KMS Key Rotation

0

IHAC who has an organizational requirement to rotate the KMS key every 6 months. Currently, they have auto-rotation enabled for a year. Additionally, in case of an incident they want to rotate the key immediately. Is this possible?

2 Answers
2
Accepted Answer

As of May 2024, it is now possible to rotate customer-managed KMS keys (CMK) on demand through the Management Console or CLI (using the RotateKeyOnDemand API) in all regions. Keys that are not eligible for on-demand rotation include imported keys, asymmetric keys, HMAC keys, and keys generated in a CloudHSM custom key store. Amazon-managed KMS keys are automatically rotated every year and cannot be rotated on demand.

You can rotate a CMK on demand regardless of whether automatic key rotation is enabled. To rotate a key on demand from the Management Console:

  1. In your account, go to the Key Management Service console.
  2. Select the alias of the CMK key you’d like to rotate.
  3. Select Key Rotation.
  4. In On-Demand Key Rotation, click Rotate Now.

To ensure that a key rotation is successful, view the Key Rotation History panel for all past completed key rotations.

Each CMK has a lifetime maximum of 10 rotations. The number of remaining rotations is displayed under On-Demand Key Rotation. It is not currently possible to surpass this limit. To rotate a key on demand from the CLI, use the RotateKeyOnDemand API (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/rotate-key-on-demand.html):

aws kms rotate-key-on-demand --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

Use the GetKeyRotationStatus API to identify any in-progress on-demand rotations (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/get-key-rotation-status.html).

To ensure that a key rotation was performed successfully, use the ListKeyRotations API to list all completed on-demand rotations of a key (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/list-key-rotations.html).

AWS
answered 1 month ago
EXPERT
reviewed 1 month ago
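The three calls named in the accepted answer (GetKeyRotationStatus, RotateKeyOnDemand, ListKeyRotations) fit together into a small check-then-rotate routine. The script below is an added example, not code from the answer or from AWS. It assumes the response shapes of the boto3 KMS client (`KeyRotationEnabled`, `RotationPeriodInDays`, `OnDemandRotationStartDate`, and `Rotations[].RotationType` of `AUTOMATIC` or `ON_DEMAND`); the client is injected, so in real use you pass `boto3.client("kms")`, while the included `FakeKms` is a constructed in-memory stand-in that lets the script run without an AWS account. The 10-rotation lifetime limit and the "rotation already in progress" case from the answer are handled before the rotate call is made.

```python
"""Rotate a customer-managed KMS key on demand and verify the result.

Added example (not from the re:Post answer). `kms` is any object exposing
get_key_rotation_status / list_key_rotations / rotate_key_on_demand with
boto3's keyword arguments and response dicts; FakeKms below is a constructed
offline stand-in for boto3.client("kms").
"""
from datetime import datetime, timedelta, timezone

ON_DEMAND_LIFETIME_LIMIT = 10  # lifetime maximum of on-demand rotations per key


def rotation_summary(status, rotations):
    """Interpret a GetKeyRotationStatus response plus ListKeyRotations entries."""
    on_demand = [r for r in rotations if r.get("RotationType") == "ON_DEMAND"]
    automatic = [r for r in rotations if r.get("RotationType") == "AUTOMATIC"]
    return {
        "auto_rotation_enabled": bool(status.get("KeyRotationEnabled")),
        "rotation_period_days": status.get("RotationPeriodInDays"),
        # The service only includes this field while an on-demand rotation is running.
        "on_demand_in_progress": "OnDemandRotationStartDate" in status,
        "completed_on_demand": len(on_demand),
        "completed_automatic": len(automatic),
        "remaining_on_demand": max(0, ON_DEMAND_LIFETIME_LIMIT - len(on_demand)),
    }


def list_all_rotations(kms, key_id):
    """Collect every completed rotation, following Truncated/NextMarker paging."""
    rotations, marker = [], None
    while True:
        kwargs = {"KeyId": key_id}
        if marker:
            kwargs["Marker"] = marker
        page = kms.list_key_rotations(**kwargs)
        rotations.extend(page.get("Rotations", []))
        if not page.get("Truncated"):
            return rotations
        marker = page["NextMarker"]


def rotate_on_demand(kms, key_id):
    """Start an on-demand rotation unless one is running or the lifetime budget is spent."""
    status = kms.get_key_rotation_status(KeyId=key_id)
    summary = rotation_summary(status, list_all_rotations(kms, key_id))
    if summary["on_demand_in_progress"]:
        return {"started": False, "reason": "rotation already in progress", **summary}
    if summary["remaining_on_demand"] == 0:
        return {"started": False, "reason": "lifetime on-demand limit reached", **summary}
    kms.rotate_key_on_demand(KeyId=key_id)
    return {"started": True, "reason": None, **summary}


class FakeKms:
    """Constructed stand-in for the boto3 KMS client: in-memory, no AWS calls."""

    def __init__(self, key_id, prior_on_demand=0, in_progress=False):
        self.key_id = key_id
        self.in_progress = in_progress
        now = datetime.now(timezone.utc)
        self.rotations = [
            {"KeyId": key_id, "RotationDate": now - timedelta(days=365), "RotationType": "AUTOMATIC"}
        ] + [
            {"KeyId": key_id, "RotationDate": now - timedelta(days=30 * (i + 1)), "RotationType": "ON_DEMAND"}
            for i in range(prior_on_demand)
        ]

    def get_key_rotation_status(self, KeyId):
        resp = {"KeyId": KeyId, "KeyRotationEnabled": True, "RotationPeriodInDays": 365}
        if self.in_progress:
            resp["OnDemandRotationStartDate"] = datetime.now(timezone.utc)
        return resp

    def list_key_rotations(self, KeyId, Marker=None, Limit=None):
        return {"Rotations": list(self.rotations), "Truncated": False}

    def rotate_key_on_demand(self, KeyId):
        self.in_progress = True  # the real service lists it in ListKeyRotations once complete
        return {"KeyId": KeyId}


if __name__ == "__main__":
    # Constructed key id (same placeholder format as the CLI example in the answer).
    fake = FakeKms("1234abcd-12ab-34cd-56ef-1234567890ab", prior_on_demand=3)
    print(rotate_on_demand(fake, fake.key_id))   # starts; 7 on-demand rotations left
    print(rotate_on_demand(fake, fake.key_id))   # refused: already in progress
```

Replace `FakeKms(...)` with `boto3.client("kms")` to run it against a real key; nothing else changes, since the functions only use the documented call names and response fields.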
0

You can rotate the key any time you like, up to 10 times. The process is described in documentation: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-on-demand

On a side note and perhaps on a topic you may know full well, while your customer might know less about, I'm not sure how thoroughly your customer has thought their requirements through. If they have an incident on their side, it wouldn't be the KMS key primarily used for envelope encryption that would be exposed, in practice. It would conceivably be one or several of the data keys encrypted with the KMS key that could be compromised. The data keys previously used to encrypt data wouldn't be affected by the KMS key getting rotated, i.e. by the new KMS key version getting generated. It's just new data keys that would start to get encrypted with the new KMS key version.

If your customer wants their data to be re-encrypted in case of an incident that might have exposed their data keys, the data would have to be re-encrypted with new data keys, which themselves would be encrypted with the new KMS key version.

EXPERT
Leo K
answered 1 month ago
EXPERT
reviewed 1 month ago
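Leo K's point about envelope encryption is easy to demonstrate with a toy model: rotating the KMS key adds a new key version, but every wrapped data key already on disk still names the version that wrapped it, so old data decrypts exactly as before and a leaked data key keeps working until the data is re-encrypted under a fresh one. The script below is an added example, not from the answer or from AWS. `ToyKms` is a constructed in-memory imitation of KMS key versions and GenerateDataKey/Decrypt; the symmetric cipher is an HMAC-SHA256 keystream XOR used only so the script runs on the standard library, standing in for the AES-GCM a real system would use.

```python
"""Why rotating the KMS key does not re-protect already-encrypted data.

Added example (not from the re:Post answer). ToyKms imitates KMS key versions
and the GenerateDataKey/Decrypt pair; the cipher is a constructed HMAC-SHA256
keystream XOR, a stand-in for AES-GCM, not a production cipher.
"""
import hashlib
import hmac
import os
import struct


def _keystream_xor(key, nonce, data):
    """XOR data with HMAC(key, nonce||counter) blocks (toy stream cipher)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = struct.pack(">I", offset // 32)
        ks = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    return nonce + _keystream_xor(key, nonce, plaintext)


def decrypt(key, blob):
    return _keystream_xor(key, blob[:16], blob[16:])


class ToyKms:
    """Key material per version; rotation appends a version, it never rewraps anything."""

    def __init__(self):
        self.versions = [os.urandom(32)]

    @property
    def current_version(self):
        return len(self.versions) - 1

    def rotate(self):
        """Equivalent of an on-demand rotation: a new backing key version."""
        self.versions.append(os.urandom(32))

    def generate_data_key(self):
        """Return (plaintext data key, wrapped data key tagged with the wrapping version)."""
        plaintext = os.urandom(32)
        v = self.current_version
        wrapped = struct.pack(">I", v) + encrypt(self.versions[v], plaintext)
        return plaintext, wrapped

    def decrypt_data_key(self, wrapped):
        """Like KMS Decrypt: the blob says which version wrapped it, so old blobs keep working."""
        v = struct.unpack(">I", wrapped[:4])[0]
        return v, decrypt(self.versions[v], wrapped[4:])


def envelope_encrypt(kms, data):
    dk, wrapped = kms.generate_data_key()
    return {"wrapped_key": wrapped, "ciphertext": encrypt(dk, data)}


def envelope_decrypt(kms, record):
    _, dk = kms.decrypt_data_key(record["wrapped_key"])
    return decrypt(dk, record["ciphertext"])


def key_version_of(record):
    """Which KMS key version protects this record's data key."""
    return struct.unpack(">I", record["wrapped_key"][:4])[0]


def reencrypt(kms, record):
    """What incident response actually needs: a new data key under the current version."""
    return envelope_encrypt(kms, envelope_decrypt(kms, record))


if __name__ == "__main__":
    kms = ToyKms()
    rec = envelope_encrypt(kms, b"customer record")   # constructed sample data
    _, leaked_dk = kms.decrypt_data_key(rec["wrapped_key"])  # assume this data key leaked
    kms.rotate()
    print("version after rotation:", key_version_of(rec))              # still 0
    print("leaked key still works:", decrypt(leaked_dk, rec["ciphertext"]))
    new = reencrypt(kms, rec)
    print("re-encrypted under version:", key_version_of(new))          # 1
    print("leaked key vs new data:", decrypt(leaked_dk, new["ciphertext"]) == b"customer record")
```

The re-encryption step is the expensive part in practice (every object has to be read and rewritten), which is why the scope of a rotation requirement should be stated in terms of data keys and data, not only the KMS key.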
