Using AWS KMS with Customer managed asymmetric keys. Is it even possible for a key to become compromised – can anyone point to an AWS resource that states that (as AWS admin I can’t see the private key so how could anyone else)?
Assuming it is possible how would go about rotating they keys? For symetric keys this only seems possible on a schedule e.g. once a year, but how would you do this on demand?