Changing the encryption key of a secret in AWS Secrets Manager

0

When I try to change the encryption key of a secret in the AWS console, it shows me a checkbox that says to tick it to create a new version of the secret. If I leave the checkbox unticked, it will just change the encryption key but not the existing secret value. Is my understanding correct?

Asked 5 months ago, 237 views
2 answers
0

Hello,

When the checkbox is ticked, a new version of the secret will be created and encrypted with the new key. Only the new key can decrypt this new version.

When the checkbox is unticked, the existing version will be re-encrypted with the new key, but it can still be decrypted with both the old and new keys.

Reference:

Change the encryption key for an AWS Secrets Manager secret

Expert
Answered 5 months ago
AWS Expert
Reviewed 5 months ago
  • Note that there isn't just one "existing version" that is affected. It's the versions with the labels AWSCURRENT, AWSPENDING, and AWSPREVIOUS that are affected. The difference is between whether a new AWSCURRENT is created exclusively accessible with the new key, or the existing AWSCURRENT is kept and encrypted both with the old key and the new key.

0

If you want the current content of the secret value to be retained, that will happen regardless of that checkbox. The current secret value will be stored encrypted with the new KMS key.

It appears the distinction is that if you check the box, a new version will be created and labelled AWSCURRENT, while with the checkbox unchecked no new version is created; only the AWSCURRENT, AWSPENDING, and AWSPREVIOUS versions are re-encrypted with the new key.

Expert
Answered 5 months ago
Expert
Reviewed 5 months ago
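Both answers describe the same two outcomes of the console dialog. The following is an added example, not code from the thread or from AWS, that performs the key change with boto3-style Secrets Manager calls and then checks the result. It assumes `client` is a boto3 `secretsmanager` client (or any object with the same four methods), that `new_key_arn` is the key's full ARN so the `describe_secret` check can compare it, and that writing a fresh version with `put_secret_value` is the API equivalent of the console's "create new version" checkbox.

```python
"""Change a Secrets Manager secret's KMS key and verify the result.

Added example, not from the original thread. `client` is any object with
the boto3 secretsmanager methods used below: pass a real
boto3.client("secretsmanager"), or a stub for offline tests.
"""


def change_secret_kms_key(client, secret_id, new_key_arn, new_version=False):
    """Mirror the console dialog discussed in the question.

    new_version=False (checkbox unticked): re-key only. AWSCURRENT,
        AWSPENDING and AWSPREVIOUS are re-encrypted with new_key_arn but
        stay decryptable with the old key as well.
    new_version=True (checkbox ticked): additionally write a fresh
        AWSCURRENT version, so the latest value is decryptable only with
        the new key. Assumption: put_secret_value is the API equivalent
        of the console's "create new version" option.
    Returns a small dict describing what was done, for audit logging.
    """
    client.update_secret(SecretId=secret_id, KmsKeyId=new_key_arn)

    new_version_id = None
    if new_version:
        current = client.get_secret_value(SecretId=secret_id)
        payload = (
            {"SecretString": current["SecretString"]}
            if "SecretString" in current
            else {"SecretBinary": current["SecretBinary"]}
        )
        # A new version is encrypted with the key now attached to the secret.
        resp = client.put_secret_value(SecretId=secret_id, **payload)
        new_version_id = resp["VersionId"]

    # Verify the secret really points at the new key before trusting it.
    desc = client.describe_secret(SecretId=secret_id)
    if desc.get("KmsKeyId") != new_key_arn:
        raise RuntimeError(
            f"{secret_id}: KmsKeyId is {desc.get('KmsKeyId')!r}, "
            f"expected {new_key_arn!r}"
        )

    current_ids = [
        vid for vid, stages in desc["VersionIdsToStages"].items()
        if "AWSCURRENT" in stages
    ]
    return {
        "kms_key_id": desc["KmsKeyId"],
        "new_version_id": new_version_id,
        "current_version_id": current_ids[0],
        # Per the answers above: only a newly written version drops the old key.
        "old_key_can_decrypt_current": new_version_id is None,
    }
```

If the goal is to retire the old key (for example, after a key compromise), the `new_version=True` path is the one that stops the old key from decrypting the current value; a re-key alone does not.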
