KMS Key Rotation


IHAC who has an organizational requirement to rotate the KMS key every 6 months. Currently, they have auto-rotation enabled for a year. Additionally, in case of an incident they want to rotate the key immediately. Is this possible?

AWS
Asked 2 months ago, 150 views
2 answers

Accepted answer

As of May 2024, it is now possible to rotate customer-managed KMS keys (CMK) on demand through the Management Console or CLI (using the RotateKeyOnDemand API) in all regions. Keys that are not eligible for on-demand rotation include imported keys, asymmetric keys, HMAC keys, and keys generated in a CloudHSM custom key store. Amazon-managed KMS keys are automatically rotated every year and cannot be rotated on-demand.

You can rotate a CMK on demand regardless of whether automatic key rotation is enabled. To rotate a key on demand from the Management Console:

  1. In your account, go to the Key Management Service console.
  2. Select the alias of the CMK key you’d like to rotate.
  3. Select Key Rotation.
  4. In On-Demand Key Rotation, click Rotate Now.

To ensure that a key rotation is successful, view the Key Rotation History panel for all past completed key rotations.

Each CMK has a lifetime maximum of 10 rotations. The number of remaining rotations is displayed under On-Demand Key Rotation. It is not currently possible to surpass this limit. To rotate a key on demand from the CLI, use the RotateKeyOnDemand API (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/rotate-key-on-demand.html):

aws kms rotate-key-on-demand --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

Use the GetKeyRotationStatus API to identify any in-progress on-demand rotations (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/get-key-rotation-status.html).

To ensure that a key rotation was performed successfully, use the ListKeyRotations API to list all completed on-demand rotations of a key (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/list-key-rotations.html).
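The checks this answer describes (GetKeyRotationStatus for an in-progress on-demand rotation, ListKeyRotations for completed ones, and the 10-rotation lifetime limit), turned into a small compliance check against the customer's 6-month requirement. This is an added Python example, not code from the thread or from AWS. It runs over constructed dictionaries shaped like the two API responses; the field names (KeyRotationEnabled, RotationPeriodInDays, OnDemandRotationStartDate, Rotations[].RotationDate, Rotations[].RotationType) are assumed to match the boto3 response shape, the 180-day policy is a sample value, and the key ID is the documentation placeholder used in the thread.

```python
"""Assess a KMS key's rotation posture from GetKeyRotationStatus and
ListKeyRotations output (added example; response shapes are assumed)."""
from datetime import datetime, timezone

MAX_ON_DEMAND_ROTATIONS = 10   # lifetime limit per KMS key, as stated in the answer
POLICY_MAX_AGE_DAYS = 180      # the customer's 6-month requirement (sample value)

# Constructed sample responses. With boto3 these dates arrive as datetime objects;
# with `aws kms ... --output json` they arrive as ISO-8601 strings (handled below).
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"   # documentation placeholder
ROTATION_STATUS = {
    "KeyId": KEY_ID,
    "KeyRotationEnabled": True,
    "RotationPeriodInDays": 365,
    "NextRotationDate": datetime(2025, 3, 1, tzinfo=timezone.utc),
    # "OnDemandRotationStartDate" is present only while an on-demand rotation runs
}
KEY_ROTATIONS = {
    "Rotations": [
        {"KeyId": KEY_ID, "RotationDate": "2023-03-01T00:00:00Z", "RotationType": "AUTOMATIC"},
        {"KeyId": KEY_ID, "RotationDate": datetime(2024, 3, 1, tzinfo=timezone.utc), "RotationType": "AUTOMATIC"},
        {"KeyId": KEY_ID, "RotationDate": datetime(2024, 5, 20, tzinfo=timezone.utc), "RotationType": "ON_DEMAND"},
    ]
}


def as_datetime(value):
    """Accept either a datetime (boto3) or an ISO-8601 string (CLI JSON)."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rotation_in_progress(status):
    """GetKeyRotationStatus reports a start date only while an on-demand rotation is running."""
    return "OnDemandRotationStartDate" in status


def on_demand_rotations_remaining(rotations):
    """Count ON_DEMAND entries in ListKeyRotations against the lifetime limit of 10."""
    used = sum(1 for r in rotations["Rotations"] if r["RotationType"] == "ON_DEMAND")
    return MAX_ON_DEMAND_ROTATIONS - used


def days_since_last_rotation(rotations, now):
    """Age of the newest key material, from any rotation type; None if never rotated."""
    dates = [as_datetime(r["RotationDate"]) for r in rotations["Rotations"]]
    return (now - max(dates)).days if dates else None


def assess(status, rotations, now, max_age_days=POLICY_MAX_AGE_DAYS):
    """Return findings a reviewer would want: is the key within policy, can it still
    be rotated on demand, and will automatic rotation alone keep it in policy."""
    age = days_since_last_rotation(rotations, now)
    period = status.get("RotationPeriodInDays")
    return {
        "key_id": status["KeyId"],
        "auto_rotation_enabled": bool(status.get("KeyRotationEnabled", False)),
        "auto_rotation_period_days": period,
        # an automatic period longer than the policy window means the key drifts
        # out of policy unless someone rotates it on demand in between
        "auto_period_exceeds_policy": period is not None and period > max_age_days,
        "days_since_last_rotation": age,
        "within_policy": age is not None and age <= max_age_days,
        "on_demand_rotation_in_progress": rotation_in_progress(status),
        "on_demand_rotations_remaining": on_demand_rotations_remaining(rotations),
    }


if __name__ == "__main__":
    for k, v in assess(ROTATION_STATUS, KEY_ROTATIONS, datetime.now(timezone.utc)).items():
        print(f"{k}: {v}")
```

To run this against a real key, replace the two constructed dictionaries with the parsed output of `aws kms get-key-rotation-status --key-id ...` and `aws kms list-key-rotations --key-id ...` (or the equivalent boto3 calls); the `auto_period_exceeds_policy` finding is the one that flags the situation in the question, where automatic rotation is set to a year but the policy demands six months.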

AWS
Answered 2 months ago
Expert
Reviewed 2 months ago

You can rotate the key any time you like, up to 10 times. The process is described in documentation: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-on-demand

On a side note and perhaps on a topic you may know full well, while your customer might know less about, I'm not sure how thoroughly your customer has thought their requirements through. If they have an incident on their side, it wouldn't be the KMS key primarily used for envelope encryption that would be exposed, in practice. It would conceivably be one or several of the data keys encrypted with the KMS key that could be compromised. The data keys previously used to encrypt data wouldn't be affected by the KMS key getting rotated, i.e. by the new KMS key version getting generated. It's just new data keys that would start to get encrypted with the new KMS key version.

If your customer wants their data to be re-encrypted in case of an incident that might have exposed their data keys, the data would have to be re-encrypted with new data keys, which themselves would be encrypted with the new KMS key version.

Expert
Leo K
Answered 2 months ago
Expert
Reviewed 2 months ago
