ;)

