KMS Key rotation


Once KMS key rotation is enabled to 1 year rotation (as example, the key was created 13 months back), when would the CMKs be rotated ? Would it be one year once it was enabled or one year after the key was created ?

asked 8 years ago598 views
1 Answer
Accepted Answer

It would be one year after it was enabled.

When you enable automatic key rotation for a customer managed CMK, AWS KMS generates new cryptographic material for the CMK every year. AWS KMS also saves the CMK's older cryptographic material in perpetuity so it can be used to decrypt data that it encrypted. AWS KMS does not delete any rotated key material until you delete the CMK.

Key rotation changes only the CMK's backing key, which is the cryptographic material that is used in encryption operations. The CMK is the same logical resource, regardless of whether or how many times its backing key changes. The properties of the CMK do not change, as shown in the following image.

More details can be found at the documentation page below :

answered 8 years ago
profile picture
reviewed 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions