AWS Key Management Service
Developer Guide

Rotating Keys

When you create a customer master key (CMK) in AWS KMS, the service creates a key ID for the CMK and key material referred to as a backing key that is tied to the key ID of the CMK. If you choose to enable key rotation for a given CMK, AWS KMS will create a new version of the backing key for each rotation. It is the backing key that is used to perform cryptographic operations such as encryption and decryption.

When you choose a CMK to encrypt new data, AWS KMS automatically uses the latest version of the backing key to perform the encryption. When you want to decrypt data, AWS KMS automatically determines the correct version of the backing key to use. From your point of view, your CMK is simply a logical resource that does not change regardless of whether or how many times the underlying backing keys have been rotated.

Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. If you want to prevent decryption of old ciphertexts, you can create a new CMK and change your alias to point to the new key. You can then control when you choose to disable the old key. Disabling a CMK prevents the backing keys tied to it from being used to encrypt or to decrypt.

For more detailed information about backing keys and rotation, see the KMS Cryptographic Details whitepaper.