KMS

KMS is AWS's hardware-security-module-backed key management service. Robnu uses KMS to hold the master key that seals every per-seller DEK.

The advantage of KMS is two-fold: the master key never leaves the HSM (Robnu can't accidentally leak it), and every unseal operation is logged in CloudTrail (we can audit who decrypted what, when).

For sellers who care about compliance posture (DPDP, SOC 2 in future): KMS is the gold-standard primitive for credential storage. Robnu treats marketplace tokens with the same architecture a payments processor would treat card data.