Confused about Aliases and Key rotation.

0

My company wishes to employ BYOK into KMS for S3 SSE. I'm trying to understand how we would go about rotating keys, and my understanding is that Aliases are the way to go. However, I'm unclear how exactly they work in my scenario.
So for example, I create Bucket-a with default encryption using a CMK with imported KeyMaterial and with alias = alias/s3encrypt. I upload a file to the bucket which is encrypted using the original key material.

I now wish to rotate the key, which has to be done manually because the key material was imported. So I now create a new CMK, import the new material and update alias/s3encrypt to reference the new CMK. When I look at the properties of my S3 bucket it's still referencing the original master key ID. So all new files and the original file will still be encrypted using the original master key ID, which means I have to retain that key. In other words, S3 doesn't appear to respect the alias?
I thought the point of BYOK was to allow me to immediately crypto-shred - i.e. take full control of my keys and allow me to rotate when necessary, but it seems if I wish to permanently delete a key from AWS, I also have to take care of re-encrypting material that was encrypted using previous keys, and aliases don't offer a way around that? Or have I got the wrong end of the stick?

Edited by: prys on Mar 18, 2020 6:46 AM

Edited by: prys on Mar 18, 2020 8:35 AM

Prys
asked 4 years ago, 925 views
5 Answers
0

Yes, you are right. S3 does not re-encrypt your data under the new CMK by changing the alias.

When you begin using the new CMK after manual key rotation, you have to keep the original CMK enabled so that AWS KMS can decrypt data that the original CMK encrypted. When decrypting data, KMS identifies the CMK that was used to encrypt the data, and it uses the same CMK to decrypt the data. As long as you keep both the original and new CMKs enabled, AWS KMS can decrypt any data that was encrypted by either CMK.

Even in the case of automatic key rotation, rotating the CMK has no effect on the data that the CMK protects. It does not rotate the data keys that the CMK generated or re-encrypt any data protected by the CMK.

AWS
answered 4 years ago
0

Thanks very much for your reply.

Yes, that confirms the behaviour with respect to previously encrypted objects - i.e. you must retain the original master keys to maintain access. But can you confirm that updating the original alias to reference a new key has no effect on new objects uploaded into the bucket either? i.e. new objects will also be encrypted using the original key as opposed to the new key. In other words, S3 never really uses the alias - once you select an alias as the default encryption key, S3 associates with the master key, which doesn't change if you update the alias?

Prys
answered 4 years ago
0

Can you tell me how you specified the CMK to use on the bucket? Did you use the CMK ARN or the alias?

see here: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html

AWS
answered 4 years ago
0

Thanks again for your time with this.

So I've tried it two ways - i.e. console and CLI. The console allows me to select the alias (see screenshot_1.png). In this case I have an 'external' CMK (i.e. my own imported key material) with alias = alias/s3encnew. However, if I navigate away from the bucket and back in, S3 now shows my default encryption 'resolved' to the keyId of the alias - see screenshot_2.png. If I update the s3encnew alias to refer to a different keyId, the properties of my S3 bucket don't change - i.e. it still refers to the original keyId.

With the CLI, the command (aws s3api put-bucket-encryption ...) only allows specification of a 'KMSMasterKeyID' - i.e. the key ID, not the alias. It errors if I try to specify an alias within the --server-side-encryption-configuration JSON parameter.

Edited by: prys on Mar 19, 2020 1:42 PM

Prys
answered 4 years ago
0

Ok, I think I've got to the bottom of this...

To associate an S3 bucket with an alias, don't select the alias from the S3 default encryption AWS-KMS drop-down list. Instead, select 'Custom KMS ARN' and then paste the ARN of the alias you wish to use. Alternatively, you can use the ARN to specify the alias with the put-bucket-encryption CLI command as the argument to the 'KMSMasterKeyID' parameter. Doing it either of these ways retains the S3 reference to the alias, as opposed to the target key specified by the alias.

Prys
answered 4 years ago
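A small audit script that implements the check the final answer implies: given the configuration that `aws s3api get-bucket-encryption` returns, classify what form of `KMSMasterKeyID` each bucket holds and flag buckets pinned to a bare key ID or key ARN (which will not follow an alias re-point) versus those holding an alias ARN. This is an added example, not code from the thread or from AWS; the bucket names, account ID, region and key ID in the sample are constructed placeholders.

```python
import re

# Constructed sample of `aws s3api get-bucket-encryption` output for three
# buckets; the account id, region and key id are placeholders, not real values.
SAMPLE_BUCKET_ENCRYPTION = {
    "bucket-pinned": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "11111111-2222-3333-4444-555555555555"}}]},
    "bucket-alias": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:eu-west-1:123456789012:alias/s3encrypt"}}]},
    "bucket-sse-s3": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"}}]},
}

_UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
_ARN_PREFIX = r"arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:"
# The four ways a KMS key can be referenced, most specific first.
REF_PATTERNS = {
    "key_id": re.compile(rf"^{_UUID}$"),
    "key_arn": re.compile(rf"^{_ARN_PREFIX}key/{_UUID}$"),
    "alias_name": re.compile(r"^alias/[A-Za-z0-9/_-]+$"),
    "alias_arn": re.compile(rf"^{_ARN_PREFIX}alias/[A-Za-z0-9/_-]+$"),
}


def classify_kms_ref(ref):
    """Return which form of KMS key reference a KMSMasterKeyID value is."""
    for kind, pattern in REF_PATTERNS.items():
        if pattern.match(ref):
            return kind
    return "unknown"


def audit_bucket(config):
    """Report whether new objects in this bucket will follow an alias re-point.
    Only an alias ARN keeps S3 pointing at the alias; a key ID or key ARN pins
    the bucket to one CMK. Existing objects stay under the key that encrypted
    them in every case, so the old CMK must remain enabled for them."""
    rule = config["Rules"][0]["ApplyServerSideEncryptionByDefault"]
    if rule["SSEAlgorithm"] != "aws:kms":
        return {"sse": rule["SSEAlgorithm"], "ref_kind": None, "follows_alias": False}
    kind = classify_kms_ref(rule.get("KMSMasterKeyID", ""))
    return {"sse": "aws:kms", "ref_kind": kind, "follows_alias": kind == "alias_arn"}


def audit_all(buckets):
    """Audit a mapping of bucket name to encryption configuration."""
    return {name: audit_bucket(cfg) for name, cfg in buckets.items()}


if __name__ == "__main__":
    for name, result in audit_all(SAMPLE_BUCKET_ENCRYPTION).items():
        print(name, result)
```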
