KMS Key rotation

0

Once KMS key rotation is enabled to 1 year rotation (as an example, the key was created 13 months back), when would the CMKs be rotated? Would it be one year after it was enabled or one year after the key was created?

AWS
Asked 7 years ago · 507 views
1 Answer
0
Accepted Answer

It would be one year after it was enabled.

When you enable automatic key rotation for a customer managed CMK, AWS KMS generates new cryptographic material for the CMK every year. AWS KMS also saves the CMK's older cryptographic material in perpetuity so it can be used to decrypt data that it encrypted. AWS KMS does not delete any rotated key material until you delete the CMK.

Key rotation changes only the CMK's backing key, which is the cryptographic material that is used in encryption operations. The CMK is the same logical resource, regardless of whether or how many times its backing key changes. The properties of the CMK do not change, as shown in the following image.

More details can be found at the documentation page below:

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

Answered 7 years ago
Expert
Reviewed a month ago
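A small model of the behaviour described in the answer above, added here as an illustration; it is not part of the original answer and not AWS code, and it makes no AWS calls. `ModelCMK`, the 365-day period standing in for "every year", the HMAC-based keystream, the dates and the key id are all assumptions constructed for the example.

```python
import hashlib, hmac, os
from datetime import date, timedelta

ROTATION_PERIOD = timedelta(days=365)  # assumption: "every year" modelled as 365 days

class ModelCMK:
    """Toy model of a customer managed CMK and its backing keys."""
    def __init__(self, key_id, created):
        self.key_id = key_id                  # logical resource: never changes
        self.created = created
        self.backing_keys = [os.urandom(32)]  # every version is retained
        self.next_rotation = None             # None while rotation is disabled

    def enable_rotation(self, today):
        # The clock starts at enablement, as the answer states, not at creation.
        self.next_rotation = today + ROTATION_PERIOD

    def advance_to(self, today):
        """Apply every rotation that falls due on or before `today`."""
        while self.next_rotation and today >= self.next_rotation:
            self.backing_keys.append(os.urandom(32))
            self.next_rotation += ROTATION_PERIOD

    def _stream(self, version, nonce, n):
        # Stand-in keystream (HMAC-SHA256 over a counter); model only, not KMS's cipher.
        key = self.backing_keys[version]
        blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def encrypt(self, plaintext):
        version, nonce = len(self.backing_keys) - 1, os.urandom(16)
        ks = self._stream(version, nonce, len(plaintext))
        return {"key_id": self.key_id, "version": version, "nonce": nonce,
                "body": bytes(a ^ b for a, b in zip(plaintext, ks))}

    def decrypt(self, blob):
        # The blob records which backing key produced it, so old data stays readable.
        ks = self._stream(blob["version"], blob["nonce"], len(blob["body"]))
        return bytes(a ^ b for a, b in zip(blob["body"], ks))

def demo():
    enabled = date(2024, 1, 1)  # constructed date; key is about 13 months old
    cmk = ModelCMK("example-key-id", created=enabled - timedelta(days=395))
    cmk.enable_rotation(enabled)
    old = cmk.encrypt(b"written before rotation")
    cmk.advance_to(enabled + timedelta(days=364))
    before = len(cmk.backing_keys)  # key age alone triggers nothing
    cmk.advance_to(enabled + timedelta(days=365))
    new = cmk.encrypt(b"written after rotation")
    return before, len(cmk.backing_keys), old["version"], new["version"], cmk.decrypt(old), cmk.key_id
```

`demo()` shows that the 13-month-old key is not rotated until a full period after enablement, and that ciphertext produced under the first backing key still decrypts under the same key id afterwards.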
