3

I have created a custom managed symmetric key (for encryption / decryption purposes) in AWS KMS and imported my own key material from an external source.

For symmetric keys, AWS KMS uses the AES-256-GCM algorithm spec.

What I am trying to understand is whether it would be possible to encrypt a message outside of KMS using the same key material with the AES-256-GCM spec, and then decrypt the ciphertext using AWS KMS.

From my understanding, after a number of tries on this matter, it seems that when KMS itself performs an encryption, it adds some additional metadata to the ciphertext, which is in turn checked/validated at the time of decryption.

And even if we use the same "key material" that's already imported into KMS and perform an encryption externally (without using KMS) with the AES-256-GCM spec, the ciphertext decryption on the KMS side fails with various exceptions such as version mismatches, invalid algorithm ID, etc.

Note: Maybe the answer is obviously that it is not possible to achieve what we are trying to do here due to AWS KMS's internals for customer managed symmetric keys... but in that case it'd be much appreciated if some alternatives could be discussed.

marley89
  • 411
  • 4
  • 8

0 Answers
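As an added illustration of the behaviour the question describes (my own constructed code, not AWS's, and not KMS's real ciphertext format, which AWS does not document): a service that prepends a version/algorithm/key-id header to its AES-256-GCM output and binds that header as AAD will reject a bare AES-GCM ciphertext produced elsewhere with the same key material before the key is ever used, and will fail the GCM tag if the header is present but altered. The header bytes, key-id value and key material are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed framing for this demo only (NOT the undocumented real KMS format): version(1) | alg id(1) | key id(4) | nonce(12) | GCM ct+tag.
var serviceHdr = []byte{0x01, 0x10, 0xde, 0xad, 0xbe, 0xef} // v1, AES-256-GCM, placeholder key id
var ErrBadHeader = errors.New("ciphertext header missing or mismatched")
// newGCM builds AES-GCM from raw key material; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// encrypt seals pt under a fresh random nonce. hdr = serviceHdr mimics the service (header
// prepended and bound as AAD); hdr = nil is the bare nonce||ct+tag an external encryptor makes.
func encrypt(gcm cipher.AEAD, hdr, pt []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, hdr...), nonce...)
	return append(out, gcm.Seal(nil, nonce, pt, hdr)...), nil
}
// decrypt is the service side: without the expected header the key is never used (this is
// where the external ciphertext fails); a header present but altered fails the GCM tag instead.
func decrypt(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	n := len(serviceHdr) + gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() || !bytes.HasPrefix(blob, serviceHdr) {
		return nil, ErrBadHeader
	}
	return gcm.Open(nil, blob[len(serviceHdr):n], blob[n:], serviceHdr)
}
func main() {
	gcm, _ := newGCM(bytes.Repeat([]byte{0x42}, 32)) // constructed 32-byte key material
	framed, _ := encrypt(gcm, serviceHdr, []byte("hello"))
	raw, _ := encrypt(gcm, nil, []byte("hello"))
	_, errFramed := decrypt(gcm, framed)
	_, errRaw := decrypt(gcm, raw)
	fmt.Println("service-framed:", errFramed, "| external raw AES-GCM:", errRaw)
}
```

The usual way around this is to let the service wrap a data key and do the bulk AES-GCM work yourself with that data key, so the service only ever sees its own framed blobs.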