Hello, Your understanding about manual rotation of key is correct. You might prefer to rotate keys manually so you can control the rotation frequency. The process of replacing one KMS key with another is known as manual key rotation. Use an alias to refer to a KMS key in your applications. Then, when you want to change the KMS key that the application uses, instead of editing your application code, change the target KMS key of the alias.
Deleting/Retiring an AWS KMS key is destructive and potentially dangerous. After a KMS key is deleted, you can no longer decrypt the data that was encrypted under that KMS key, which means that data becomes unrecoverable. You should delete a KMS key only when you are sure that you don't need to use it anymore. So for DynamoDB tables, you need to encrypt data with the new key before deleting the old key. This is to ensure that the old key is not used anywhere to encrypt.
Useful articles:
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
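The rotation flow described in the answer above (retarget the alias, move the DynamoDB table onto the new key, only then schedule the old key for deletion) as an added example; this is not code from the answer or from AWS. It assumes boto3-style `kms` and `dynamodb` clients are passed in by the caller, and the alias name, table name and key ids are placeholders.

```python
# Manual KMS key rotation via alias swap, with a guard that refuses to schedule
# the old key for deletion while a DynamoDB table still references it.
# Clients are injected (boto3 kms / dynamodb clients in real use) so the logic
# can be exercised without AWS access. Names and ids here are placeholders.

def alias_target(kms, alias_name):
    """Return the key id the alias currently points to (walks list_aliases pages)."""
    marker = None
    while True:
        page = kms.list_aliases(**({"Marker": marker} if marker else {}))
        for a in page["Aliases"]:
            if a["AliasName"] == alias_name:
                return a.get("TargetKeyId")
        if not page.get("Truncated"):
            return None
        marker = page["NextMarker"]

def rotate_alias(kms, alias_name, new_key_id):
    """Retarget the alias so applications pick up the new key without a code change.
    Returns the previous target key id, i.e. the key that now has to be retired."""
    old_key_id = alias_target(kms, alias_name)
    if old_key_id != new_key_id:
        kms.update_alias(AliasName=alias_name, TargetKeyId=new_key_id)
    return old_key_id

def reencrypt_table(dynamodb, table_name, new_key_id):
    """Switch the table's server-side encryption to the new customer managed key.
    The update is asynchronous; wait for the table to leave UPDATING before checking."""
    dynamodb.update_table(
        TableName=table_name,
        SSESpecification={"Enabled": True, "SSEType": "KMS", "KMSMasterKeyId": new_key_id},
    )

def table_key_arn(dynamodb, table_name):
    """ARN of the KMS key the table currently encrypts under (None if not KMS-encrypted)."""
    table = dynamodb.describe_table(TableName=table_name)["Table"]
    return table.get("SSEDescription", {}).get("KMSMasterKeyArn")

def retire_old_key(kms, dynamodb, old_key_id, table_names, pending_days=30):
    """Schedule deletion only when none of the listed tables still use the old key.
    Returns True if deletion was scheduled, False if a table still references it."""
    old_arn = kms.describe_key(KeyId=old_key_id)["KeyMetadata"]["Arn"]
    still_using = [t for t in table_names if table_key_arn(dynamodb, t) == old_arn]
    if still_using:
        return False  # data under the old key would become unrecoverable
    kms.schedule_key_deletion(KeyId=old_key_id, PendingWindowInDays=pending_days)
    return True
```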