How can we audit or track who used or accessed keys in AWS KMS?

Can we integrate AWS KMS with on-premise applications, or is it only cloud-based?

Are there any performance impacts when using encryption in AWS services (like S3, EBS, or RDS)?

In asymmetric encryption, how does AWS ensure private keys remain secure if only the public key is widely shared?

What are the main disadvantages of using a single key (symmetric encryption), and how can they be minimized?