Certified Security - Specialty

Sign Up Free or Log In to participate!

What is a customer-managed CMK?

So from what I was understanding, a customer-managed CMK means that it is a CMK with imported key material. 

Imported key material cannot be automatically rotated, as stated in AWS documentation: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-considerations

However there is this page which states that customer-managed CMKs can be automatically rotated every 365 days: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

So then, what is a customer-managed CMK? Does it not mean that you have a CMK with imported key material?

1 Answers

Hi Leneche

When it comes to customer-managed CMKs, you have the option to either choose an external KeyMaterial or Key Material generated by KMS.

I believe the automatic rotation (optional) is available for symmetric customer managed CMKs that use AWS KMS. 

Please refer to the following FAQs page for more information. (espl. the question Why should I create my own customer master keys?)





Thanks Anirudh! I’ll look into the FAQs


I see that it states "You can define an alias and description for the key and opt-in to have the key automatically rotated once per year if it was generated by AWS KMS."

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?