AWS_KMS_4

Ensure KMS Customer Master Key (CMK) In Use

Description

Customer managed KMS keys (CMKs) should be used instead of AWS managed keys so that you retain full control over how your data is encrypted and decrypted: with a customer managed key you own the key policy, decide who can administer and who can use the key, control rotation and grants, can share the key with other AWS accounts, and can schedule it for deletion. An AWS managed key (for example aws/ebs) is created and controlled by the service; its key policy cannot be changed and it cannot be used from another account or deleted. Customer managed keys can encrypt and decrypt data for many AWS services, including S3, Redshift, EBS and RDS.

Remediation

1. Login to the AWS Management Console.

2. Navigate to the KMS dashboard.

3. In the left navigation panel, click Encryption Keys.

4. Click the Create Key button in the top menu.

5. Enter an alias (name) and a description for the new CMK, then click Next Step.

6. (Optional) Add tags (tag key and tag value) to the key, then click Next Step.

7. Under Key Administrators section, select which IAM users and/or roles can administer the CMK, then click Next Step.

8. Under This Account section, select which IAM users and/or roles can use the CMK to encrypt/decrypt data with the AWS KMS API.

9. (Optional) Under the Other AWS Accounts section, click Add an External Account and enter an external account ID to let another AWS account use this CMK to encrypt/decrypt data. The key policy alone is not sufficient: the owners of the external accounts must also grant their own IAM users or roles permission to use this CMK through IAM policies in their accounts.

10. Click Next Step.

11. Under the Preview Key Policy section, review the generated policy and click Finish to create your new CMK. Once the key is created, the KMS dashboard displays a confirmation message: “Your master key was created successfully. Alias: MyEBSDataCMK”.

12. Now use the CMK to protect EBS volume data. Navigate to the EC2 dashboard.

13. Create new encrypted volumes with the new CMK selected as the master key, and update other resources to use the CMK you created. Note that an existing unencrypted EBS volume cannot be encrypted in place: create a snapshot of it, copy the snapshot with encryption enabled and the new CMK selected, create a new volume from the encrypted copy, and swap the volumes on the instance.
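The console steps above generate a key policy and leave you with a key that the service must then be pointed at. The following Python example, added here and not part of the original check or of any AWS tooling, does two things offline: it builds a key policy of the same shape the console produces (root retains full access, administrators get management actions only, users and optional external accounts get cryptographic actions plus the grant permissions EBS needs to attach the key to a volume), and it audits a constructed `describe-volumes`/`describe-key` sample for volumes that are unencrypted or still rely on the AWS managed key. The account IDs, ARNs and volume IDs are placeholders constructed for the example; no AWS API calls are made.

```python
"""Key-policy builder and EBS audit for the AWS_KMS_4 check (added example)."""
import json

# Constructed sample: trimmed KeyMetadata from `aws kms describe-key` for two keys.
# The IDs and ARNs are placeholders, not real resources.
AWS_MANAGED_EBS_KEY = {
    "KeyId": "11111111-1111-1111-1111-111111111111",
    "Arn": "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111",
    "KeyManager": "AWS",       # AWS managed (aws/ebs): fixed key policy, no cross-account use, no deletion
    "KeyState": "Enabled",
}
CUSTOMER_KEY = {
    "KeyId": "22222222-2222-2222-2222-222222222222",
    "Arn": "arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222",
    "KeyManager": "CUSTOMER",  # customer managed: we own policy, rotation, grants and deletion
    "KeyState": "Enabled",
}
KEYS_BY_ARN = {k["Arn"]: k for k in (AWS_MANAGED_EBS_KEY, CUSTOMER_KEY)}

# Constructed sample: trimmed `aws ec2 describe-volumes` output.
VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": False},
    {"VolumeId": "vol-0bbb", "Encrypted": True, "KmsKeyId": AWS_MANAGED_EBS_KEY["Arn"]},
    {"VolumeId": "vol-0ccc", "Encrypted": True, "KmsKeyId": CUSTOMER_KEY["Arn"]},
]

# Action sets mirroring the console-generated policy: administrators manage the
# key but cannot use it for cryptographic operations; users can encrypt/decrypt
# but cannot change the policy or delete the key.
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def build_key_policy(account_id, admin_arns, user_arns, external_account_ids=()):
    """Return a key policy document equivalent to console steps 7-9."""
    statements = [
        {   # Keeps the key manageable by the account even if every named admin is deleted.
            "Sid": "Enable IAM User Permissions", "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "kms:*", "Resource": "*",
        },
        {
            "Sid": "Allow access for Key Administrators", "Effect": "Allow",
            "Principal": {"AWS": list(admin_arns)},
            "Action": ADMIN_ACTIONS, "Resource": "*",
        },
    ]
    # External accounts are added as their root principal; their own IAM policies
    # must still grant the actual users or roles access (console step 9).
    users = list(user_arns) + [f"arn:aws:iam::{acct}:root" for acct in external_account_ids]
    if users:
        statements.append({
            "Sid": "Allow use of the key", "Effect": "Allow",
            "Principal": {"AWS": users}, "Action": USE_ACTIONS, "Resource": "*",
        })
        statements.append({   # EBS/EC2 create grants on the key when attaching an encrypted volume.
            "Sid": "Allow attachment of persistent resources", "Effect": "Allow",
            "Principal": {"AWS": users}, "Action": GRANT_ACTIONS, "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        })
    return {"Version": "2012-10-17", "Id": "key-consolepolicy-3", "Statement": statements}


def is_customer_managed(key_metadata):
    """True only for keys whose policy, rotation and deletion the account controls."""
    return key_metadata.get("KeyManager") == "CUSTOMER"


def audit_volumes(volumes, keys_by_arn):
    """Map each failing volume ID to the reason it fails this check."""
    findings = {}
    for vol in volumes:
        if not vol.get("Encrypted"):
            findings[vol["VolumeId"]] = "unencrypted"
            continue
        key = keys_by_arn.get(vol.get("KmsKeyId"))
        if key is None:
            findings[vol["VolumeId"]] = "key not found in this account"
        elif not is_customer_managed(key):
            findings[vol["VolumeId"]] = "encrypted with AWS managed key"
    return findings


if __name__ == "__main__":
    policy = build_key_policy(
        "123456789012",
        admin_arns=["arn:aws:iam::123456789012:role/KmsAdmin"],          # placeholder
        user_arns=["arn:aws:iam::123456789012:role/EbsWorkload"],        # placeholder
        external_account_ids=["210987654321"],                           # placeholder
    )
    print(json.dumps(policy, indent=2))
    print(audit_volumes(VOLUMES, KEYS_BY_ARN))
```

Feed the builder's output to `aws kms create-key --policy file://policy.json` (or the `Policy` parameter of the CreateKey API), then pass the returned key ARN as the KMS key when creating volumes or copying snapshots; the audit function is written to run unchanged over real `describe-volumes` and `describe-key` responses once the constructed samples are replaced.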

Service

KMS

Severity

Medium

Compliance

Mapping
