Manual key rotation in AWS Key Management Service (KMS) is a security practice where you create a new Customer Master Key (CMK) to replace an existing one, then update your applications to use the new key. Unlike automatic key rotation, which AWS handles for you annually, manual rotation gives you complete control over the timing and process of rotating your encryption keys.
When performing manual key rotation, you create an entirely new CMK with a different key ID and ARN. This differs from automatic rotation, where AWS generates new cryptographic material while keeping the same key ID. After creating the new key, you must update all references in your applications, scripts, and configurations to point to the new key identifier.
The manual rotation process typically involves several steps. First, create a new CMK in KMS. Then, update your application code and configurations to reference the new key. Next, re-encrypt any existing data that was encrypted with the old key using the new key. Finally, after confirming everything works correctly, you can schedule the old key for deletion after the mandatory waiting period of 7-30 days.
Manual rotation is particularly useful when you need to rotate keys more frequently than annually, when using asymmetric keys, which do not support automatic rotation, or when using keys with imported key material. It is also necessary for keys in custom key stores.
To simplify management during manual rotation, AWS recommends using aliases. By pointing an alias to your current active key, you can update the alias to reference the new key instead of modifying application code. This approach reduces the complexity of key rotation across multiple services and applications.
Best practices include maintaining detailed documentation of which keys encrypt which data, implementing proper access controls on both old and new keys during transition periods, and ensuring you retain old keys until all data has been re-encrypted or is no longer needed.
Manual Key Rotation in AWS KMS
What is Manual Key Rotation?
Manual key rotation is the process of creating a new Customer Master Key (CMK) in AWS Key Management Service (KMS) and updating your applications to use the new key, while keeping the old key available for decrypting previously encrypted data. Unlike automatic key rotation, you control when and how the rotation occurs.
Why is Manual Key Rotation Important?
• Security Compliance: Many regulatory frameworks require periodic key rotation to minimize the risk of key compromise
• Asymmetric Keys: AWS KMS does not support automatic rotation for asymmetric CMKs, so manual rotation is the only option
• Imported Key Material: CMKs with imported key material cannot be automatically rotated
• Greater Control: Organizations may need to rotate keys on a specific schedule or in response to security incidents
• Key Material Changes: Unlike automatic rotation, which keeps the same key ID, manual rotation creates entirely new cryptographic material
How Manual Key Rotation Works
1. Create a New CMK: Generate a new Customer Master Key in AWS KMS
2. Update Key Aliases: Point your existing alias to the new CMK. This is the recommended approach as applications using the alias will automatically use the new key
3. Re-encrypt Data (Optional): You may choose to re-encrypt existing data with the new key, though this is not always required
4. Retain Old Keys: Keep old CMKs in an enabled state to decrypt data that was encrypted with them, or re-encrypt all data and then disable/schedule deletion of old keys
5. Update Applications: If not using aliases, update application configurations to reference the new key ID
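The five steps above (and the rotation procedure in the summary) as an added, runnable Python example that is not part of the original page: the rotation functions call the boto3 KMS client methods by name, while FakeKms is a constructed in-memory stand-in with the same call shapes so the example runs offline. The alias name, key IDs, and account number are made-up values.

```python
def rotate_via_alias(kms, alias_name, ciphertexts):
    """Rotate the CMK behind alias_name and re-encrypt ciphertexts (a list, updated in place)
    to it. kms is any object exposing the boto3 KMS methods called here."""
    # Step 1: find the CMK the alias currently targets (the real list_aliases is paginated).
    old_key_id = next(a["TargetKeyId"] for a in kms.list_aliases()["Aliases"]
                      if a["AliasName"] == alias_name)
    # Step 2: create a new CMK; it gets its own key ID and ARN, unlike automatic rotation.
    new_key_id = kms.create_key(Description=f"manual rotation of {alias_name}")["KeyMetadata"]["KeyId"]
    # Step 3: repoint the alias so callers that encrypt via the alias switch keys without code changes.
    kms.update_alias(AliasName=alias_name, TargetKeyId=new_key_id)
    # Step 4: re-encrypt stored ciphertexts. KMS decrypts each blob with the key recorded in it
    # (so the old CMK must still be enabled) and encrypts under the alias's new target.
    for i, blob in enumerate(ciphertexts):
        ciphertexts[i] = kms.re_encrypt(CiphertextBlob=blob, DestinationKeyId=alias_name)["CiphertextBlob"]
    return {"old_key_id": old_key_id, "new_key_id": new_key_id, "reencrypted": len(ciphertexts)}

def retire_old_key(kms, key_id, pending_days=30):
    """Step 5, only after all data is re-encrypted: disable first so a missed consumer fails
    loudly while the key is still recoverable, then start the mandatory 7-30 day deletion window."""
    kms.disable_key(KeyId=key_id)
    return kms.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=pending_days)["KeyState"]

class FakeKms:
    """Constructed in-memory stand-in for boto3's KMS client: same call shapes, no real crypto."""
    def __init__(self):
        self.keys, self.aliases = {}, {}
    def create_key(self, **kw):
        kid = f"key-{len(self.keys) + 1:04d}"
        self.keys[kid] = "Enabled"
        return {"KeyMetadata": {"KeyId": kid, "Arn": f"arn:aws:kms:us-east-1:111122223333:key/{kid}"}}
    def list_aliases(self, **kw):
        return {"Aliases": [{"AliasName": a, "TargetKeyId": k} for a, k in self.aliases.items()]}
    def update_alias(self, AliasName, TargetKeyId):
        self.aliases[AliasName] = TargetKeyId
    create_alias = update_alias
    def encrypt(self, KeyId, Plaintext):
        kid = self.aliases.get(KeyId, KeyId)  # the blob records which key encrypted it
        return {"CiphertextBlob": kid.encode() + b":" + Plaintext, "KeyId": kid}
    def re_encrypt(self, CiphertextBlob, DestinationKeyId, **kw):
        src, pt = CiphertextBlob.split(b":", 1)
        if self.keys[src.decode()] != "Enabled":  # real client raises DisabledException
            raise RuntimeError(f"DisabledException: {src.decode()}")
        return {**self.encrypt(DestinationKeyId, pt), "SourceKeyId": src.decode()}
    def disable_key(self, KeyId):
        self.keys[KeyId] = "Disabled"
    def schedule_key_deletion(self, KeyId, PendingWindowInDays=30):
        if not 7 <= PendingWindowInDays <= 30:
            raise ValueError("PendingWindowInDays must be 7-30")
        self.keys[KeyId] = "PendingDeletion"
        return {"KeyId": KeyId, "KeyState": "PendingDeletion"}
```

Against a real account, pass `boto3.client("kms")` in place of FakeKms; the same rotation code runs because only the client object changes. Disabling the old key before the re-encryption pass makes step 4 fail, which is the "retain old keys" point made above.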
Key Differences: Manual vs Automatic Rotation
• Manual: Creates a new CMK with a new key ID and ARN
• Automatic: Keeps the same key ID and ARN, only the backing key changes
• Manual: Required for asymmetric keys and imported key material
• Automatic: Only available for symmetric CMKs with AWS-generated key material
Exam Tips: Answering Questions on Manual Key Rotation
• When a question mentions asymmetric keys or imported key material, remember that manual rotation is required
• If asked about maintaining access to previously encrypted data after rotation, the answer involves keeping old keys enabled or re-encrypting data
• Questions about aliases often relate to simplifying key rotation - updating an alias is the cleanest way to rotate keys for applications
• Remember that manual rotation results in a new key ID, unlike automatic rotation
• For scenarios requiring different key material (not just backing key rotation), manual rotation is the answer
• If a question asks about rotating keys for HMAC KMS keys, the answer is manual rotation since automatic is not supported
• Watch for questions about key policies - new manually rotated keys need appropriate policies configured separately
• Cost considerations: Each CMK incurs charges, so manual rotation means paying for multiple keys if you keep old ones active