Why is AWS KMS CMK key rotation disabled by default?

0

Hi. In AWS KMS, for a symmetric encryption customer-managed key (CMK) with key material created by AWS KMS, we can enable automatic key rotation. According to the AWS documentation, automatic key rotation is a best practice. Automatic key rotation is even enabled by default for AWS managed keys, without an option to disable it.

If the key rotation is a good security practice:

  • Why does AWS provide an option to disable automatic AWS KMS key rotation for CMK with key material created by AWS KMS?
  • Why is the automatic key rotation option disabled by default when you create AWS KMS CMK with key material created by AWS KMS?
asked 6 months ago · 299 views
1 Answer
0

Hello.

Why does AWS provide an option to disable automatic AWS KMS key rotation for CMK with key material created by AWS KMS?

You may also disable it if you want to manage keys using manual rotation instead of automatic rotation.
If you want to rotate keys more frequently than automatic key rotation, you will need to do it manually.

Why is the automatic key rotation option disabled by default when you create AWS KMS CMK with key material created by AWS KMS?

This is considered to be a measure when there are applications that do not support automatic key rotation.
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

Despite this very low exhaustion risk, you might be required to rotate your KMS keys due to business or contract rules or government regulations. When you are compelled to rotate KMS keys, we recommend that you use automatic key rotation where it is supported, and manual key rotation when automatic key rotation is not supported.

EXPERT
answered 6 months ago
  • Thank you for your answer. You mentioned: "You may also disable it if you want to manage keys using manual rotation instead of automatic rotation. If you want to rotate keys more frequently than automatic key rotation, you will need to do it manually." If I understand you correctly, you are saying that the option to disable should be used only for manual key rotation. But if I enable automatic key rotation, I can still perform manual key rotation without disabling the automatic one. So what is the point of having such an option in AWS KMS for a CMK with key material created by AWS KMS?

  • You mentioned: "This is considered to be a measure when there are applications that do not support automatic key rotation." Sorry, I should have also mentioned in the question that it is about a symmetric CMK with key material created by AWS KMS. In this case, with the automatic key rotation option, the key rotation happens automatically on the AWS side. Can you provide an example of an app that does not support automatic key rotation? How can an app be responsible for automatic key rotation if the automatic key rotation logic is hidden by AWS?
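An added example (not from the post or from AWS) that turns the conditions discussed above into an audit: it classifies each key as auto-rotatable (symmetric, customer-managed, key material generated by KMS) or not, reports which rotatable keys still have rotation switched off, and can enable it. The boto3 KMS client method names used (list_keys, describe_key, get_key_rotation_status, enable_key_rotation) are assumed; FakeKms is a constructed stand-in so the example runs offline.

```python
def rotation_applies(meta):
    """True when KMS can auto-rotate the key: symmetric, customer-managed, KMS-generated material.
    meta is the KeyMetadata dict from describe_key."""
    return (meta["KeyManager"] == "CUSTOMER"          # not an AWS managed key
            and meta["Origin"] == "AWS_KMS"           # not imported or CloudHSM material
            and meta.get("KeySpec", "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT")

def audit_rotation(kms, remediate=False):
    """Walk every key visible to `kms`; return {key_id: finding}.
    kms needs the boto3 KMS client methods list_keys, describe_key,
    get_key_rotation_status and enable_key_rotation (assumed to exist as named).
    With remediate=True, automatic rotation is switched on where it is off."""
    findings, marker = {}, None
    while True:
        page = kms.list_keys(Marker=marker) if marker else kms.list_keys()
        for key in page["Keys"]:
            kid = key["KeyId"]
            meta = kms.describe_key(KeyId=kid)["KeyMetadata"]
            if meta["KeyState"] == "PendingDeletion" or not rotation_applies(meta):
                findings[kid] = "not-applicable"
                continue
            if kms.get_key_rotation_status(KeyId=kid)["KeyRotationEnabled"]:
                findings[kid] = "ok"
            elif remediate:
                kms.enable_key_rotation(KeyId=kid)
                findings[kid] = "rotation-enabled-now"
            else:
                findings[kid] = "rotation-disabled"
        if not page.get("Truncated"):
            return findings
        marker = page["NextMarker"]

class FakeKms:
    """Constructed stand-in for the boto3 KMS client, seeded with three sample keys."""
    def __init__(self):
        sym = {"KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled"}
        self.keys = {
            "k-aws": dict(sym, KeyManager="AWS", Origin="AWS_KMS"),        # AWS managed: always rotated
            "k-cmk": dict(sym, KeyManager="CUSTOMER", Origin="AWS_KMS"),   # CMK with rotation left off
            "k-ext": dict(sym, KeyManager="CUSTOMER", Origin="EXTERNAL"),  # imported material: manual only
        }
        self.rotation = {"k-aws": True, "k-cmk": False, "k-ext": False}
    def list_keys(self, **_):
        return {"Keys": [{"KeyId": k} for k in self.keys], "Truncated": False}
    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self.keys[KeyId], KeyId=KeyId)}
    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self.rotation[KeyId]}
    def enable_key_rotation(self, KeyId):
        self.rotation[KeyId] = True
```

Against a real account, pass `boto3.client("kms")` in place of FakeKms(); keys with imported material are reported as not applicable because, as the answer says, they can only be rotated manually.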
