Is re-encrypting my encrypted data with Secrets Manager's Lambda function best practice?


Hi, I am implementing an automatic key rotation system at my service, but I don't know whether this way is BP. I have requirements such as below:

  1. keys have to rotate automatically with Secrets Manager periodically
  2. we have to discard data keys which reached their expiry date because of law, so I have to re-encrypt my encrypted data if it reaches its expiry date.

So, I think if I use a Secrets Manager Lambda, I can implement the requirements completely. And this is a better way compared with implementing the rotate and re-encrypt logic directly at my own server. But is it Best Practice?

Can I get some reference or template?

I found a reference at Reddit https://www.reddit.com/r/aws/comments/11vyy7k/rotate_password_stored_in_a_file_using_aws/

1 Answer

An example Lambda function in Node.js that re-encrypts data with a new encryption key. This is just an example and you will need to modify it to fit your specific use case. I hope this helps.

const AWS = require('aws-sdk');
const kms = new AWS.KMS();
const secretsManager = new AWS.SecretsManager();

exports.handler = async (event, context) => {
  // Get the new version of the encryption key from Secrets Manager.
  // The secret is assumed to hold the ID (or ARN) of the new KMS key.
  const secret = await secretsManager.getSecretValue({ SecretId: 'my-secret-id' }).promise();
  const newKeyId = secret.SecretString;

  // event.data is the existing ciphertext (base64). KMS ReEncrypt decrypts it
  // under the key it was originally encrypted with and encrypts it again under
  // the new key, so the plaintext never leaves KMS or enters Lambda memory.
  const ciphertext = Buffer.from(event.data, 'base64');
  const reEncrypted = await kms.reEncrypt({
    CiphertextBlob: ciphertext,
    DestinationKeyId: newKeyId,
  }).promise();

  // Return the re-encrypted data
  return { data: reEncrypted.CiphertextBlob.toString('base64') };
};

answered a year ago
