
I think customer managed keys are often misunderstood. They aren't innately more secure than cloud provider managed keys from the cloud provider. They just give the customer the ability to manage the key lifecycle. Key generation, rotation, revocation. This is still a useful capability.


Indeed. I'm unsure whether this misunderstanding is "nurtured" or is simply "wishful thinking". Unfortunately, I have too often heard CMEK being seen as "the holy grail" of processing data safely on untrusted cloud providers.


Yes, I encounter that attitude too quite frequently.

If you need to manage the keys to particular schedules or policies, it's obviously what you want. That might be more secure in some ways than leaving it to the cloud provider, depending on what you actually do with the capability. But many people just stop at CMEK Is More Secure...



