# Key Management
<a name="key-management"></a>

Customers can specify Amazon KMS keys, including bring your own keys (BYOK), to use for envelope encryption with Amazon S3 input/output buckets and machine learning (ML) Amazon EBS volumes. ML volumes for notebook instances and for processing, training, and hosted model Docker containers can be optionally encrypted by using Amazon KMS customer-owned keys. All instance OS volumes are encrypted with an Amazon-managed Amazon KMS key. 

**Note**  
Certain Nitro-based instances include local storage, dependent on the instance type. Local storage volumes are encrypted using a hardware module on the instance. You can't request a `VolumeKmsKeyId` when using an instance type with local storage.  
For a list of instance types that support local instance storage, see [Instance Store Volumes](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/InstanceStorage.html#instance-store-volumes).  
For more information about local instance storage encryption, see [SSD Instance Store Volumes](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/ssd-instance-store.html).  
For more information about storage volumes on nitro-based instances, see [Amazon EBS and NVMe on Linux Instances](https://docs.amazonaws.cn/AWSEC2/latest/UserGuide/nvme-ebs-volumes.html).

For information about Amazon KMS keys see [What is Amazon Key Management Service?](https://docs.amazonaws.cn/kms/latest/developerguide/overview.html) in the *Amazon Key Management Service Developer Guide*.