Key rotation for AWS KMS and scope of impact

We do not recommend AWS Key Management Service (AWS KMS) key rotation unless you are required to rotate keys for regulatory compliance. For example, you might be required to rotate your KMS keys due to business policies, contract rules, or government regulations. The design of AWS KMS significantly reduces the types of risk that key rotation is typically used to mitigate. If you must rotate KMS keys, we recommend that you use automatic key rotation and use manual key rotation only if automatic key rotation is not supported.

AWS KMS symmetric key rotation

AWS KMS supports automatic key rotation only for symmetric encryption KMS keys with key material that AWS KMS creates. Automatic rotation is optional for customer managed KMS keys. On an annual basis, AWS KMS rotates the key material for AWS managed KMS keys. AWS KMS saves all previous versions of the cryptographic material in perpetuity, so you can decrypt any data that is encrypted with that KMS key. AWS KMS does not delete any rotated key material until you delete the KMS key. Also, when you decrypt an object by using AWS KMS, the service determines the correct backing material to use for the decrypt operation; no additional input parameters need to be supplied.

Because AWS KMS retains previous versions of the cryptographic key material and because you can use that material to decrypt data, key rotation doesn't provide any additional security benefits. The key rotation mechanism exists to make it easier to rotate keys if you are operating a workload in a context where regulatory or other requirements demand it.

Key rotation for Amazon EBS volumes

You can rotate Amazon Elastic Block Store (Amazon EBS) data keys by using one of the following approaches. The approach depends on your workflows, deployment methods, and application architecture. You might want to do this when changing from an AWS managed key to a customer managed key.

To use operating system tools to copy the data from one volume to another

1. Create the new KMS key. For instructions, see Create a KMS key.

2. Create a new Amazon EBS volume that is the same size as or larger than the original. For encryption, specify the KMS key that you created. For instructions, see Create an Amazon EBS volume.

3. Mount the new volume on the same instance or container as the original volume. For instructions, see Attach an Amazon EBS volume to an Amazon EC2 instance.

4. Using your preferred operating system tool, copy data from the existing volume to the new volume.

5. When the sync is complete, during a pre-scheduled maintenance window, stop the traffic to the instance. For instructions, see Manually stop and start your instances.

6. Unmount the original volume. For instructions, see Detach an Amazon EBS volume from an Amazon EC2 instance.

7. Mount the new volume to the original mount point.

8. Verify that the new volume is operating correctly.

9. Delete the original volume. For instructions, see Delete an Amazon EBS volume.

To use an Amazon EBS snapshot to copy the data from one volume to another

1. Create the new KMS key. For instructions, see Create a KMS key.

2. Create an Amazon EBS snapshot of the original volume. For instructions, see Create Amazon EBS snapshots.

3. Create a new volume from the snapshot. For encryption, specify the new KMS key that you created. For instructions, see Create an Amazon EBS volume.

   Note

   Depending on your workload, you might want to use Amazon EBS fast snapshot restore to minimize initial latency on the volume.

4. Create a new Amazon EC2 instance. For instructions, see Launch an Amazon EC2 instance.

5. Attach the volume that you created to the Amazon EC2 instance. For instructions, see Attach an Amazon EBS volume to an Amazon EC2 instance.

6. Rotate the new instance into production.

7. Rotate the original instance out of production and delete it. For instructions, see Delete an Amazon EBS volume.

Note

It is possible to copy snapshots and modify the encryption key used for the target copy. After you copy the snapshot and encrypt it with your preferred KMS keys, you can also create an Amazon Machine Image (AMI) from snapshots. For more information, see Amazon EBS encryption in the Amazon EC2 documentation.

Key rotation for Amazon RDS

For some services, such as Amazon Relational Database Service (Amazon RDS), data encryption occurs within the service and is provided by AWS KMS. Use the following instructions to rotate a key for an Amazon RDS database instance.

To rotate a KMS key for an Amazon RDS database

1. Create a snapshot of the original encrypted database. For instructions, see Managing manual backups in the Amazon RDS documentation.

2. Copy the snapshot to a new snapshot. For encryption, specify the new KMS key. For instructions, see Copying a DB snapshot for Amazon RDS.

3. Use the new snapshot to create a new Amazon RDS cluster. For instructions, see Restoring to a DB instance in the Amazon RDS documentation. By default, the cluster uses the new KMS key.

4. Verify the operation of the new database and the data in it.

5. Rotate the new database into production.

6. Rotate the old database out of production and delete it. For instructions, see Deleting a DB instance.

Key rotation for Amazon S3 and Same-Region Replication

For Amazon Simple Storage Service (Amazon S3), to change the encryption key of an object, you need to read and rewrite the object. When you rewrite the object, you explicitly specify the new encryption key in the write operation. To do this for many objects, you can use Amazon S3 Batch Operations. Within the job settings, for the copy operation, specify the new encryption settings. For example, you might choose SSE-KMS and enter the keyId.

Alternatively, you could use Amazon S3 Same-Region Replication (SRR). SSR can re-encrypt the objects in transit.

Rotating KMS keys with imported material

AWS KMS does not recover or rotate your imported key material. To rotate a KMS key with imported key material, you must rotate the key manually.