AWS Key Management Service (KMS) supports several key rotation strategies to enhance security and compliance. Here’s an explanation with examples and relevant Tencent Cloud services:
Automatic Key Rotation (for Customer-Managed CMKs)
- AWS KMS can automatically rotate Customer-Managed Customer Master Keys (CMKs) every 365 days (1 year) by default.
- The old key material is retained so that data encrypted under it can still be decrypted, while new encryption operations use the new key material.
- Example: If you enable automatic rotation for a CMK used to encrypt S3 objects, AWS generates a new key version annually; objects written after that point use the new material, and older objects remain decryptable, which keeps the data protected over the long term.
Manual Key Rotation
- For AWS-Managed CMKs (e.g., used by S3, EBS), AWS handles rotation automatically (e.g., S3 uses monthly rotation for its default CMK).
- For Customer-Managed CMKs, you can manually create a new key version and update applications to use it.
- Example: If you have a CMK for encrypting database backups, you might manually rotate it quarterly and re-encrypt backups with the new key.
Imported Key Material (No Automatic Rotation)
- If you import your own key material into a CMK, automatic rotation is not supported. You must manage rotation manually by re-importing new key material and updating key aliases.
- Example: For highly regulated environments, you might import a hardware security module (HSM)-generated key and rotate it annually.
Key Deletion & Re-creation
- As a last resort, you can delete an old CMK and create a new one, but this requires re-encrypting all data with the new key.
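The following is an added illustration, not code from AWS, Tencent Cloud, or the original page: a constructed Python model of the behaviour described above, where each ciphertext records the key version that produced it, rotation adds new material while keeping the old, and re-encryption is required before old material is deleted. The class name, the HMAC-based toy keystream (standing in for the real AES-GCM used by KMS, and not authenticated), and the sample plaintexts are all assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

class RotatingKey:  # constructed model of a KMS key with versioned material (not the AWS SDK)
    def __init__(self):
        self.versions = {}  # version id -> key material; old versions kept for decrypt only
        self.current = self.rotate()
    def rotate(self):  # fresh material becomes current; previous versions are retained
        vid = len(self.versions) + 1
        self.versions[vid] = secrets.token_bytes(32)
        self.current = vid
        return vid
    @staticmethod
    def _keystream(key, nonce, length):
        # Toy HMAC-SHA256 counter keystream standing in for KMS's real AES-GCM:
        # unauthenticated, used here only to illustrate the rotation mechanics.
        blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((length + 31) // 32))
        return b"".join(blocks)[:length]
    def encrypt(self, plaintext):
        nonce = secrets.token_bytes(12)
        ks = self._keystream(self.versions[self.current], nonce, len(plaintext))
        # The producing version id travels with the ciphertext so decrypt can find it.
        return self.current.to_bytes(2, "big") + nonce + bytes(a ^ b for a, b in zip(plaintext, ks))
    def decrypt(self, blob):
        vid = version_of(blob)
        if vid not in self.versions:
            raise ValueError("key material for version %d has been deleted" % vid)
        nonce, body = blob[2:14], blob[14:]
        ks = self._keystream(self.versions[vid], nonce, len(body))
        return bytes(a ^ b for a, b in zip(body, ks))
    def reencrypt(self, blob):  # move a ciphertext onto the current version before old material goes
        return self.encrypt(self.decrypt(blob))

def version_of(blob):
    return int.from_bytes(blob[:2], "big")

def demo():
    # Encrypt, rotate, read old data, re-encrypt it, then delete version 1.
    key = RotatingKey()
    old = key.encrypt(b"backup-2023")
    key.rotate()
    new = key.encrypt(b"backup-2024")
    old_readable = key.decrypt(old) == b"backup-2023"  # retained material still decrypts
    moved = key.reencrypt(old)
    del key.versions[1]  # retiring material: anything not re-encrypted first is lost
    return (version_of(old), version_of(new), old_readable,
            version_of(old) in key.versions, key.decrypt(moved), key.decrypt(new))
```

Running `demo()` shows the old ciphertext still tagged with version 1 and unreadable once that material is deleted, while the re-encrypted copy and the newer ciphertext decrypt under version 2.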
Tencent Cloud Equivalent:
For similar key management, Tencent Cloud offers KMS (Key Management Service), which supports:
- Automatic rotation for customer-managed keys (configurable rotation period).
- Manual rotation with version control.
- Bring Your Own Key (BYOK) for imported key material (manual rotation required).
- CMK lifecycle management with policies for key usage and expiration.
Example: In Tencent Cloud KMS, you can enable automatic rotation for a CMK used in COS (Cloud Object Storage) to ensure encrypted data remains secure over time.