First part: plain information
The private information never comes out of the KMS service. It is described in the KMS FAQs; look for "Q: Can symmetric KMS keys be exported out of the service in plain text?"
Second part: rotation
KMS key rotation is optional but recommended.
Rotating a KMS key does not rotate the data keys that the KMS key generated or re-encrypt any data protected by the KMS key, and it will not mitigate the effect of a compromised data key. (Actual mitigation would involve re-encrypting the data with newly acquired data keys).
When you use a rotated KMS key to encrypt data, AWS KMS uses the current key material. When you use the rotated KMS key to decrypt ciphertext, AWS KMS uses the version of the key material that was used to encrypt it. You cannot request a particular version of the key material. Because AWS KMS transparently decrypts with the appropriate key material, you can safely use a rotated KMS key in applications and AWS services without code changes.
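A constructed model of the behaviour described in this answer, added here as an illustration (it is not code from the answer, from AWS, or from the KMS API). `ModelKmsKey` keeps a list of key-material versions that never leave the object, `encrypt` always uses the current version and records the version id in the ciphertext, `decrypt` reads that id back so the caller cannot choose a version, and `generate_data_key` models envelope encryption. The stream cipher built from HMAC-SHA256 is a stand-in for AES-GCM so the example runs on the standard library only; it exists to model rotation semantics, not to protect data. `demo()` shows that rotating the key leaves existing wrapped data keys and data untouched, that a previously leaked data key still opens the data after rotation, and that generating a new data key and re-encrypting is what actually cuts the old key off.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def _keystream_xor(material: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher keyed by HMAC-SHA256 (stand-in for AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(material, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def seal(material: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC envelope used both by the model KMS key and by local data-key encryption."""
    nonce = secrets.token_bytes(12)
    body = _keystream_xor(material, nonce, plaintext)
    tag = hmac.new(material, nonce + body, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "body": body.hex(), "tag": tag.hex()}


def open_sealed(material: bytes, env: dict) -> bytes:
    """Verify the tag, then decrypt; a wrong key fails authentication instead of returning garbage."""
    nonce, body, tag = (bytes.fromhex(env[k]) for k in ("nonce", "body", "tag"))
    expected = hmac.new(material, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key material")
    return _keystream_xor(material, nonce, body)


@dataclass
class ModelKmsKey:
    """Model of a symmetric KMS key: material stays inside; each rotation appends a version."""
    versions: list = field(default_factory=lambda: [secrets.token_bytes(32)])

    @property
    def current_version(self) -> int:
        return len(self.versions) - 1

    def rotate(self) -> int:
        self.versions.append(secrets.token_bytes(32))  # old versions are kept for decryption
        return self.current_version

    def encrypt(self, plaintext: bytes) -> bytes:
        # New operations always use the current material; the version id travels with the ciphertext.
        v = self.current_version
        env = seal(self.versions[v], plaintext)
        env["v"] = v
        return json.dumps(env).encode()

    def decrypt(self, ciphertext: bytes) -> bytes:
        # The version is taken from the ciphertext; a caller cannot request one.
        env = json.loads(ciphertext)
        return open_sealed(self.versions[env["v"]], env)

    def generate_data_key(self) -> tuple:
        """Envelope encryption: plaintext data key plus the same key wrapped under the current version."""
        data_key = secrets.token_bytes(32)
        return data_key, self.encrypt(data_key)


def demo() -> dict:
    kms = ModelKmsKey()
    data_key, wrapped = kms.generate_data_key()
    record = seal(data_key, b"customer record")  # constructed sample data, encrypted with the data key only

    kms.rotate()
    results = {
        "wrapped_version": json.loads(wrapped)["v"],             # old envelope still references version 0
        "new_encrypt_version": json.loads(kms.encrypt(b"x"))["v"],  # fresh ciphertext uses version 1
        "unwrap_after_rotation_ok": kms.decrypt(wrapped) == data_key,  # transparent decrypt, no code change
        "leaked_data_key_still_works": open_sealed(data_key, record) == b"customer record",
    }

    # Actual mitigation for a compromised data key: new data key, re-encrypt, retire the old key.
    new_key, new_wrapped = kms.generate_data_key()
    record = seal(new_key, open_sealed(data_key, record))
    try:
        open_sealed(data_key, record)
        results["old_key_opens_reencrypted"] = True
    except ValueError:
        results["old_key_opens_reencrypted"] = False
    results["new_wrapped_version"] = json.loads(new_wrapped)["v"]
    return results


if __name__ == "__main__":
    print(demo())
```

The version id stored in the ciphertext is what makes the "no code changes" claim work: the application passes ciphertext back and the service picks the material. Rotation only changes what future `encrypt` calls use, which is why the leaked data key check still succeeds until the data is re-encrypted under a new data key.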