Changing the encryption key of a secret in AWS Secrets Manager

0

When I am trying to change the encryption key of a secret in the AWS console, it shows me a checkbox which says to click the checkbox to create a new version of the secret. If I uncheck the checkbox, it will just change the encryption key but not the existing secret value. Is my understanding correct?

Asked 5 months ago, 237 views
2 answers
0

Hello,

When the checkbox is ticked, a new version of the secret will be created and encrypted with the new key. Only the new key can decrypt this new version.

When the checkbox is unticked, the existing version will be re-encrypted with the new key, but can still be decrypted with both the old and new keys.

Reference:

Change the encryption key for an AWS Secrets Manager secret

Expert
Answered 5 months ago
AWS Expert
Reviewed 5 months ago
  • Note that there isn't just one "existing version" that is affected. It's the versions with the labels AWSCURRENT, AWSPENDING, and AWSPREVIOUS that are affected. The difference is between whether a new AWSCURRENT is created exclusively accessible with the new key, or the existing AWSCURRENT is kept and encrypted both with the old key and the new key.

0

If you want the current content of the secret value to be retained, that will happen regardless of that checkbox. The current secret value will be stored encrypted with the new KMS key.

It appears the distinction is that if you check the box, a new version will be created and labelled as AWSCURRENT, while with the checkbox unchecked, a new version will not be created; only the AWSCURRENT, AWSPENDING, and AWSPREVIOUS versions will be re-encrypted with the new key.

Expert
Answered 5 months ago
Expert
Reviewed 5 months ago
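Added example (not code from this thread or from AWS), in Python with boto3: the API-side equivalent of the console checkbox discussed in both answers, plus the check a practitioner would want before disabling or scheduling deletion of the old key. It assumes that calling update_secret with only KmsKeyId corresponds to the unticked checkbox (the versions labelled AWSCURRENT, AWSPENDING and AWSPREVIOUS are re-encrypted in place, no new version) and that also passing SecretString corresponds to the ticked checkbox (a new AWSCURRENT version written under the new key), and it reads the KmsKeyIds field returned by list_secret_version_ids. The version list at the bottom is constructed to match the unticked case as the answers describe it; secret ids, key ARNs and version ids are placeholders.

```python
"""Change a Secrets Manager secret's KMS key from the API and audit which
versions each key can still decrypt. Added example, not AWS's own code."""
from __future__ import annotations

from typing import Any

# Constructed placeholders; the real values come from your own account.
OLD_KEY = "arn:aws:kms:us-east-1:111122223333:key/old-key-id-PLACEHOLDER"
NEW_KEY = "arn:aws:kms:us-east-1:111122223333:key/new-key-id-PLACEHOLDER"


def build_update_secret_params(secret_id: str, new_kms_key_id: str,
                               current_secret_string: str | None = None) -> dict[str, Any]:
    """Parameters for secretsmanager.update_secret().

    Assumption (see lead-in): KmsKeyId alone is the 'checkbox unticked' case, the
    versions labelled AWSCURRENT/AWSPENDING/AWSPREVIOUS are re-encrypted in place;
    adding SecretString (the current value, re-sent unchanged) is the 'checkbox
    ticked' case and writes a new AWSCURRENT version under the new key only.
    """
    params: dict[str, Any] = {"SecretId": secret_id, "KmsKeyId": new_kms_key_id}
    if current_secret_string is not None:
        params["SecretString"] = current_secret_string
    return params


def _key_id(key: str) -> str:
    """Reduce 'arn:aws:kms:...:key/<id>' or a bare key id to '<id>' for comparison."""
    return key.rsplit("/", 1)[-1]


def versions_depending_on_key(versions: list[dict[str, Any]], key: str) -> dict[str, list[str]]:
    """Classify entries from list_secret_version_ids(..., IncludeDeprecated=True).

    'only_this_key': versions that become unreadable if `key` is disabled or deleted.
    'this_and_others': versions also decryptable with another key (re-encrypted ones).
    'not_this_key': versions that do not use `key` at all.
    """
    wanted = _key_id(key)
    out: dict[str, list[str]] = {"only_this_key": [], "this_and_others": [], "not_this_key": []}
    for v in versions:
        ids = {_key_id(k) for k in v.get("KmsKeyIds", [])}
        if wanted not in ids:
            out["not_this_key"].append(v["VersionId"])
        elif len(ids) == 1:
            out["only_this_key"].append(v["VersionId"])
        else:
            out["this_and_others"].append(v["VersionId"])
    return out


def change_key_and_audit(secret_id: str, new_kms_key_id: str, old_kms_key_id: str,
                         create_new_version: bool = False) -> dict[str, list[str]]:
    """Live version: needs boto3 and AWS credentials, and assumes a string secret."""
    import boto3  # imported here so the pure helpers above run without it

    sm = boto3.client("secretsmanager")
    current = None
    if create_new_version:
        # Re-send the current value unchanged so the new version carries the same secret.
        current = sm.get_secret_value(SecretId=secret_id)["SecretString"]
    sm.update_secret(**build_update_secret_params(secret_id, new_kms_key_id, current))
    versions: list[dict[str, Any]] = []
    for page in sm.get_paginator("list_secret_version_ids").paginate(
            SecretId=secret_id, IncludeDeprecated=True):
        versions.extend(page["Versions"])
    return versions_depending_on_key(versions, old_kms_key_id)


# Constructed list_secret_version_ids output for the *unticked* case in the answers:
# the AWSCURRENT version was re-encrypted and now lists both keys, while an older
# version with no staging label was never re-encrypted and still needs the old key.
SAMPLE_VERSIONS_AFTER_REENCRYPT = [
    {"VersionId": "v1-current", "VersionStages": ["AWSCURRENT"], "KmsKeyIds": [OLD_KEY, NEW_KEY]},
    {"VersionId": "v0-deprecated", "VersionStages": [], "KmsKeyIds": [OLD_KEY]},
]

if __name__ == "__main__":
    print(build_update_secret_params("MyTestSecret", NEW_KEY))
    print(versions_depending_on_key(SAMPLE_VERSIONS_AFTER_REENCRYPT, OLD_KEY))
```

The point of the audit is the second function: the answers only talk about the labelled versions, so any older, unlabelled version is still tied to the old key alone, and `only_this_key` being non-empty for the old key means disabling it would make those versions unreadable.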
