Rotating key material
Authorized users can enable automatic annual rotation of their customer managed KMS keys. AWS managed keys are always rotated every year.
When a KMS key is rotated, a new HBK (HSM backing key) is created and marked as the current version of the key material; every new encrypt request uses it. All previous versions of the HBK remain available in perpetuity to decrypt any ciphertext that was encrypted under that version. Because AWS KMS does not store any ciphertext encrypted under a KMS key, a ciphertext encrypted under an older, rotated HBK can only be decrypted with that HBK version. You can use the ReEncrypt API to reencrypt any ciphertext under the new HBK of the same KMS key, or under a different KMS key, without exposing the plaintext outside KMS.
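The following is an added example, not code from the whitepaper or from AWS KMS, that models the rotation semantics just described: one KMS key ID holds a growing list of HBK versions, new encrypts use the current version, each ciphertext records the key ID and version it was produced under, and a ReEncrypt-style operation decrypts and re-encrypts inside the "HSM" so the caller only ever handles ciphertext. The class and method names (ToyKmsHsm, rotate, re_encrypt) are assumptions for illustration, and the cipher is a constructed HMAC-SHA256 keystream with an HMAC tag standing in for the HSM's real cipher; only the version bookkeeping is the point.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(hbk, nonce, length):
    """Constructed stream cipher: HMAC-SHA256(hbk, nonce || counter) blocks.
    Stands in for the HSM's real cipher; it is a toy, not what KMS uses."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(hbk, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class ToyKmsHsm:
    """Toy model of the KMS trust boundary: HBKs and plaintext exist only inside
    these methods. Each key ID maps to a list of HBK versions; the last entry is
    the current one and is used for all new encrypts. Rotation appends, never removes."""

    def __init__(self):
        self._hbks = {}  # key_id -> [hbk_v0, hbk_v1, ...]

    def create_key(self, key_id):
        self._hbks[key_id] = [os.urandom(32)]

    def current_version(self, key_id):
        return len(self._hbks[key_id]) - 1

    def rotate(self, key_id):
        """Create a new HBK and mark it current; older versions stay for decrypt."""
        self._hbks[key_id].append(os.urandom(32))
        return self.current_version(key_id)

    def encrypt(self, key_id, plaintext):
        version = self.current_version(key_id)
        hbk = self._hbks[key_id][version]
        nonce = os.urandom(NONCE_LEN)
        kid = key_id.encode()
        # The header records which key and which HBK version produced the ciphertext,
        # so decrypt can pick the right version even after several rotations.
        header = struct.pack(">H", len(kid)) + kid + struct.pack(">I", version) + nonce
        body = bytes(p ^ k for p, k in zip(plaintext, _keystream(hbk, nonce, len(plaintext))))
        tag = hmac.new(hbk, header + body, hashlib.sha256).digest()
        return header + body + tag

    @staticmethod
    def parse_header(ciphertext):
        """Return (key_id, version) recorded in a ciphertext; needs no key material."""
        (kid_len,) = struct.unpack(">H", ciphertext[:2])
        kid = ciphertext[2:2 + kid_len].decode()
        (version,) = struct.unpack(">I", ciphertext[2 + kid_len:6 + kid_len])
        return kid, version

    def decrypt(self, ciphertext):
        kid, version = self.parse_header(ciphertext)
        header_len = 6 + len(kid.encode()) + NONCE_LEN
        header = ciphertext[:header_len]
        body = ciphertext[header_len:-TAG_LEN]
        tag = ciphertext[-TAG_LEN:]
        nonce = header[-NONCE_LEN:]
        hbk = self._hbks[kid][version]  # the exact HBK version that encrypted it
        expected = hmac.new(hbk, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        return bytes(c ^ k for c, k in zip(body, _keystream(hbk, nonce, len(body))))

    def re_encrypt(self, ciphertext, destination_key_id):
        """ReEncrypt analogue: decrypt and re-encrypt inside the boundary, so the
        caller sees ciphertext in and ciphertext out, never plaintext."""
        plaintext = self.decrypt(ciphertext)
        return self.encrypt(destination_key_id, plaintext)


def demo():
    """Walk through a rotation and two re-encryptions; returns the observable facts."""
    hsm = ToyKmsHsm()
    hsm.create_key("key-A")
    hsm.create_key("key-B")
    secret = b"constructed sample plaintext"
    old_ct = hsm.encrypt("key-A", secret)           # under key-A version 0
    new_version = hsm.rotate("key-A")               # key-A now has version 1
    fresh_ct = hsm.encrypt("key-A", secret)         # new encrypts use version 1
    rotated_ct = hsm.re_encrypt(old_ct, "key-A")    # same key, current HBK
    moved_ct = hsm.re_encrypt(old_ct, "key-B")      # different KMS key
    return {
        "old_version": ToyKmsHsm.parse_header(old_ct)[1],
        "new_version": new_version,
        "fresh_version": ToyKmsHsm.parse_header(fresh_ct)[1],
        "rotated_header": ToyKmsHsm.parse_header(rotated_ct),
        "moved_header": ToyKmsHsm.parse_header(moved_ct),
        "old_still_decrypts": hsm.decrypt(old_ct) == secret,
        "rotated_decrypts": hsm.decrypt(rotated_ct) == secret,
        "moved_decrypts": hsm.decrypt(moved_ct) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

The model makes two points concrete: rotation alone does not change any stored ciphertext, so old ciphertexts keep depending on the old HBK version until you re-encrypt them, and the ReEncrypt step is the only path that moves data onto the new version (or onto a different key) without the plaintext leaving the boundary. With the real service the equivalent call is `ReEncrypt` with `CiphertextBlob` and `DestinationKeyId`.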
For information about enabling and disabling key rotation, see Rotating AWS KMS keys in the AWS Key Management Service Developer Guide.