First part: plain information
The private information never comes out of the KMS service. It is described in the KMS FAQs; look for "Q: Can symmetric KMS keys be exported out of the service in plain text?"
Second part: rotation
KMS key rotation is optional but recommended.
Rotating a KMS key does not rotate the data keys that the KMS key generated or re-encrypt any data protected by the KMS key, and it will not mitigate the effect of a compromised data key. (Actual mitigation would involve re-encrypting the data with newly acquired data keys).
When you use a rotated KMS key to encrypt data, AWS KMS uses the current key material. When you use the rotated KMS key to decrypt ciphertext, AWS KMS uses the version of the key material that was used to encrypt it. You cannot request a particular version of the key material. Because AWS KMS transparently decrypts with the appropriate key material, you can safely use a rotated KMS key in applications and AWS services without code changes.
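The rotation behaviour the answer describes (ciphertext tagged with the key-material version, decrypt picking that version transparently, rotation leaving already-wrapped data keys untouched, and re-encryption as the actual remediation) can be seen in a self-contained simulation. This is an added example, not code from the answer above or from AWS: `ToyKmsKey`, `_keystream_xor`, `envelope_encrypt` and `rotation_walkthrough` are hypothetical names, and the HMAC-based stream cipher is a standard-library stand-in for what a real KMS does with AES-GCM, with no authentication, so it is for illustration only. The sample record is constructed.

```python
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 keystream in counter mode.

    Stand-in for the real service's AES-GCM; unauthenticated, illustration only.
    """
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


class ToyKmsKey:
    """Simulates one symmetric KMS key whose backing key material is versioned.

    The key material list is private and only ever used inside encrypt/decrypt,
    mirroring the point that plaintext key material never leaves the service.
    """

    def __init__(self) -> None:
        self._versions = [os.urandom(32)]  # version 0: original backing key material

    @property
    def current_version(self) -> int:
        return len(self._versions) - 1

    def rotate(self) -> None:
        # Rotation only adds new backing material; nothing already encrypted changes.
        self._versions.append(os.urandom(32))

    def encrypt(self, plaintext: bytes) -> bytes:
        # Encrypt always uses the current material; the version id is written into the header.
        v = self.current_version
        nonce = os.urandom(16)
        return v.to_bytes(2, "big") + nonce + _keystream_xor(self._versions[v], nonce, plaintext)

    def decrypt(self, ciphertext: bytes) -> bytes:
        # The caller cannot choose a version: it is read from the header, as the service does transparently.
        v = int.from_bytes(ciphertext[:2], "big")
        nonce = ciphertext[2:18]
        return _keystream_xor(self._versions[v], nonce, ciphertext[18:])

    def generate_data_key(self) -> tuple[bytes, bytes]:
        # Like GenerateDataKey: returns the plaintext data key and the same key wrapped under the KMS key.
        data_key = os.urandom(32)
        return data_key, self.encrypt(data_key)


def version_of(ciphertext: bytes) -> int:
    """Which key-material version a (toy) KMS ciphertext was produced under."""
    return int.from_bytes(ciphertext[:2], "big")


def envelope_encrypt(kms: ToyKmsKey, plaintext: bytes) -> dict:
    """Envelope encryption: data is encrypted under a data key; only the wrapped data key is stored."""
    data_key, wrapped = kms.generate_data_key()
    nonce = os.urandom(16)
    return {"encrypted_data_key": wrapped, "nonce": nonce, "body": _keystream_xor(data_key, nonce, plaintext)}


def envelope_decrypt(kms: ToyKmsKey, record: dict) -> bytes:
    data_key = kms.decrypt(record["encrypted_data_key"])
    return _keystream_xor(data_key, record["nonce"], record["body"])


def rotation_walkthrough() -> dict:
    """Rotate the KMS key and report what did and did not change for an existing record."""
    kms = ToyKmsKey()
    secret = b"constructed sample record"      # constructed sample input
    record = envelope_encrypt(kms, secret)
    before = version_of(record["encrypted_data_key"])

    kms.rotate()
    # The stored record is untouched: its data key is still wrapped under version 0 ...
    after_rotation = version_of(record["encrypted_data_key"])
    # ... yet it still decrypts, because decrypt selects the old material from the header.
    still_decrypts = envelope_decrypt(kms, record) == secret
    # New encrypt calls use the current (rotated) material.
    new_encrypt_version = version_of(kms.encrypt(b"anything"))
    # Actual mitigation for a compromised data key: obtain a fresh data key and re-encrypt the data.
    rewrapped = envelope_encrypt(kms, envelope_decrypt(kms, record))

    return {
        "before": before,
        "after_rotation": after_rotation,
        "still_decrypts": still_decrypts,
        "new_encrypt_version": new_encrypt_version,
        "rewrapped_version": version_of(rewrapped["encrypted_data_key"]),
        "rewrapped_decrypts": envelope_decrypt(kms, rewrapped) == secret,
    }


if __name__ == "__main__":
    for name, value in rotation_walkthrough().items():
        print(f"{name}: {value}")
```

The walkthrough shows the two halves of the answer side by side: after `rotate()` the old record's wrapped data key still carries version 0 and still decrypts, while only newly produced ciphertext (and the deliberately re-wrapped copy) moves to version 1. If a data key had leaked, the record under version 0 would remain readable with that leaked key regardless of rotation; only the re-encryption step closes that exposure.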