Rotating KMS CMKs


Last updated 4 years ago


  • To create new cryptographic material for your KMS CMKs, you can:

    • Create new CMKs, and then change your applications or aliases to use the new CMKs.

    • Enable automatic key rotation for an existing customer managed CMK.

  • When you enable automatic key rotation for a customer managed CMK, KMS generates new cryptographic material for the CMK every year.

  • KMS also keeps the CMK's older cryptographic material indefinitely so it can still decrypt data that was encrypted under it.

  • KMS does not delete any rotated key material until you delete the CMK.

  • Rotation does not re-encrypt existing ciphertext: data encrypted before the rotation stays tied to the old backing key. Rotation therefore limits how much future data one backing key protects, but it does not retire material that is already in use; if old ciphertext must move to fresh material, you have to re-encrypt it yourself.

  • Key rotation changes only the CMK's backing key, which is the cryptographic material that is used in encryption operations.

    • The CMK is the same logical resource, regardless of whether or how many times its backing key changes:

| Type of CMK | Can manage CMK? | Used only for one AWS account? | Automatic rotation? |
| --- | --- | --- | --- |
| Customer managed CMK | Yes | Yes | Optional. Every 365 days (1 year). |
| AWS managed CMK | No | Yes | Required. Every 1095 days (3 years). |
| AWS owned CMK | No | No | Varies |

Note: the periods above are as of this page's last update. AWS has since changed AWS managed CMKs to rotate every year (2022) and made the period for customer managed CMKs configurable between 90 and 2560 days (2024).

How automatic key rotation works

  • KMS supports optional automatic key rotation only for customer managed CMKs, and only for symmetric CMKs whose key material KMS generated and that are not in a custom key store (the ineligible cases are listed under manual rotation below).

  • Backing key management.

    • KMS retains all backing keys for a CMK, even if key rotation is disabled.

    • The backing keys are deleted only when the CMK is deleted.

    • When you use a CMK to encrypt, KMS uses the current backing key.

    • When you use the CMK to decrypt, KMS uses the backing key that was used to encrypt.

  • Enable and disable key rotation.

    • Automatic key rotation is disabled by default on customer managed CMKs.

    • When you enable key rotation, KMS automatically rotates the CMK 365 days after the enable date and every 365 days thereafter.

    • KMS does not rotate a CMK while it is disabled or pending deletion; rotation resumes once the CMK is enabled again.

    • Check the setting with GetKeyRotationStatus (aws kms get-key-rotation-status --key-id <key-id>) and turn it on with EnableKeyRotation. The AWS Config managed rule cmk-backing-key-rotation-enabled flags customer managed CMKs where it is off.

  • AWS managed CMKs.

    • You cannot manage key rotation for AWS managed CMKs.

    • KMS automatically rotates them every three years (1095 days) as of this page's last update; AWS has since shortened this to every year.

  • AWS owned CMKs.

    • You cannot manage key rotation for AWS owned CMKs.

    • The key rotation strategy for an AWS owned CMK is determined by the AWS service that creates and manages the CMK.
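The backing-key behaviour described above, modelled as an added example that is not AWS code and not how KMS actually encrypts: one logical CMK holds a versioned set of backing keys, encryption always uses the current version, the ciphertext header records which version (and which CMK) produced it, and decryption looks that version up. The cipher is a throwaway HMAC-based stream cipher with a MAC so the example runs offline; the key IDs are made up.

```python
"""Toy model of KMS backing-key rotation (illustration only, not AWS code)."""
import hashlib
import hmac
import secrets
import struct


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks XORed into data.
    Stands in for real encryption so the example has no dependencies; never use this for real data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", offset // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class ToyCmk:
    """One logical CMK. Rotation adds a backing key; old ones are retained until the CMK is deleted."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self.backing_keys = {}   # version -> 32-byte secret; never removed by rotation
        self.current = 0
        self.rotate()            # first backing key is created with the CMK

    def rotate(self) -> int:
        """Models what KMS does yearly for a customer managed CMK with rotation enabled."""
        self.current += 1
        self.backing_keys[self.current] = secrets.token_bytes(32)
        return self.current

    def encrypt(self, plaintext: bytes) -> bytes:
        """Always encrypts under the current backing key and records key ID + version in the header."""
        nonce = secrets.token_bytes(16)
        header = (struct.pack(">B", len(self.key_id)) + self.key_id.encode()
                  + struct.pack(">I", self.current) + nonce)
        key = self.backing_keys[self.current]
        body = _xor_stream(key, nonce, plaintext)
        tag = hmac.new(key, header + body, hashlib.sha256).digest()
        return header + body + tag

    @staticmethod
    def parse(blob: bytes):
        """Split a ciphertext into (key_id, version, nonce, header, body, tag)."""
        id_len = blob[0]
        key_id = blob[1:1 + id_len].decode()
        version = struct.unpack(">I", blob[1 + id_len:5 + id_len])[0]
        nonce = blob[5 + id_len:21 + id_len]
        header_len = 21 + id_len
        return key_id, version, nonce, blob[:header_len], blob[header_len:-32], blob[-32:]

    def decrypt(self, blob: bytes) -> bytes:
        """Uses the backing key named in the ciphertext, not the current one."""
        key_id, version, nonce, header, body, tag = self.parse(blob)
        if key_id != self.key_id:
            raise ValueError(f"ciphertext belongs to CMK {key_id}, not {self.key_id}")
        key = self.backing_keys.get(version)
        if key is None:
            raise ValueError(f"backing key version {version} unknown (CMK deleted?)")
        if not hmac.compare_digest(tag, hmac.new(key, header + body, hashlib.sha256).digest()):
            raise ValueError("integrity check failed")
        return _xor_stream(key, nonce, body)


def demo() -> dict:
    """Encrypt, rotate twice, and show what old and new ciphertexts look like afterwards."""
    key = ToyCmk("1234abcd-12ab-34cd-56ef-1234567890ab")   # made-up key ID
    old_blob = key.encrypt(b"customer record")
    key.rotate()   # year 1
    key.rotate()   # year 2
    new_blob = key.encrypt(b"customer record")
    other = ToyCmk("0000aaaa-0000-4000-8000-000000000000")  # a different CMK (manual rotation case)
    try:
        other.decrypt(old_blob)
        other_cmk_rejects = False
    except ValueError:
        other_cmk_rejects = True
    return {
        "old_ciphertext_version": ToyCmk.parse(old_blob)[1],   # still 1: rotation never re-encrypts
        "new_ciphertext_version": ToyCmk.parse(new_blob)[1],   # 3: current backing key
        "backing_keys_retained": len(key.backing_keys),        # 3: nothing was deleted
        "old_decrypts_after_rotation": key.decrypt(old_blob) == b"customer record",
        "other_cmk_rejects": other_cmk_rejects,
    }


if __name__ == "__main__":
    print(demo())
```

Two things the output makes concrete: the old ciphertext still carries version 1 after two rotations, so enabling rotation does not touch data already encrypted; and a ciphertext can only be decrypted by the CMK it names, which is why replacing a CMK with a new one (manual rotation, next section) requires the old CMK to stay enabled.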

Rotating keys manually

  • You might want to create a new CMK and use it in place of a current CMK instead of enabling automatic key rotation.

  • The process of replacing one CMK with another is known as manual key rotation.

  • You might prefer to rotate keys manually so you can control the rotation frequency.

  • It's also the only option for CMKs that are not eligible for automatic key rotation:

    • Asymmetric CMKs.

    • CMKs in custom key stores.

    • CMKs with imported key material.

  • Because the replacement CMK has a different key ID and ARN, have applications refer to an alias rather than the key ID; rotating is then a single UpdateAlias call and needs no application change.

  • Keep the old CMK enabled after the switch. KMS ciphertext records the CMK that produced it and Decrypt uses that CMK, so disabling the old CMK makes everything it encrypted unreadable until it is re-enabled, and deleting it does so permanently. Disable it only once all of its ciphertext has been re-encrypted or discarded.
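An added example (not the page's or AWS's own code) that applies the eligibility rules of this section and the previous one: it classifies keys by rotation posture from DescribeKey-shaped metadata, which runs offline on constructed sample records, and includes a live audit plus an alias-based manual rotation that assume boto3 and AWS credentials. The alias name, region and description are placeholders you supply.

```python
"""Rotation audit and alias-based manual rotation for KMS keys (added example, not AWS code)."""
from typing import Dict, Iterable, List, Optional, Tuple

try:
    import boto3  # needed only by live_audit() and manual_rotate()
except ImportError:  # classification still works without the SDK
    boto3 = None


def auto_rotation_blocker(meta: dict) -> Optional[str]:
    """Why this customer managed CMK cannot use automatic rotation, or None if it can.
    Field names are those of the DescribeKey KeyMetadata structure."""
    if meta.get("KeySpec", "SYMMETRIC_DEFAULT") != "SYMMETRIC_DEFAULT":
        return "asymmetric"            # RSA_* / ECC_* key specs
    if meta.get("Origin") == "EXTERNAL":
        return "imported key material"
    if meta.get("CustomKeyStoreId"):
        return "custom key store"      # Origin is AWS_CLOUDHSM for these
    return None


def classify(meta: dict, rotation_enabled: Optional[bool]) -> str:
    """One status per key: aws_managed | manual_only | rotation_on | rotation_off."""
    if meta.get("KeyManager") != "CUSTOMER":
        return "aws_managed"           # AWS rotates these; nothing to configure
    if auto_rotation_blocker(meta):
        return "manual_only"           # rotate by creating a new CMK
    return "rotation_on" if rotation_enabled else "rotation_off"


def audit(records: Iterable[Tuple[dict, Optional[bool]]]) -> Dict[str, List[str]]:
    """Group key IDs by status; 'rotation_off' is the list to act on."""
    findings: Dict[str, List[str]] = {}
    for meta, enabled in records:
        findings.setdefault(classify(meta, enabled), []).append(meta["KeyId"])
    return findings


# Constructed sample records (not real keys), in the shape DescribeKey returns.
SAMPLE_RECORDS = [
    ({"KeyId": "aws-managed-1", "KeyManager": "AWS", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"}, True),
    ({"KeyId": "cust-on", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"}, True),
    ({"KeyId": "cust-off", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS"}, False),
    ({"KeyId": "cust-rsa", "KeyManager": "CUSTOMER", "KeySpec": "RSA_2048", "Origin": "AWS_KMS"}, None),
    ({"KeyId": "cust-import", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "EXTERNAL"}, None),
    ({"KeyId": "cust-hsm", "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_CLOUDHSM",
      "CustomKeyStoreId": "cks-1234567890abcdef0"}, None),
]


def live_audit(region_name: str) -> Dict[str, List[str]]:
    """The same audit against a real account (assumes boto3 and credentials)."""
    kms = boto3.client("kms", region_name=region_name)
    records = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            enabled = None
            if meta.get("KeyManager") == "CUSTOMER" and auto_rotation_blocker(meta) is None:
                enabled = kms.get_key_rotation_status(KeyId=meta["KeyId"])["KeyRotationEnabled"]
            records.append((meta, enabled))
    return audit(records)


def manual_rotate(kms, alias_name: str, description: str) -> Tuple[str, str]:
    """Manual rotation: create a new CMK and re-point the alias so callers that encrypt
    via the alias pick up the new key. The old CMK is deliberately left enabled: ciphertext
    records the CMK that produced it and Decrypt needs that CMK to remain usable."""
    old_key_id = kms.describe_key(KeyId=alias_name)["KeyMetadata"]["KeyId"]
    new_key_id = kms.create_key(Description=description)["KeyMetadata"]["KeyId"]
    kms.update_alias(AliasName=alias_name, TargetKeyId=new_key_id)
    return old_key_id, new_key_id


if __name__ == "__main__":
    print(audit(SAMPLE_RECORDS))
```

In the sample, only cust-off needs EnableKeyRotation; the three manual_only keys are exactly the ineligible cases listed above and must be rotated with manual_rotate (or its console equivalent), after which the old key IDs it returns should go on a list to disable only once their ciphertext is gone.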