High-level KMS Key builder following AWS security best practices. **Default Security Settings:** - Key rotation = enabled (automatic yearly rotation) - Removal policy = RETAIN (prevents accidental key deletion) - Key spec = SYMMETRIC_DEFAULT (AES-256-GCM) - Key usage = ENCRYPT_DECRYPT **Rationale:** These defaults follow AWS Well-Architected Framework: - Automatic rotation reduces risk of key compromise - Retained keys prevent data loss (encrypted data becomes unreadable without key) - Symmetric encryption is most common use case - CloudTrail provides audit trails for all key usage **Use Cases:** - Encrypt data at rest (S3, EBS, RDS, DynamoDB) - Encrypt secrets (Secrets Manager, Parameter Store) - Sign and verify (asymmetric keys) - Generate HMACs **Escape Hatch:** Access the underlying CDK Key via the `Key` property on the returned resource for advanced scenarios not covered by this builder.