Certified Security - Specialty

Sign Up Free or Log In to participate!

Manual KMS CMK rotation

If I understood correctly, either if you want to rotate a CMK with KMS imported key material (<1year) or if you want to rotate a CMK with customer imported key material, you have to create a new CMK following this process: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually

Initial Status: CMK1 with aliasA + apps using aliasA

Step1: Create new CMK2 with new key material

Step2: Update CMK2 to be linked to aliasA

According to the doc:

"When you begin using the new CMK, be sure to keep the original CMK enabled so that AWS KMS can decrypt data that the original CMK encrypted. When decrypting data, KMS identifies the CMK that was used to encrypt the data, and it uses the same CMK to decrypt the data. As long as you keep both the original and new CMKs enabled, AWS KMS can decrypt any data that was encrypted by either CMK."

How is this possible if CMK1 and CMK2 are different resources? Does this apply to both cases: KMS key material and customer key material?


1 Answers

KMS knows which CMK key ID it used to encrypt a file, so it will try to use the same key ID to decrypt the file. That is why you need to keep the original CMK in an active state if you want to be able to decrypt files that were encrypted using this key, and KMS will know which key to use. This applies to Customer managed CMKs with AWS provided key material a well as CMKs with imported key material.

The use of a key alias is completely optional, each CMK can have multiple aliases, but each alias points to only one CMK : https://docs.aws.amazon.com/kms/latest/developerguide/programming-aliases.html

I’m not sure if this answers your question, so please let me know if it doesn’t!



It helped, thanks! I think they key is to understand that when performing a Decrypt operation with KMS, you send the encrypted data key (that was used to encrypt the object), but you don´t specify anything related the CMK. It is up to KMS to detect the CMK that was used based on that encrypted data key

Alec Whitehouse

I was just going to ask about how to make sure you can retain backing keys for imported key material upon manual rotation. Looks like more administrative work but customer imported key material is a requirement in many enterprises.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?