We can then use the key to encrypt the CA's private key and upload the encrypted file to an S3 location:
REGION=us-east-2
AWS_ACCOUNT_ID=123456790
KMS_KEY_ID=arn:aws:kms:$REGION:$AWS_ACCOUNT_ID:key/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx
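# Encrypt the CA private key with the KMS key. With --output text the
# CiphertextBlob is written to the file base64-encoded.
aws kms encrypt \
--key-id "$KMS_KEY_ID" \
--plaintext fileb:///path/to/ca.key \
--query CiphertextBlob \
--output text > /path/to/encrypted_ca.key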
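The encrypt step above, together with the S3 upload and the matching decrypt, as an added example that is not part of the original page. The function names, the S3 URI argument and all paths are assumptions for illustration; the size check reflects the 4096-byte plaintext limit of a direct KMS Encrypt call with a symmetric key.

```bash
#!/usr/bin/env bash
# Added example. Function names, the S3 URI and file paths are placeholders
# (assumptions), not values from the original page.
KMS_MAX_PLAINTEXT=4096   # max plaintext bytes for KMS Encrypt with a symmetric key

# Succeeds only if $1 exists, is non-empty and fits in one KMS Encrypt call.
fits_kms_encrypt() {
  local size
  [ -f "$1" ] || return 2
  size=$(( $(wc -c < "$1") ))
  [ "$size" -gt 0 ] && [ "$size" -le "$KMS_MAX_PLAINTEXT" ]
}

# Encrypt file $2 under KMS key $1; write base64 ciphertext to $3 (mode 0600).
encrypt_ca_key() {
  fits_kms_encrypt "$2" || {
    echo "missing, empty or larger than ${KMS_MAX_PLAINTEXT} bytes: $2" >&2
    return 1
  }
  ( umask 077
    aws kms encrypt --key-id "$1" --plaintext "fileb://$2" \
      --query CiphertextBlob --output text > "$3" )
}

# Upload the encrypted file $1 to the S3 URI $2 (e.g. s3://EXAMPLE-BUCKET/ca/encrypted_ca.key).
upload_encrypted_key() {
  aws s3 cp "$1" "$2"
}

# Fetch S3 URI $1, undo the base64 text encoding, decrypt, write plaintext to $2.
# Both the stored ciphertext and the returned Plaintext field are base64 text.
decrypt_ca_key() {
  local tmp rc=0
  tmp=$(mktemp) || return 1
  { aws s3 cp "$1" - | base64 --decode > "$tmp" &&
    ( umask 077
      aws kms decrypt --ciphertext-blob "fileb://$tmp" \
        --query Plaintext --output text | base64 --decode > "$2" ); } || rc=$?
  rm -f "$tmp"
  return "$rc"
}
```

A key file that fails the size check needs envelope encryption with a KMS data key instead of a direct `aws kms encrypt` call.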