Automatic key rotation is supported only on symmetric encryption KMS keys.
You cannot enable or disable automatic rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. The key rotation status of these KMS keys is always false.
To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key.
In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every
three years to every year. For details, see EnableKeyRotation.
The KMS key that you use for this operation must be in a compatible key state. For
details, see Key states of KMS keys in the Key Management Service Developer Guide.
Cross-account
use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
Disables automatic rotation of the key material of the specified symmetric encryption KMS key.
Automatic key rotation is supported only on symmetric encryption KMS keys. You cannot enable or disable automatic rotation of asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in a custom key store. The key rotation status of these KMS keys is always
false. To enable or disable automatic rotation of a set of related multi-Region keys, set the property on the primary key.You can enable (EnableKeyRotation) and disable automatic rotation of the key material in customer managed KMS keys. Key material rotation of Amazon Web Services managed KMS keys is not configurable. KMS always rotates the key material for every year. Rotation of Amazon Web Services owned KMS keys varies.
In May 2022, KMS changed the rotation schedule for Amazon Web Services managed keys from every three years to every year. For details, see EnableKeyRotation.
The KMS key that you use for this operation must be in a compatible key state. For details, see Key states of KMS keys in the Key Management Service Developer Guide.
Cross-account use: No. You cannot perform this operation on a KMS key in a different Amazon Web Services account.
Required permissions: kms:DisableKeyRotation (key policy)
Related operations:
EnableKeyRotation
GetKeyRotationStatus
Use a bare-bones client and the command you need to make an API call.
import { KMSClient, DisableKeyRotationCommand } from "@aws-sdk/client-kms"; // ES Modules import // const { KMSClient, DisableKeyRotationCommand } = require("@aws-sdk/client-kms"); // CommonJS import const client = new KMSClient(config); const command = new DisableKeyRotationCommand(input); const response = await client.send(command);DisableKeyRotationCommandInput for command's
inputshape.DisableKeyRotationCommandOutput for command's
responseshape.config for KMSClient's
configshape.