When a key is rotated by KMS, does that mean that all data previously encrypted with the key will be re-encrypted (i.e., decrypted with the expiring key and encrypted with the new key) automatically? Does this imply that KMS tracks where specific keys have been used and can handle the re-encryption automatically? Thanks!
The reason KMS encryption is a little more advanced and costly than S3 Managed Keys encryption is that, in addition to regularly rotating the master key to ensure security, it also places your key into an envelope key, which protects your key one step further. Audit trails are also supplied to help you see where your key has been used and how it has been accessed. So, in general, KMS can track keys and re-encrypt automatically, all because it is a little more advanced.
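A local simulation of the envelope-encryption and key-rotation mechanics discussed in the answer above, added here as an example; it is not code from the original post or from AWS. It stands in for KMS with a versioned master key held in memory (the key ID `alias/orders`, the wrapped-key format and all function names are assumptions made for the example), uses an HMAC-SHA256 construction as a toy substitute for AES-GCM so that it runs with the standard library only, and shows what rotation does to existing data: a data key wrapped under version 1 still unwraps after rotation because that version is retained, while moving it under the new version is a separate, explicit re-encrypt call. That is the same division of labour as AWS KMS's automatic rotation (old backing key material is kept for decryption) and its ReEncrypt API.

```python
import hashlib
import hmac
import secrets
import struct

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one wrapping key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a toy stand-in for AES-CTR, not for production.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag. aad is authenticated only."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")  # tampered or wrong key/version
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class MasterKey:
    """Simulated KMS key: one key ID whose backing material is versioned.

    rotate() adds a version and makes it current; older versions are kept so
    data keys wrapped under them remain decryptable. Nothing is re-encrypted
    by rotation itself (assumed model for this example)."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self.versions = {1: secrets.token_bytes(KEY_LEN)}
        self.current = 1

    def rotate(self) -> int:
        self.current += 1
        self.versions[self.current] = secrets.token_bytes(KEY_LEN)
        return self.current

    def _wrap(self, data_key: bytes) -> bytes:
        # Wrapped format (assumed): 2-byte version || AEAD blob, key ID bound as AAD.
        blob = aead_encrypt(self.versions[self.current], data_key, aad=self.key_id.encode())
        return struct.pack(">H", self.current) + blob

    def generate_data_key(self) -> tuple[bytes, bytes]:
        data_key = secrets.token_bytes(KEY_LEN)
        return data_key, self._wrap(data_key)

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        (version,) = struct.unpack(">H", wrapped[:2])
        if version not in self.versions:
            raise KeyError(f"{self.key_id}: no backing material for version {version}")
        return aead_decrypt(self.versions[version], wrapped[2:], aad=self.key_id.encode())

    def re_encrypt_data_key(self, wrapped: bytes) -> bytes:
        """Explicit step: unwrap under whichever version wrapped it, rewrap under current."""
        return self._wrap(self.decrypt_data_key(wrapped))


def wrapped_version(wrapped: bytes) -> int:
    return struct.unpack(">H", wrapped[:2])[0]


def envelope_encrypt(master: MasterKey, plaintext: bytes) -> dict:
    data_key, wrapped = master.generate_data_key()
    record = {"key_id": master.key_id, "wrapped_key": wrapped,
              "ciphertext": aead_encrypt(data_key, plaintext)}
    del data_key  # plaintext data key lives only as long as the operation
    return record


def envelope_decrypt(master: MasterKey, record: dict) -> bytes:
    return aead_decrypt(master.decrypt_data_key(record["wrapped_key"]), record["ciphertext"])


def re_encrypt_record(master: MasterKey, record: dict) -> dict:
    # Only the small wrapped data key is rewrapped; the bulk ciphertext is untouched.
    return dict(record, wrapped_key=master.re_encrypt_data_key(record["wrapped_key"]))


if __name__ == "__main__":
    master = MasterKey("alias/orders")  # assumed key ID
    rec = envelope_encrypt(master, b"customer record")  # constructed sample plaintext
    master.rotate()
    print("old record still decrypts after rotation:", envelope_decrypt(master, rec))
    print("wrapped under version", wrapped_version(rec["wrapped_key"]), "->",
          wrapped_version(re_encrypt_record(master, rec)["wrapped_key"]))
```

Two things to take from running it: rotation on its own changes nothing about stored records (the version byte in each wrapped key still says 1, and decryption works because version 1 is retained), and finding every record that should be moved to the new version is the caller's job, since the master key only ever sees wrapped data keys, not where they were stored. The tamper check in `aead_decrypt` also shows why the key ID is bound as associated data: a wrapped key presented under the wrong key ID fails authentication instead of silently unwrapping.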