We wish to enable KMS encryption at rest for our RDS instances, along with automatic (or manual) key rotation. When creating the RDS with CloudFormation, if you provide a KMS key alias it immediately resolves to the underlying key. If the key alias then points to a different key, the RDS instance will not be correctly rotated. As the KmsKeyId parameter is one that requires replacement, it is impossible to rotate KMS keys for RDS at all as long as it is managed by CloudFormation.
I have found this open issue of someone having a similar issue: https://github.com/aws-cloudformation/cloudformation-coverage-roadmap/issues/1307
Is there a recommended way to enable KMS key rotation for RDS instances created by CloudFormation?