It would be one year after it was enabled.
When you enable automatic key rotation for a customer managed CMK, AWS KMS generates new cryptographic material for the CMK every year. AWS KMS also saves the CMK's older cryptographic material in perpetuity so it can be used to decrypt data that it encrypted. AWS KMS does not delete any rotated key material until you delete the CMK.
Key rotation changes only the CMK's backing key, which is the cryptographic material that is used in encryption operations. The CMK is the same logical resource, regardless of whether or how many times its backing key changes. The properties of the CMK do not change, as shown in the following image.
More details can be found at the documentation page below :
- asked 2 months ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated a year ago
- How can I resolve the AWS KMS key policy error "Policy contains a statement with one or more invalid principals"?AWS OFFICIALUpdated 2 years ago
- Should I use an AWS KMS managed key or a customer managed KMS key to encrypt my objects on Amazon S3?AWS OFFICIALUpdated a year ago