Certified Security - Specialty


KMS Key Rotation

When a key is rotated by KMS, does that mean that all data previously encrypted with the key will be re-encrypted (i.e., decrypted with the expiring key and encrypted with the new key) automatically? Does this imply that KMS tracks where specific keys have been used and can handle the re-encryption automatically? Thanks!

1 Answer

The reason KMS encryption is a little more advanced and costly than S3 Managed Keys encryption is that in addition to regularly rotating the master key to ensure security, it also places your key into an envelope key, which protects your key one step further. Audit trails are also supplied to help you see where your key has been used and how it has been accessed. So, in general, the KMS can track keys and re-encrypt automatically, all because it is a little more advanced.

wcatlan

Thanks for your reply! So, is the rotation limited to just the master key? Does that imply that just the data keys get re-encrypted upon rotation of the master key (i.e., data keys don't get rotated and hence their data is not re-encrypted)?
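As an added example (not code from this thread, the course, or AWS), the following Go program simulates the envelope-encryption model the answer refers to, with a hypothetical in-memory `SimKMS` standing in for the service and AES-GCM doing the wrapping. Each rotation adds a new master key version that is used for future data-key wraps, while the earlier versions are retained so that data keys wrapped under them can still be unwrapped. Stored objects keep their original wrapped data key and ciphertext; moving a wrapped key under the current version only happens when the caller explicitly invokes `ReWrap`. The one-byte version tag on wrapped blobs and the `SimKMS` type are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SimKMS is a hypothetical in-memory stand-in for a master key with
// rotation enabled. Each rotation appends fresh backing material; older
// versions are kept so their wrapped data keys remain recoverable.
type SimKMS struct {
	versions [][]byte // versions[i] is the 32-byte backing key for version i+1
	current  int      // 1-based version used for new wraps
}

// mustRandom returns n cryptographically random bytes or panics.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewSimKMS() *SimKMS {
	k := &SimKMS{}
	k.Rotate()
	return k
}

// Rotate adds a new backing key and makes it current; nothing wrapped under
// earlier versions is rewritten.
func (k *SimKMS) Rotate() int {
	k.versions = append(k.versions, mustRandom(32))
	k.current = len(k.versions)
	return k.current
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal returns nonce || AES-GCM(key, nonce, plaintext).
func seal(key, plaintext []byte) []byte {
	g := gcmFor(key)
	nonce := mustRandom(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, nil)...)
}

func open(key, blob []byte) ([]byte, error) {
	g := gcmFor(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// GenerateDataKey returns a fresh 256-bit data key in the clear and the same
// key wrapped under the current master version, tagged with that version.
func (k *SimKMS) GenerateDataKey() (plain, wrapped []byte) {
	plain = mustRandom(32)
	wrapped = append([]byte{byte(k.current)}, seal(k.versions[k.current-1], plain)...)
	return plain, wrapped
}

// Unwrap recovers a data key using whichever master version wrapped it.
func (k *SimKMS) Unwrap(wrapped []byte) ([]byte, error) {
	if len(wrapped) < 1 {
		return nil, errors.New("empty wrap")
	}
	v := int(wrapped[0])
	if v < 1 || v > len(k.versions) {
		return nil, errors.New("unknown master key version")
	}
	return open(k.versions[v-1], wrapped[1:])
}

// WrappedVersion reports which master version a wrapped data key uses.
func WrappedVersion(wrapped []byte) int { return int(wrapped[0]) }

// ReWrap is the explicit, caller-initiated step that moves a wrapped data key
// under the current master version. The data ciphertext itself is unchanged.
func (k *SimKMS) ReWrap(wrapped []byte) ([]byte, error) {
	plain, err := k.Unwrap(wrapped)
	if err != nil {
		return nil, err
	}
	return append([]byte{byte(k.current)}, seal(k.versions[k.current-1], plain)...), nil
}

// EnvelopeObject is what a client stores: data ciphertext plus the wrapped
// data key beside it. The master key never touches the object's bytes.
type EnvelopeObject struct {
	WrappedKey []byte
	Ciphertext []byte
}

func EnvelopeEncrypt(k *SimKMS, plaintext []byte) EnvelopeObject {
	dk, wrapped := k.GenerateDataKey()
	return EnvelopeObject{WrappedKey: wrapped, Ciphertext: seal(dk, plaintext)}
}

func EnvelopeDecrypt(k *SimKMS, obj EnvelopeObject) ([]byte, error) {
	dk, err := k.Unwrap(obj.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dk, obj.Ciphertext)
}

func main() {
	kms := NewSimKMS()
	before := EnvelopeEncrypt(kms, []byte("constructed sample: written before rotation"))
	kms.Rotate()
	after := EnvelopeEncrypt(kms, []byte("constructed sample: written after rotation"))
	for _, o := range []EnvelopeObject{before, after} {
		pt, err := EnvelopeDecrypt(kms, o)
		fmt.Printf("wrapped under version %d -> %q err=%v\n", WrappedVersion(o.WrappedKey), pt, err)
	}
}
```

Running the program shows the first object still tagged with version 1 and the second with version 2, both decrypting cleanly; an audit of stored wrap versions is the practical way to find objects that have not yet been re-wrapped after a rotation.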
