As of May 2024, it is now possible to rotate customer-managed KMS keys (CMK) on demand through the Management Console or CLI (using the RotateKeyOnDemand API) in all regions. Keys that are not eligible for on-demand rotation include imported keys, asymmetric keys, HMAC keys, and keys generated in a CloudHSM custom key store. Amazon-managed KMS keys are automatically rotated every year and cannot be rotated on demand.
You can rotate a CMK on demand regardless of whether automatic key rotation is enabled. To rotate a key on demand from the Management Console:
- In your account, go to the Key Management Service console.
- Select the alias of the CMK key you’d like to rotate.
- Select Key Rotation.
- In On-Demand Key Rotation, click Rotate Now.
To ensure that a key rotation is successful, view the Key Rotation History panel for all past completed key rotations.
Each CMK has a lifetime maximum of 10 rotations. The number of remaining rotations is displayed under On-Demand Key Rotation. It is not currently possible to surpass this limit. To rotate a key on demand from CLI, use the RotateKeyOnDemand API (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/rotate-key-on-demand.html)
aws kms rotate-key-on-demand \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
Use the GetKeyRotationStatus API to identify any in-progress on-demand rotations (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/get-key-rotation-status.html)
To ensure that a key rotation was performed successfully, use the ListKeyRotations API to list all completed on-demand rotations of a key (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/list-key-rotations.html)
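The following is an added example, not code from the answer above or from AWS: it takes the JSON printed by `aws kms get-key-rotation-status` and `aws kms list-key-rotations` and reports whether an on-demand rotation is still running, whether one completed after the RotateKeyOnDemand request was issued, and how many of the 10 lifetime on-demand rotations remain. Field names follow the public KMS API reference; the SAMPLE_* responses are constructed for this example, and the `rotate_and_verify` live path assumes a configured AWS CLI with `kms:RotateKeyOnDemand`, `kms:GetKeyRotationStatus` and `kms:ListKeyRotations` permissions.

```python
"""Verify a RotateKeyOnDemand request against the KMS rotation status APIs."""
import json
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

ON_DEMAND_LIFETIME_LIMIT = 10  # lifetime cap of on-demand rotations per KMS key


@dataclass(frozen=True)
class RotationReport:
    in_progress: bool              # an on-demand rotation is still running
    completed_since_request: bool  # an ON_DEMAND entry dated at/after our request
    on_demand_used: int
    on_demand_remaining: int
    latest_rotation: Optional[datetime]


def _ts(value: str) -> datetime:
    # The CLI prints timestamps as ISO 8601 with an explicit UTC offset.
    return datetime.fromisoformat(value)


def check_on_demand_rotation(status: dict, rotations: dict, requested_at: datetime) -> RotationReport:
    """Combine GetKeyRotationStatus and ListKeyRotations output into one verdict."""
    if rotations.get("Truncated"):
        # A truncated page undercounts rotations; fetch the remaining pages
        # (--starting-token) before trusting the remaining-rotation figure.
        raise ValueError("ListKeyRotations response is truncated; fetch all pages first")
    entries = rotations.get("Rotations", [])
    on_demand = [r for r in entries if r.get("RotationType") == "ON_DEMAND"]
    all_dates = sorted(_ts(r["RotationDate"]) for r in entries)
    od_dates = [_ts(r["RotationDate"]) for r in on_demand]
    return RotationReport(
        # OnDemandRotationStartDate is only returned while an on-demand rotation is running.
        in_progress="OnDemandRotationStartDate" in status,
        completed_since_request=any(d >= requested_at for d in od_dates),
        on_demand_used=len(on_demand),
        on_demand_remaining=max(0, ON_DEMAND_LIFETIME_LIMIT - len(on_demand)),
        latest_rotation=all_dates[-1] if all_dates else None,
    )


def _aws_json(*args: str) -> dict:
    # Live helper: runs the AWS CLI and parses its JSON output (needs credentials).
    proc = subprocess.run(["aws", "kms", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def rotate_and_verify(key_id: str) -> RotationReport:
    """Request an on-demand rotation, then read back status and history (live path)."""
    requested_at = datetime.now(timezone.utc)
    _aws_json("rotate-key-on-demand", "--key-id", key_id)
    status = _aws_json("get-key-rotation-status", "--key-id", key_id)
    rotations = _aws_json("list-key-rotations", "--key-id", key_id)
    return check_on_demand_rotation(status, rotations, requested_at)


# Constructed sample responses (shapes follow the API reference; values are made up).
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_STATUS_DONE = {
    "KeyRotationEnabled": True, "KeyId": KEY_ID,
    "RotationPeriodInDays": 365, "NextRotationDate": "2025-03-01T00:00:00+00:00",
}
SAMPLE_STATUS_RUNNING = dict(SAMPLE_STATUS_DONE,
                             OnDemandRotationStartDate="2024-06-01T08:00:00+00:00")
SAMPLE_ROTATIONS = {
    "Rotations": [
        {"KeyId": KEY_ID, "RotationDate": "2024-03-01T00:00:00+00:00", "RotationType": "AUTOMATIC"},
        {"KeyId": KEY_ID, "RotationDate": "2024-05-15T10:00:00+00:00", "RotationType": "ON_DEMAND"},
        {"KeyId": KEY_ID, "RotationDate": "2024-05-20T09:15:00+00:00", "RotationType": "ON_DEMAND"},
    ],
    "Truncated": False,
}
SAMPLE_TRUNCATED = dict(SAMPLE_ROTATIONS, Truncated=True)
REQUESTED_AT_DONE = datetime(2024, 5, 20, 9, 0, tzinfo=timezone.utc)
REQUESTED_AT_RUNNING = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_on_demand_rotation(SAMPLE_STATUS_DONE, SAMPLE_ROTATIONS, REQUESTED_AT_DONE))
```

Note that only `RotationType == "ON_DEMAND"` entries count toward the lifetime limit; automatic yearly rotations appear in the same list and are deliberately excluded from the remaining-rotation figure.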
You can rotate the key any time you like, up to 10 times. The process is described in documentation: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-on-demand
On a side note and perhaps on a topic you may know full well, while your customer might know less about, I'm not sure how thoroughly your customer has thought their requirements through. If they have an incident on their side, it wouldn't be the KMS key primarily used for envelope encryption that would be exposed, in practice. It would conceivably be one or several of the data keys encrypted with the KMS key that could be compromised. The data keys previously used to encrypt data wouldn't be affected by the KMS key getting rotated, i.e. by the new KMS key version getting generated. It's just new data keys that would start to get encrypted with the new KMS key version.
If your customer wants their data to be re-encrypted in case of an incident that might have exposed their data keys, the data would have to be re-encrypted with new data keys, which themselves would be encrypted with the new KMS key version.
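The following is an added example illustrating the point made in the answer above; it is not code from the answer or from AWS. It models a KMS key as a list of backing-key versions and shows that rotating the KMS key only affects data keys wrapped afterwards, while existing records stay wrapped under the old version and still decrypt, so remediating an exposed data key requires re-encrypting the data under a fresh data key. The `ToyKms` class and the HMAC-SHA256 keystream cipher are stand-ins invented for this example (unauthenticated, not a real cipher) and must not be used to protect real data.

```python
"""Toy model of envelope encryption under a rotating KMS key (illustration only)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy keystream: HMAC-SHA256(key, nonce || counter) blocks XORed over the data.
    # No authentication; exists only to make key versions observable.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass(frozen=True)
class WrappedDataKey:
    kms_key_version: int  # which backing-key version wrapped this data key
    nonce: bytes
    ciphertext: bytes


class ToyKms:
    """One customer-managed key holding every backing-key version ever generated."""

    def __init__(self) -> None:
        self._versions = [os.urandom(32)]  # version 1 is current at creation

    @property
    def current_version(self) -> int:
        return len(self._versions)

    def rotate_on_demand(self) -> int:
        # Rotation appends new material; old versions are retained so that
        # anything already wrapped keeps decrypting. Nothing is re-wrapped.
        self._versions.append(os.urandom(32))
        return self.current_version

    def generate_data_key(self):
        # Like GenerateDataKey: returns the plaintext data key and a copy
        # wrapped under the *current* version only.
        data_key = os.urandom(32)
        nonce = os.urandom(16)
        material = self._versions[self.current_version - 1]
        wrapped = WrappedDataKey(self.current_version, nonce, _xor_stream(material, nonce, data_key))
        return data_key, wrapped

    def decrypt_data_key(self, wrapped: WrappedDataKey) -> bytes:
        # The wrapped blob records which version to use, so old blobs still open.
        material = self._versions[wrapped.kms_key_version - 1]
        return _xor_stream(material, wrapped.nonce, wrapped.ciphertext)


@dataclass(frozen=True)
class EnvelopeRecord:
    wrapped_key: WrappedDataKey
    nonce: bytes
    ciphertext: bytes


def encrypt_record(kms: ToyKms, plaintext: bytes) -> EnvelopeRecord:
    data_key, wrapped = kms.generate_data_key()
    nonce = os.urandom(16)
    return EnvelopeRecord(wrapped, nonce, _xor_stream(data_key, nonce, plaintext))


def decrypt_record(kms: ToyKms, rec: EnvelopeRecord) -> bytes:
    data_key = kms.decrypt_data_key(rec.wrapped_key)
    return _xor_stream(data_key, rec.nonce, rec.ciphertext)


def reencrypt_record(kms: ToyKms, rec: EnvelopeRecord) -> EnvelopeRecord:
    # Remediation for a suspected data-key exposure: decrypt with the old data
    # key, then encrypt under a brand-new data key wrapped with the current
    # KMS key version. Rotating the KMS key alone never does this.
    return encrypt_record(kms, decrypt_record(kms, rec))


if __name__ == "__main__":
    kms = ToyKms()
    rec = encrypt_record(kms, b"customer record")
    kms.rotate_on_demand()
    print("old record still under version", rec.wrapped_key.kms_key_version)
    print("re-encrypted record under version", reencrypt_record(kms, rec).wrapped_key.kms_key_version)
```

After `rotate_on_demand()`, the original record's `kms_key_version` is unchanged and it still decrypts; only `reencrypt_record` moves it to a new data key wrapped under the new version, which is the operation the answer describes as necessary after an incident.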