Ben Oram

Quick notes on tech, AWS, .NET & containers

kms

| 1 min read

AWS managed keys are rotated automatically every 3 years. For these keys, there is not a way to manually trigger a key rotation, or change the rotation schedule. These are AWS Managed Keys after all :)

Customer managed keys in KMS have more flexibility. While key rotation is not required, they can be configured automatically rotate every year. In addition, key rotation may be triggered manually, or a rotation can be triggered manually or through API.

To enable manual rotation, make sure that all key references are through an alias. Aliases enable manual key rotation by allowing you to point the alias to a new key at any time.

References