I am planning to use KMS keys for encryption of my EBS volume. I am also going to enable the one-year rotation of keys. My doubt is regarding the AWS-suggested approach in case:
1) The CMK gets compromised.
Is it really a cause for concern? Is it possible in the first place?
2) The volume encryption key (or Data Key) for my volume gets compromised.
I guess the option would be to re-encrypt the volume. The options there are:
a) CHANGE THE CMK ITSELF: Volume snapshot –> Copy snapshot with a different CMK –> attach it back. Is there any straightforward way to re-encrypt the EBS volume with the new key?
b) CHANGE THE VOLUME ENCRYPTION KEY: Is there an option to rotate the EBS volume encryption key and re-encrypt the entire volume with that rotated volume encryption key so that the attack is mitigated? Here the CMK need not be changed or rotated as in option (a).
3) When the CMK is lost due to some highly unlikely incident.
Is multi-region storage of the keys the answer?
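The snapshot –> copy-with-new-CMK –> new-volume sequence from option (a), written out as an added example (not code from the original post) using boto3; the EC2 client is injected so the steps can be checked against a stub without an AWS account, and the region, volume id and key ARN in the `__main__` block are placeholders.

```python
"""Re-encrypt an EBS volume under a different KMS key (option (a) above):
snapshot -> copy snapshot with the new key -> create a volume from the copy.
Added example, not from the original post. Assumes boto3 and IAM rights for
ec2:CreateSnapshot, ec2:CopySnapshot, ec2:CreateVolume, ec2:DescribeVolumes
and KMS usage on both the old and the new key."""


def reencrypt_volume(ec2, volume_id, new_kms_key_id, region, delete_temp_snapshots=False):
    """Return the id of a new volume whose data key is wrapped by new_kms_key_id.

    The original volume is not touched: detaching it and attaching the new one
    (stop the instance first for a root volume) stays a separate step."""
    # 1. Snapshot the volume; this snapshot is still encrypted under the old CMK.
    src = ec2.create_snapshot(VolumeId=volume_id,
                              Description="re-encryption source")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[src])

    # 2. Copy it. Encrypted=True together with KmsKeyId makes EBS generate a
    #    fresh data key wrapped by the new CMK, so the copy no longer depends
    #    on the old CMK at all.
    dst = ec2.copy_snapshot(SourceSnapshotId=src, SourceRegion=region,
                            Encrypted=True, KmsKeyId=new_kms_key_id,
                            Description="re-encrypted copy")["SnapshotId"]
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[dst])

    # 3. Build the replacement volume in the same AZ and of the same type
    #    (io1/io2 volumes require an explicit Iops value).
    vol = ec2.describe_volumes(VolumeIds=[volume_id])["Volumes"][0]
    extra = {"Iops": vol["Iops"]} if vol["VolumeType"] in ("io1", "io2") else {}
    new_vol = ec2.create_volume(AvailabilityZone=vol["AvailabilityZone"],
                                SnapshotId=dst, VolumeType=vol["VolumeType"],
                                Encrypted=True, KmsKeyId=new_kms_key_id,
                                **extra)["VolumeId"]
    ec2.get_waiter("volume_available").wait(VolumeIds=[new_vol])

    # 4. The source snapshot is still readable with the old CMK; if that key
    #    is the one you distrust, remove the intermediates once the new volume
    #    exists.
    if delete_temp_snapshots:
        for snap in (src, dst):
            ec2.delete_snapshot(SnapshotId=snap)
    return new_vol


if __name__ == "__main__":
    import boto3  # real run against AWS; all three values below are placeholders
    REGION, VOLUME_ID = "us-east-1", "vol-0123456789abcdef0"
    KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    print(reencrypt_volume(boto3.client("ec2", region_name=REGION), VOLUME_ID, KEY_ARN, REGION))
```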