Certified Security - Specialty


Manual KMS CMK rotation

If I understood correctly, either if you want to rotate a CMK with KMS imported key material (< 1 year) or if you want to rotate a CMK with customer imported key material, you have to create a new CMK following this process: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually

Initial Status: CMK1 with aliasA + apps using aliasA

Step1: Create new CMK2 with new key material

Step2: Update CMK2 to be linked to aliasA

According to the doc:

"When you begin using the new CMK, be sure to keep the original CMK enabled so that AWS KMS can decrypt data that the original CMK encrypted. When decrypting data, KMS identifies the CMK that was used to encrypt the data, and it uses the same CMK to decrypt the data. As long as you keep both the original and new CMKs enabled, AWS KMS can decrypt any data that was encrypted by either CMK."

How is this possible if CMK1 and CMK2 are different resources? Does this apply to both cases: KMS key material and customer key material?

Thanks!

1 Answer

KMS knows which CMK key ID it used to encrypt a file, so it will try to use the same key ID to decrypt the file. That is why you need to keep the original CMK in an active state if you want to be able to decrypt files that were encrypted using this key, and KMS will know which key to use. This applies to customer managed CMKs with AWS provided key material as well as CMKs with imported key material.

The use of a key alias is completely optional; each CMK can have multiple aliases, but each alias points to only one CMK: https://docs.aws.amazon.com/kms/latest/developerguide/programming-aliases.html

I’m not sure if this answers your question, so please let me know if it doesn’t!

Faye
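The behaviour Faye describes, as an added example that is not part of the original thread or of AWS's own code: a small in-memory stand-in for KMS (constructed here; `FakeKms`, its toy HMAC-based cipher and the JSON blob layout are assumptions for illustration, not how the real service stores ciphertext) that models the two properties the answer relies on. First, the ciphertext blob records the key ID of the symmetric CMK that produced it, so Decrypt is called without a key ID and KMS picks the CMK itself. Second, an alias resolves to exactly one CMK, so repointing the alias is the whole rotation step. The comments name the real boto3 calls each step corresponds to, and the demo also shows what breaks if CMK1 is disabled before all of its ciphertext has been re-encrypted.

```python
import hashlib
import hmac
import json
import secrets
import uuid


class DisabledException(Exception):
    """Mirrors the DisabledException KMS returns when a ciphertext's CMK is disabled."""


class FakeKms:
    """Constructed in-memory model of KMS semantics; not the AWS service or boto3."""

    def __init__(self):
        self.keys = {}      # key_id -> {"material": bytes, "enabled": bool}
        self.aliases = {}   # "alias/<name>" -> key_id; one alias maps to exactly one CMK

    def create_key(self):
        # Real call: kms.create_key() (plus import_key_material for customer-imported material)
        key_id = str(uuid.uuid4())
        self.keys[key_id] = {"material": secrets.token_bytes(32), "enabled": True}
        return key_id

    def create_alias(self, alias_name, key_id):
        # Real call: kms.create_alias(AliasName=alias_name, TargetKeyId=key_id)
        self.keys[key_id]                    # KeyError if the target CMK does not exist
        self.aliases[alias_name] = key_id

    def update_alias(self, alias_name, key_id):
        # Real call: kms.update_alias(AliasName=alias_name, TargetKeyId=key_id)
        # The rotation step: the alias is repointed; CMK1 itself is untouched and stays enabled.
        self.aliases[alias_name]             # KeyError if the alias does not exist
        self.keys[key_id]
        self.aliases[alias_name] = key_id

    def disable_key(self, key_id):
        # Real call: kms.disable_key(KeyId=key_id)
        self.keys[key_id]["enabled"] = False

    def _resolve(self, key_id_or_alias):
        # Encrypt accepts a key id or an alias; an alias resolves to its single target CMK.
        return self.aliases[key_id_or_alias] if key_id_or_alias.startswith("alias/") else key_id_or_alias

    @staticmethod
    def _keystream(material, nonce, length):
        # Toy counter-mode keystream from HMAC-SHA256; stands in for the service's real cipher.
        blocks = [hmac.new(material, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(length // 32 + 1)]
        return b"".join(blocks)[:length]

    def encrypt(self, key_id_or_alias, plaintext):
        # Real call: kms.encrypt(KeyId=..., Plaintext=...); the response names the CMK actually used.
        key_id = self._resolve(key_id_or_alias)
        entry = self.keys[key_id]
        if not entry["enabled"]:
            raise DisabledException(key_id)
        nonce = secrets.token_bytes(12)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(entry["material"], nonce, len(plaintext))))
        tag = hmac.new(entry["material"], key_id.encode() + nonce + ct, hashlib.sha256).digest()
        # The key id is carried inside the blob: this is what lets Decrypt work without a KeyId.
        blob = json.dumps({"key_id": key_id, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}).encode()
        return {"KeyId": key_id, "CiphertextBlob": blob}

    def decrypt(self, ciphertext_blob):
        # Real call: kms.decrypt(CiphertextBlob=...); for a symmetric CMK no KeyId is passed.
        fields = json.loads(ciphertext_blob)
        key_id = fields["key_id"]
        entry = self.keys[key_id]
        if not entry["enabled"]:
            raise DisabledException(key_id)
        nonce, ct, tag = (bytes.fromhex(fields[k]) for k in ("nonce", "ct", "tag"))
        expected = hmac.new(entry["material"], key_id.encode() + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext integrity check failed")
        pt = bytes(a ^ b for a, b in zip(ct, self._keystream(entry["material"], nonce, len(ct))))
        return {"KeyId": key_id, "Plaintext": pt}


def manual_rotation_demo():
    """Walk through the question's Step 1 / Step 2 and report which decrypts still succeed."""
    kms = FakeKms()
    alias = "alias/aliasA"
    cmk1 = kms.create_key()
    kms.create_alias(alias, cmk1)
    before = kms.encrypt(alias, b"record written before rotation")

    cmk2 = kms.create_key()            # Step 1: new CMK with new key material
    kms.update_alias(alias, cmk2)      # Step 2: aliasA now points at CMK2
    after = kms.encrypt(alias, b"record written after rotation")

    results = {
        "alias_target_is_cmk2": kms.aliases[alias] == cmk2,
        "before_used_cmk1": before["KeyId"] == cmk1,
        "after_used_cmk2": after["KeyId"] == cmk2,
        "before_decrypts_while_cmk1_enabled": kms.decrypt(before["CiphertextBlob"])["KeyId"] == cmk1,
        "after_decrypts": kms.decrypt(after["CiphertextBlob"])["Plaintext"] == b"record written after rotation",
    }
    # Disabling CMK1 too early: the old blob names CMK1, so KMS cannot decrypt it any more.
    kms.disable_key(cmk1)
    try:
        kms.decrypt(before["CiphertextBlob"])
        results["before_decrypts_after_cmk1_disabled"] = True
    except DisabledException:
        results["before_decrypts_after_cmk1_disabled"] = False
    results["after_decrypts_after_cmk1_disabled"] = kms.decrypt(after["CiphertextBlob"])["KeyId"] == cmk2
    return results


if __name__ == "__main__":
    for name, ok in manual_rotation_demo().items():
        print(f"{name}: {ok}")
```

The last two results are the practical caveat behind the doc quote in the question: after the alias moves, applications keep calling Encrypt with `alias/aliasA` and transparently get CMK2, but every object encrypted before the switch still names CMK1 in its ciphertext, so CMK1 must stay enabled (or its data re-encrypted under CMK2) before it can be disabled or scheduled for deletion.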

lulon83

It helped, thanks! I think the key is to understand that when performing a Decrypt operation with KMS, you send the encrypted data key (that was used to encrypt the object), but you don't specify anything related to the CMK. It is up to KMS to detect the CMK that was used based on that encrypted data key.

Alec Whitehouse

I was just going to ask about how to make sure you can retain backing keys for imported key material upon manual rotation. Looks like more administrative work but customer imported key material is a requirement in many enterprises.
