Automatic Key Rotation in KMS
1. Customer-Managed KMS Keys (CMKs)
- Automatic rotation is supported only for symmetric keys (key spec: SYMMETRIC_DEFAULT).
- When enabled, AWS rotates the key material every year (every 365 days).
- Previous versions of the key are retained to allow decryption of old data.
- You can enable automatic rotation using the AWS Management Console, AWS CLI, or AWS SDK.
Example using AWS CLI:
aws kms enable-key-rotation --key-id <your-key-id>
2. Asymmetric KMS Keys
- Automatic key rotation is not supported.
- If you want to rotate an asymmetric key, you must create a new key manually and update your applications to use it.
3. AWS-Managed Keys (such as those used by S3, EBS, etc.)
- AWS handles rotation automatically every 3 years.
- You cannot enable, disable, or customize rotation for these keys.
Notes
- Rotation only changes the cryptographic key material, not the key ID or alias.
- You can implement manual key rotation by creating a new key and updating your systems to use it.
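The rules above (symmetric customer-managed keys can have automatic rotation enabled, asymmetric keys need a new key plus a client update, AWS-managed keys cannot be configured) are easy to get wrong across a fleet of keys. The following Python script is an added example, not from the original text or from AWS: it audits a list of keys and enables rotation only where AWS allows it. It assumes a client exposing the real boto3 KMS calls describe_key, get_key_rotation_status and enable_key_rotation; the FakeKms class and its key IDs are constructed stand-ins so the script runs offline, and with real AWS you would pass boto3.client("kms") instead.

```python
"""Audit KMS keys for automatic rotation and enable it where AWS allows.

Added example (not the page's or AWS's own code). Real use: pass
boto3.client("kms") as the ``kms`` argument; FakeKms below is a constructed
stand-in whose key IDs and metadata are made up for offline runs.
"""
import copy

# Decision outcomes returned by rotation_plan()/ensure_rotation().
AWS_MANAGED = "aws-managed"           # AWS rotates it; nothing to configure
MANUAL_REQUIRED = "manual-required"   # asymmetric: create new key, repoint clients
SKIP_NOT_ENABLED = "skip-not-enabled" # disabled / pending deletion; leave alone
ALREADY_ENABLED = "already-enabled"   # symmetric CMK, rotation already on
ENABLE = "enable"                     # symmetric CMK, rotation off -> enable it


def rotation_plan(metadata, rotation_enabled):
    """Classify one key from describe_key()['KeyMetadata'] plus its rotation flag."""
    if metadata.get("KeyManager") == "AWS":
        return AWS_MANAGED
    if metadata.get("KeySpec") != "SYMMETRIC_DEFAULT":
        return MANUAL_REQUIRED
    if metadata.get("KeyState") != "Enabled":
        return SKIP_NOT_ENABLED
    return ALREADY_ENABLED if rotation_enabled else ENABLE


def ensure_rotation(kms, key_id, dry_run=False):
    """Return the action taken (or that would be taken) for key_id."""
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    rotation_enabled = False
    # Only ask for rotation status on symmetric keys; the real API rejects
    # the call for asymmetric key specs.
    if meta.get("KeySpec") == "SYMMETRIC_DEFAULT":
        rotation_enabled = kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]
    action = rotation_plan(meta, rotation_enabled)
    if action == ENABLE and not dry_run:
        kms.enable_key_rotation(KeyId=key_id)
    return action


def audit(kms, key_ids, dry_run=False):
    """Map every key ID to the action applied to it."""
    return {key_id: ensure_rotation(kms, key_id, dry_run) for key_id in key_ids}


class FakeKms:
    """Constructed in-memory stand-in for boto3.client('kms')."""

    def __init__(self, keys):
        self._keys = keys  # key_id -> {"KeyMetadata": {...}, "rotation": bool}
        self.calls = []    # record of API calls, useful for dry-run checks

    def describe_key(self, KeyId):
        self.calls.append(("describe_key", KeyId))
        return {"KeyMetadata": dict(self._keys[KeyId]["KeyMetadata"])}

    def get_key_rotation_status(self, KeyId):
        self.calls.append(("get_key_rotation_status", KeyId))
        return {"KeyRotationEnabled": self._keys[KeyId]["rotation"]}

    def enable_key_rotation(self, KeyId):
        self.calls.append(("enable_key_rotation", KeyId))
        self._keys[KeyId]["rotation"] = True
        return {}


def _meta(manager, spec, state):
    return {"KeyManager": manager, "KeySpec": spec, "KeyState": state}


# Constructed sample fleet; IDs are placeholders, not real KMS key IDs.
SAMPLE_KEYS = {
    "key-sym-off": {"KeyMetadata": _meta("CUSTOMER", "SYMMETRIC_DEFAULT", "Enabled"), "rotation": False},
    "key-sym-on": {"KeyMetadata": _meta("CUSTOMER", "SYMMETRIC_DEFAULT", "Enabled"), "rotation": True},
    "key-rsa": {"KeyMetadata": _meta("CUSTOMER", "RSA_2048", "Enabled"), "rotation": False},
    "key-aws-s3": {"KeyMetadata": _meta("AWS", "SYMMETRIC_DEFAULT", "Enabled"), "rotation": True},
    "key-sym-disabled": {"KeyMetadata": _meta("CUSTOMER", "SYMMETRIC_DEFAULT", "Disabled"), "rotation": False},
}


def run_sample_audit(dry_run=False):
    """Run the audit over the constructed fleet; returns (client, results)."""
    kms = FakeKms(copy.deepcopy(SAMPLE_KEYS))
    results = audit(kms, sorted(SAMPLE_KEYS), dry_run=dry_run)
    return kms, results


if __name__ == "__main__":
    _, outcome = run_sample_audit()
    for key_id, action in outcome.items():
        print(f"{key_id:18s} {action}")
```

Run it with dry_run=True first to get a report of which keys would be changed; keys classified as manual-required are the asymmetric ones the page says must be rotated by creating a new key and updating the applications that use it.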
Would you like steps to enable automatic rotation or guidance on setting up manual rotation?