How does CMK manual rotation work


I'm trying to understand how CMK manual rotation works and get it right.

As far as I understand from this article, https://repost.aws/knowledge-center/rotate-keys-customer-managed-kms,

  • manual rotation is basically creating a new key
  • and setting the alias if my applications are using it, or updating my applications to use the newly created key
  • keeping the old key so the applications can still decrypt the data that was encrypted with the old key

Does this mean the number of keys just keeps increasing at every rotation? For example, if I'm required to do the key rotation every 3 months, I have +4 keys every year?

If the case was DynamoDB client-side encryption, then to retire any old key, how does it go? Do I have to scan all items and do re-encryption to be able to finally retire and remove an old key?

loui
Asked a year ago, 337 views

1 answer

Accepted answer

Hello, your understanding of manual key rotation is correct. You might prefer to rotate keys manually so you can control the rotation frequency. The process of replacing one KMS key with another is known as manual key rotation. Use an alias to refer to a KMS key in your applications. Then, when you want to change the KMS key that the application uses, instead of editing your application code, change the target KMS key of the alias.

Deleting/retiring an AWS KMS key is destructive and potentially dangerous. After a KMS key is deleted, you can no longer decrypt the data that was encrypted under that KMS key, which means that data becomes unrecoverable. You should delete a KMS key only when you are sure that you don't need to use it anymore. So for DynamoDB tables, you need to encrypt the data with the new key before deleting the old key. This is to ensure that the old key is not used anywhere to encrypt.

Useful articles: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html

AWS
Answered a year ago
Expert
Reviewed 2 months ago
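The cycle described in the question and the answer (new key, repoint the alias, keep the old key for decrypts, re-encrypt stored items, and only then schedule deletion), as an added example that is not part of the question or the accepted answer. The rotation functions are written against the method names and response keys of boto3's KMS client (`create_key`, `update_alias`, `encrypt`, `decrypt`, `re_encrypt`, `schedule_key_deletion`). `KmsStandIn`, the alias name `alias/orders-cmk`, the toy XOR cipher and the `order-100x` items are constructed assumptions so the flow runs offline; swap in `boto3.client("kms")` and the rotation functions work unchanged.

```python
"""Manual CMK rotation, written against the boto3 KMS client API shape.

KmsStandIn is a constructed offline stand-in (same method names and response
keys as boto3's KMS client, toy XOR "encryption") so the flow runs without AWS.
"""
import hashlib
import os
import uuid

ALIAS = "alias/orders-cmk"  # assumed alias name for the example


class KmsStandIn:
    """Constructed stand-in for the subset of KMS used below; NOT boto3."""

    def __init__(self):
        self._keys = {}             # KeyId -> raw key bytes
        self._aliases = {}          # alias name -> KeyId
        self._pending_deletion = set()

    def create_key(self, **kwargs):
        key_id = str(uuid.uuid4())
        self._keys[key_id] = os.urandom(32)
        return {"KeyMetadata": {"KeyId": key_id, "KeyState": "Enabled"}}

    def create_alias(self, AliasName, TargetKeyId):
        self._aliases[AliasName] = TargetKeyId

    def update_alias(self, AliasName, TargetKeyId):
        self._aliases[AliasName] = TargetKeyId

    def _usable(self, key_id):
        key_id = self._aliases.get(key_id, key_id)   # resolve alias -> key id
        if key_id in self._pending_deletion:          # KMS refuses keys pending deletion
            raise RuntimeError(f"KMSInvalidStateException: {key_id} is PendingDeletion")
        return key_id

    def _xor(self, key_id, data):
        # Toy keystream standing in for the AES-GCM inside KMS; never use for real data.
        stream = hashlib.sha256(self._keys[key_id]).digest()
        return bytes(b ^ stream[i % 32] for i, b in enumerate(data))

    def encrypt(self, KeyId, Plaintext):
        key_id = self._usable(KeyId)
        # Like KMS, the ciphertext blob records which key produced it.
        return {"CiphertextBlob": key_id.encode() + b"|" + self._xor(key_id, Plaintext), "KeyId": key_id}

    def decrypt(self, CiphertextBlob, **kwargs):
        key_id, body = CiphertextBlob.split(b"|", 1)
        key_id = self._usable(key_id.decode())
        return {"Plaintext": self._xor(key_id, body), "KeyId": key_id}

    def re_encrypt(self, CiphertextBlob, DestinationKeyId, **kwargs):
        src = self.decrypt(CiphertextBlob=CiphertextBlob)   # plaintext stays inside "KMS"
        dst = self.encrypt(KeyId=DestinationKeyId, Plaintext=src["Plaintext"])
        return {"CiphertextBlob": dst["CiphertextBlob"], "SourceKeyId": src["KeyId"], "KeyId": dst["KeyId"]}

    def schedule_key_deletion(self, KeyId, PendingWindowInDays=30):
        self._pending_deletion.add(KeyId)
        return {"KeyId": KeyId, "KeyState": "PendingDeletion", "PendingWindowInDays": PendingWindowInDays}


def rotate_alias(kms, alias):
    """Manual rotation: create a new key and repoint the alias; the old key is kept."""
    new_key_id = kms.create_key(Description=f"manual rotation of {alias}")["KeyMetadata"]["KeyId"]
    kms.update_alias(AliasName=alias, TargetKeyId=new_key_id)
    return new_key_id


def encrypt_item(kms, alias, plaintext):
    """Application write path: address the key only through its alias, store the key id."""
    resp = kms.encrypt(KeyId=alias, Plaintext=plaintext)
    return {"ciphertext": resp["CiphertextBlob"], "key_id": resp["KeyId"]}


def reencrypt_under_alias(kms, items, alias, old_key_id):
    """Retirement scan: move every item still under old_key_id to the alias target."""
    moved = 0
    for item in items:
        if item["key_id"] == old_key_id:
            resp = kms.re_encrypt(CiphertextBlob=item["ciphertext"], DestinationKeyId=alias)
            item["ciphertext"], item["key_id"] = resp["CiphertextBlob"], resp["KeyId"]
            moved += 1
    return moved


def retire_key(kms, items, old_key_id, pending_days=30):
    """Refuse to schedule deletion while any stored item still references the key."""
    remaining = sum(1 for i in items if i["key_id"] == old_key_id)
    if remaining:
        raise RuntimeError(f"{remaining} item(s) still encrypted under {old_key_id}")
    return kms.schedule_key_deletion(KeyId=old_key_id, PendingWindowInDays=pending_days)


def demo(kms=None):
    """One rotation cycle: v1 in use, rotate to v2, re-encrypt, then retire v1."""
    kms = kms or KmsStandIn()
    v1 = kms.create_key()["KeyMetadata"]["KeyId"]
    kms.create_alias(AliasName=ALIAS, TargetKeyId=v1)
    items = [encrypt_item(kms, ALIAS, b"order-1001"), encrypt_item(kms, ALIAS, b"order-1002")]
    v2 = rotate_alias(kms, ALIAS)
    items.append(encrypt_item(kms, ALIAS, b"order-1003"))   # new writes land on v2
    stale_blob = items[0]["ciphertext"]                      # a copy still bound to v1
    blocked = False
    try:
        retire_key(kms, items, v1)                           # too early: v1 still referenced
    except RuntimeError:
        blocked = True
    moved = reencrypt_under_alias(kms, items, ALIAS, v1)
    state = retire_key(kms, items, v1)["KeyState"]
    try:
        kms.decrypt(CiphertextBlob=stale_blob)
        stale_readable = True
    except RuntimeError:
        stale_readable = False                               # why the scan must be complete
    return {"v1": v1, "v2": v2, "items_under_v2": sum(i["key_id"] == v2 for i in items),
            "blocked_early": blocked, "moved": moved, "state": state,
            "stale_readable": stale_readable,
            "plaintexts": [kms.decrypt(CiphertextBlob=i["ciphertext"])["Plaintext"] for i in items]}


if __name__ == "__main__":
    print(demo())
```

Two points the example makes concrete: keys do accumulate (v1 is still needed until the scan finishes), and `ReEncrypt` lets you move ciphertext to the new key without the plaintext ever leaving KMS. With real KMS the `KeyId` in `Encrypt`/`Decrypt` responses is the key ARN, so record exactly what `Encrypt` returned with each item and compare against that when scanning. In envelope-encryption setups such as the DynamoDB Encryption Client, the KMS ciphertext you re-encrypt is the wrapped data key stored with the item rather than the item attribute itself.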
