This week covered the first pillar of data protection: encryption and key management. KMS key types and dual permission models (Day 1), envelope encryption with data keys and encryption contexts (Day 2), key policies, grants, cross-account, and ViaService (Day 3), transit/at-rest encryption and key rotation (Day 4). Today we integrate these into one decision framework. Exams ask less about fragments and more about "for this data protection requirement, which key, which permission, and which encryption location do I choose?" The core framework is key control level × permission mechanism × encryption location (transit/rest/layer) in three dimensions.