Hello,
A new version of the secret will be created and encrypted with the new key. Only the new key can decrypt this new version when the check box is ticked.
When the checkbox is unticked, the existing version will be re-encrypted with the new key, but can still be decrypted with both the old and new keys.
Reference:
If you're wanting the current content of the secret value to be retained, that will happen regardless of that checkbox. The current secret value will be stored encrypted with the new KMS key.
It appears there's the distinction that if you check the box, a new version will be created and labelled as AWSCURRENT, while with the checkbox unchecked, a new version will not be created but only the AWSCURRENT, AWSPENDING, and AWSPREVIOUS versions will be re-encrypted with the new key.
Note that there isn't just one "existing version" that is affected. It's the versions with the labels AWSCURRENT, AWSPENDING, and AWSPREVIOUS that are affected. The difference is between whether a new AWSCURRENT is created exclusively accessible with the new key, or the existing AWSCURRENT is kept and encrypted both with the old key and the new key.
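To verify which of the two outcomes described in this thread actually landed on a secret, here is an added example that is not part of the original post: a Python function that walks ListSecretVersionIds for the versions carrying a staging label and reports which KMS keys each one lists in its KmsKeyIds field. The secret name, the two key ARNs and the FakeClient responses are constructed placeholders mirroring the two behaviours described above; whether the demoted AWSPREVIOUS version is also re-encrypted in the ticked case is not stated in the thread, so the sample leaves it on the old key, which is exactly the condition the report flags. A real boto3.client("secretsmanager") can be passed in place of FakeClient.

```python
# Added example, not from the original thread. Inspects which KMS keys each
# staged version of a Secrets Manager secret lists after its key was changed.
# Assumptions: secret name, key ARNs and FakeClient pages are placeholders.
from __future__ import annotations

STAGED_LABELS = ("AWSCURRENT", "AWSPENDING", "AWSPREVIOUS")

OLD_KEY = "arn:aws:kms:us-east-1:111122223333:key/old-key-id"  # placeholder
NEW_KEY = "arn:aws:kms:us-east-1:111122223333:key/new-key-id"  # placeholder


def _has_key(key_ids, key):
    """True if `key` (full ARN or bare key ID) appears in a version's KmsKeyIds."""
    return any(k == key or k.endswith("/" + key) or key.endswith("/" + k) for k in key_ids)


def staged_versions(client, secret_id):
    """Yield (version_id, labels, kms_key_ids) for every version carrying one of
    the staging labels, following NextToken pagination of ListSecretVersionIds."""
    token = None
    while True:
        kwargs = {"SecretId": secret_id}
        if token:
            kwargs["NextToken"] = token
        resp = client.list_secret_version_ids(**kwargs)
        for v in resp.get("Versions", []):
            labels = v.get("VersionStages", [])
            if any(label in STAGED_LABELS for label in labels):
                yield v["VersionId"], labels, v.get("KmsKeyIds", [])
        token = resp.get("NextToken")
        if not token:
            return


def audit_key_change(client, secret_id, old_key, new_key):
    """Classify how the key change landed on the staged versions.

    report["current"] is "new-key-only" (a fresh AWSCURRENT that only the new key
    decrypts), "reencrypted-both-keys" (existing AWSCURRENT kept, both keys listed)
    or "old-key-only" (nothing happened). report["old_key_only"] lists every
    staged version the new key cannot decrypt: disabling or scheduling deletion of
    the old key while that list is non-empty would make those versions unreadable.
    """
    report = {"current": None, "versions": {}, "old_key_only": []}
    for vid, labels, key_ids in staged_versions(client, secret_id):
        has_old, has_new = _has_key(key_ids, old_key), _has_key(key_ids, new_key)
        report["versions"][vid] = {"labels": labels, "old_key": has_old, "new_key": has_new}
        if not has_new:
            report["old_key_only"].append(vid)
        if "AWSCURRENT" in labels:
            if has_new and has_old:
                report["current"] = "reencrypted-both-keys"
            elif has_new:
                report["current"] = "new-key-only"
            else:
                report["current"] = "old-key-only"
    return report


class FakeClient:
    """Stand-in for the boto3 secretsmanager client; pages are constructed samples."""

    def __init__(self, pages):
        self._pages = pages

    def list_secret_version_ids(self, SecretId, NextToken=None, **_):
        idx = int(NextToken) if NextToken else 0
        page = dict(self._pages[idx])
        if idx + 1 < len(self._pages):
            page["NextToken"] = str(idx + 1)
        return page


# Constructed sample: checkbox ticked. A new AWSCURRENT lists only the new key;
# the demoted version is assumed (not stated in the thread) to stay on the old key.
TICKED = [
    {"Versions": [
        {"VersionId": "v2", "VersionStages": ["AWSCURRENT"], "KmsKeyIds": [NEW_KEY]},
    ]},
    {"Versions": [
        {"VersionId": "v1", "VersionStages": ["AWSPREVIOUS"], "KmsKeyIds": [OLD_KEY]},
    ]},
]

# Constructed sample: checkbox unticked. The existing AWSCURRENT and AWSPREVIOUS
# are re-encrypted, so both keys appear on each.
UNTICKED = [
    {"Versions": [
        {"VersionId": "v1", "VersionStages": ["AWSCURRENT"], "KmsKeyIds": [OLD_KEY, NEW_KEY]},
        {"VersionId": "v0", "VersionStages": ["AWSPREVIOUS"], "KmsKeyIds": [OLD_KEY, NEW_KEY]},
    ]},
]


def demo(pages):
    """Run the audit against a constructed page set; hypothetical secret name."""
    return audit_key_change(FakeClient(pages), "prod/db/password", OLD_KEY, NEW_KEY)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(TICKED), indent=2))
    print(json.dumps(demo(UNTICKED), indent=2))
```

Against a live account, swap FakeClient for `boto3.client("secretsmanager")` and pass the real secret name; the `old_key_only` list is the check to run before disabling the old CMK, since the console checkbox does not tell you afterwards which path was taken.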