KMS Key Rotation

0

IHAC who has an organizational requirement to rotate the KMS key every 6 months. Currently, they have auto-rotation enabled for a year. Additionally, in case of an incident they want to rotate the key immediately. Is this possible?

AWS
Asked 2 months ago, 150 views
2 answers
2
Accepted answer

As of May 2024, it is now possible to rotate customer-managed KMS keys (CMK) on demand through the Management Console or CLI (using the RotateKeyOnDemand API) in all regions. Keys that are not eligible for on-demand rotation include imported keys, asymmetric keys, HMAC keys, and keys generated in a CloudHSM custom key store. Amazon-managed KMS keys are automatically rotated every year and cannot be rotated on demand.

You can rotate a CMK on demand regardless of whether automatic key rotation is enabled. To rotate a key on demand from the Management Console:

  1. In your account, go to the Key Management Service console.
  2. Select the alias of the CMK you’d like to rotate.
  3. Select Key Rotation.
  4. In On-Demand Key Rotation, click Rotate Now.

To ensure that a key rotation is successful, view the Key Rotation History panel for all past completed key rotations.

Each CMK has a lifetime maximum of 10 rotations. The number of remaining rotations is displayed under On-Demand Key Rotation. It is not currently possible to surpass this limit. To rotate a key on demand from the CLI, use the RotateKeyOnDemand API (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/rotate-key-on-demand.html):

aws kms rotate-key-on-demand --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

Use the GetKeyRotationStatus API to identify any in-progress on-demand rotations (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/get-key-rotation-status.html).

To ensure that a key rotation was performed successfully, use the ListKeyRotations API to list all completed on-demand rotations of a key (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/list-key-rotations.html).

AWS
Answered 2 months ago
Expert-reviewed 2 months ago
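As an added example, not code from the answer above or from AWS, the following POSIX shell script chains the three CLI calls the accepted answer names: it starts the on-demand rotation, polls GetKeyRotationStatus until no on-demand rotation is in progress, and counts completed ON_DEMAND entries in ListKeyRotations against the lifetime limit of 10. It assumes AWS CLI v2 with credentials allowed to call kms:RotateKeyOnDemand, kms:GetKeyRotationStatus and kms:ListKeyRotations, and that the response fields OnDemandRotationStartDate and RotationType are present as documented; the key ID is the placeholder from the answer, not a real key.

```shell
#!/bin/sh
# Added example: rotate a customer-managed KMS key on demand, wait for the
# rotation to complete, then verify it in the key's rotation history.
# Assumes AWS CLI v2 and suitable credentials; the key ID is a placeholder.
KEY_ID="${KEY_ID:-1234abcd-12ab-34cd-56ef-1234567890ab}"

# Start an on-demand rotation; prints the KeyId (ARN) returned by the API.
start_rotation() {
    aws kms rotate-key-on-demand --key-id "$1" --query 'KeyId' --output text
}

# Poll GetKeyRotationStatus until OnDemandRotationStartDate is absent
# (the CLI prints "None" for a missing field in text output), i.e. until
# no on-demand rotation is in progress. Returns 1 after $2 attempts.
wait_for_rotation() {
    key="$1"; tries="${2:-30}"
    while [ "$tries" -gt 0 ]; do
        started=$(aws kms get-key-rotation-status --key-id "$key" \
                      --query 'OnDemandRotationStartDate' --output text)
        [ "$started" = "None" ] && return 0
        tries=$((tries - 1)); sleep 2
    done
    return 1
}

# Count completed on-demand rotations recorded for the key.
count_on_demand_rotations() {
    aws kms list-key-rotations --key-id "$1" \
        --query "length(Rotations[?RotationType=='ON_DEMAND'])" --output text
}

# Remaining on-demand rotations out of the lifetime maximum of 10.
remaining_on_demand_rotations() {
    echo $((10 - $(count_on_demand_rotations "$1")))
}

# Usage: ./rotate.sh --run   (guarded so the functions can also be sourced)
if [ "${1:-}" = "--run" ]; then
    echo "Rotating $(start_rotation "$KEY_ID")"
    wait_for_rotation "$KEY_ID" || { echo "rotation still in progress"; exit 1; }
    echo "Completed on-demand rotations: $(count_on_demand_rotations "$KEY_ID")"
    echo "Remaining on-demand rotations: $(remaining_on_demand_rotations "$KEY_ID")"
fi
```

Run it once per incident; if remaining_on_demand_rotations reaches 0 the key has used its lifetime allowance and a new key would be needed.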
0

You can rotate the key any time you like, up to 10 times. The process is described in documentation: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-on-demand

On a side note, and perhaps on a topic you may know full well while your customer might know less about, I'm not sure how thoroughly your customer has thought their requirements through. If they have an incident on their side, it wouldn't be the KMS key primarily used for envelope encryption that would be exposed, in practice. It would conceivably be one or several of the data keys encrypted with the KMS key that could be compromised. The data keys previously used to encrypt data wouldn't be affected by the KMS key getting rotated, i.e. by the new KMS key version getting generated. It's just new data keys that would start to get encrypted with the new KMS key version.

If your customer wants their data to be re-encrypted in case of an incident that might have exposed their data keys, the data would have to be re-encrypted with new data keys, which themselves would be encrypted with the new KMS key version.

Expert
Leo K
Answered 2 months ago
Expert-reviewed 2 months ago
