AWS Key Management Service (KMS) Key Rotation
AWS KMS allows for the secure management of encryption keys used to encrypt data. Key rotation is a critical aspect of maintaining the security of encrypted data over time. AWS KMS offers two types of key rotation for customer-managed customer master keys (CMKs):
Automatic Key Rotation
- Frequency: Occurs automatically once a year for customer-managed CMKs (not applicable to AWS-managed CMKs).
- Key ID Unchanged: The CMK ID remains the same, ensuring seamless application integration. Only the backing key (the cryptographic material) is changed.
- Old Key Retention: The old backing key is preserved to ensure continued access to data encrypted with it.
- Non-configurable Period: The rotation period is fixed at one year and cannot be altered.
Manual Key Rotation
- Flexibility in Frequency: Users can rotate keys manually at any desired frequency (e.g., every 90 or 180 days).
- New Key ID: Each manually rotated key gets a new CMK ID.
- Old Key Preservation: The previous key remains active for decrypting old data, preventing data loss.
- Use of Aliases: It's recommended to use aliases for encryption and decryption operations. Aliases decouple the actual CMK from the application, making key rotation transparent to the application layer.
Implementing Manual Key Rotation with Aliases
- Before Rotation: An alias (e.g., MyCustomKey) points to the original CMK ID and its backing key.
- During Rotation: A new CMK is created (with a new CMK ID and backing key), and the alias is updated to point to this new key.
- Update Process: The UpdateAlias API call is used to point the alias to the new CMK, making the rotation transparent to applications.
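The three steps above, worked through as an added example that is not part of the original notes and does not call AWS or boto3: a hypothetical in-memory ToyKms models the two properties the rotation relies on (the alias is resolved only at encrypt time, and every ciphertext carries the ID of the key that produced it), so data encrypted before UpdateAlias still decrypts as long as the old key is kept. The SHA-256 keystream and the "key-..." IDs are constructed for illustration only.

```python
import hashlib
import secrets


class ToyKms:
    """Hypothetical stand-in for KMS: key store, alias table, ciphertext that embeds its key ID."""
    def __init__(self):
        self.keys = {}     # key_id -> 32-byte backing key material
        self.aliases = {}  # "alias/..." -> key_id
    def create_key(self):
        key_id = "key-" + secrets.token_hex(4)  # 12 characters, fixed width
        self.keys[key_id] = secrets.token_bytes(32)
        return key_id

    def create_alias(self, alias, key_id):
        self.aliases[alias] = key_id
    def update_alias(self, alias, key_id):  # the UpdateAlias step of the rotation
        self.aliases[alias] = key_id

    def _keystream(self, key, nonce, n):
        # Toy counter-mode keystream from SHA-256: illustration only, not a real cipher
        blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(n // 32 + 1))
        return b"".join(blocks)[:n]

    def encrypt(self, key_ref, plaintext):
        key_id = self.aliases.get(key_ref, key_ref)  # alias or direct key ID, as in KMS Encrypt
        nonce = secrets.token_bytes(12)
        ks = self._keystream(self.keys[key_id], nonce, len(plaintext))
        body = bytes(p ^ k for p, k in zip(plaintext, ks))
        return key_id.encode() + nonce + body  # key ID travels inside the ciphertext

    def decrypt(self, blob):  # no alias needed: the blob names the key that produced it
        key_id, nonce, body = blob[:12].decode(), blob[12:24], blob[24:]
        ks = self._keystream(self.keys[key_id], nonce, len(body))  # KeyError if key was deleted
        return bytes(c ^ k for c, k in zip(body, ks))


def rotate_via_alias(kms, alias):
    """Manual rotation: create a new key and repoint the alias; the old key is kept."""
    new_key = kms.create_key()
    kms.update_alias(alias, new_key)
    return new_key


def demo():  # encrypt under the alias, rotate, encrypt again; both blobs stay decryptable
    kms = ToyKms()
    kms.create_alias("alias/MyCustomKey", kms.create_key())
    before = kms.encrypt("alias/MyCustomKey", b"record 1")  # constructed sample data
    rotate_via_alias(kms, "alias/MyCustomKey")
    after = kms.encrypt("alias/MyCustomKey", b"record 2")
    return kms, before, after
```

Removing the old key from `kms.keys` after rotation makes `before` undecryptable, which is the data-loss case the "Old Key Preservation" point guards against.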
Key Points for Exams
- Automatic Rotation Period: Fixed at one year.
- Manual Rotation Flexibility: Can be set to shorter periods like 90 or 180 days, based on security requirements.
- Aliases: Using aliases for key management can simplify the process of key rotation and make it transparent to applications.