Why is AWS KMS CMK key rotation disabled by default?

0

Hi. In AWS KMS, for a symmetric encryption customer-managed key (CMK) with key material created by AWS KMS, we can enable automatic key rotation. And according to the AWS documentation, automatic key rotation is a best practice. Automatic key rotation is even enabled by default for AWS managed keys, without an option to disable it.

If the key rotation is a good security practice:

  • Why does AWS provide an option to disable automatic AWS KMS key rotation for a CMK with key material created by AWS KMS?
  • Why is the automatic key rotation option disabled by default when you create an AWS KMS CMK with key material created by AWS KMS?
Asked 6 months ago, 320 views
1 answer
0

Hello.

Why does AWS provide an option to disable automatic AWS KMS key rotation for a CMK with key material created by AWS KMS?

You may also disable it if you want to manage keys using manual rotation instead of automatic rotation.
If you want to rotate keys more frequently than automatic key rotation, you will need to do it manually.

Why is the automatic key rotation option disabled by default when you create an AWS KMS CMK with key material created by AWS KMS?

This is considered to be a measure when there are applications that do not support automatic key rotation.
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

Despite this very low exhaustion risk, you might be required to rotate your KMS keys due to business or contract rules or government regulations. When you are compelled to rotate KMS keys, we recommend that you use automatic key rotation where it is supported, and manual key rotation when automatic key rotation is not supported.

Expert
Answered 6 months ago
  • Thank you for your answer. You mentioned: "You may also disable it if you want to manage keys using manual rotation instead of automatic rotation. If you want to rotate keys more frequently than automatic key rotation, you will need to do it manually." If I understand you correctly, you are saying that the option to disable should be used only for manual key rotation. But if I enable automatic key rotation, I can still perform manual key rotation without disabling the automatic one. So what is the point of having such an option in AWS KMS for a CMK with key material created by AWS KMS?

  • You mentioned, "This is considered to be a measure when there are applications that do not support automatic key rotation." Sorry, I should have also mentioned in the question that it is about a symmetric CMK with key material created by AWS KMS. In this case, with the automatic key rotation option, the key rotation happens automatically inside AWS. Can you provide an example of an app that does not support automatic key rotation? How can an app be responsible for automatic key rotation if the automatic key rotation logic is hidden by AWS?
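The answer above distinguishes automatic rotation (KMS generates new backing key material behind the same key ID) from manual rotation (you create a new key and repoint the alias), and the follow-up comment observes that the two can coexist. The script below, an added example that is not code from this thread or from AWS, shows both against the boto3 KMS client interface: it audits which keys are eligible for automatic rotation (customer-managed, `SYMMETRIC_DEFAULT`, `Origin` `AWS_KMS`), turns rotation on where it is off, and performs a manual rotation by creating a new key and moving the alias. The `FakeKms` class is a constructed in-memory stand-in so the example runs offline; the key IDs it generates are placeholders, not real KMS IDs. Passing a real `boto3.client("kms")` in its place would exercise the same calls (`describe_key`, `get_key_rotation_status`, `enable_key_rotation`, `create_key`, `create_alias`, `update_alias`).

```python
"""Audit, enforce and manually rotate KMS key rotation.

Added example (not from the re:Post thread). Written against the boto3 KMS
client method names; FakeKms below is a constructed stand-in for offline use.
"""
import itertools


def supports_automatic_rotation(meta: dict) -> bool:
    """Automatic rotation is only available for customer-managed symmetric
    keys whose material was generated by KMS (not imported, not asymmetric,
    not AWS-managed). These are fields of the describe_key KeyMetadata."""
    return (meta["KeyManager"] == "CUSTOMER"
            and meta["KeySpec"] == "SYMMETRIC_DEFAULT"
            and meta["Origin"] == "AWS_KMS")


def audit_rotation(kms, key_ids):
    """Return {key_id: 'rotating' | 'not-rotating' | 'unsupported'}."""
    report = {}
    for key_id in key_ids:
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        if not supports_automatic_rotation(meta):
            report[key_id] = "unsupported"
            continue
        enabled = kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]
        report[key_id] = "rotating" if enabled else "not-rotating"
    return report


def enforce_automatic_rotation(kms, key_ids):
    """Enable rotation on every eligible key that has it off; return those changed.
    Keys reported 'unsupported' are skipped, since enable_key_rotation would fail."""
    changed = []
    for key_id, state in audit_rotation(kms, key_ids).items():
        if state == "not-rotating":
            kms.enable_key_rotation(KeyId=key_id)
            changed.append(key_id)
    return changed


def manual_rotate(kms, alias_name, description="manually rotated key"):
    """Manual rotation as the AWS docs describe it: create a fresh key and
    repoint the alias. The old key is left enabled so existing ciphertext,
    which carries the ID of the key that produced it, still decrypts."""
    new_key_id = kms.create_key(Description=description,
                                KeySpec="SYMMETRIC_DEFAULT",
                                KeyUsage="ENCRYPT_DECRYPT")["KeyMetadata"]["KeyId"]
    kms.update_alias(AliasName=alias_name, TargetKeyId=new_key_id)
    return new_key_id


class FakeKms:
    """Constructed in-memory stand-in for the boto3 KMS client (example only)."""

    def __init__(self):
        self._keys, self._aliases, self._ids = {}, {}, itertools.count(1)

    def create_key(self, Description="", KeySpec="SYMMETRIC_DEFAULT",
                   KeyUsage="ENCRYPT_DECRYPT", Origin="AWS_KMS"):
        key_id = f"placeholder-key-{next(self._ids):04d}"  # real KMS returns a UUID
        self._keys[key_id] = {
            "KeyMetadata": {"KeyId": key_id, "KeyManager": "CUSTOMER",
                            "KeySpec": KeySpec, "Origin": Origin,
                            "Description": Description},
            "RotationEnabled": False,  # KMS default for a new customer-managed key
        }
        return self.describe_key(key_id)

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self._keys[KeyId]["KeyMetadata"])}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self._keys[KeyId]["RotationEnabled"]}

    def enable_key_rotation(self, KeyId):
        if not supports_automatic_rotation(self._keys[KeyId]["KeyMetadata"]):
            raise ValueError("UnsupportedOperationException: key cannot be rotated")
        self._keys[KeyId]["RotationEnabled"] = True
        return {}

    def create_alias(self, AliasName, TargetKeyId):
        self._aliases[AliasName] = TargetKeyId
        return {}

    def update_alias(self, AliasName, TargetKeyId):
        if AliasName not in self._aliases:
            raise KeyError("NotFoundException: alias does not exist")
        self._aliases[AliasName] = TargetKeyId
        return {}

    def alias_target(self, AliasName):
        return self._aliases[AliasName]


def demo():
    """Walk a constructed account: one KMS-generated key, one with imported material."""
    kms = FakeKms()
    app_key = kms.create_key(Description="app data key")["KeyMetadata"]["KeyId"]
    imported = kms.create_key(Description="imported", Origin="EXTERNAL")["KeyMetadata"]["KeyId"]
    kms.create_alias(AliasName="alias/app", TargetKeyId=app_key)
    before = audit_rotation(kms, [app_key, imported])
    changed = enforce_automatic_rotation(kms, [app_key, imported])
    new_key = manual_rotate(kms, "alias/app")          # manual rotation...
    enforce_automatic_rotation(kms, [new_key])         # ...and automatic on the new key too
    return {"old_key": app_key, "imported": imported, "new_key": new_key,
            "before": before, "changed": changed,
            "after": audit_rotation(kms, [app_key, imported, new_key]),
            "alias_target": kms.alias_target("alias/app")}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the new customer-managed key starting as `not-rotating`, the imported-material key as `unsupported` (enabling rotation on it would raise in real KMS as well), and, after the manual rotation, the alias pointing at the new key with automatic rotation enabled on it, which is the coexistence the comment above asks about.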
