How to use on-demand rotation for AWS KMS imported keys

Source: AWS Security Blog

Author: Jeremy Stieglitz

URL: https://aws.amazon.com/blogs/security/how-to-use-on-demand-rotation-for-aws-kms-imported-keys/

ONE SENTENCE SUMMARY:

AWS KMS now supports on-demand rotation of imported symmetric encryption key material, enabling compliance without changing key identifiers.

MAIN POINTS:

  1. AWS KMS introduces on-demand rotation for imported symmetric encryption key material (EXTERNAL origin).
  2. Previously, rotation required creating new keys and updating references; now identifiers remain constant.
  3. An imported key can hold multiple key materials; on-demand rotation switches it to the most recently imported material.
  4. Ciphertext includes a key material identifier for automatic selection during decryption.
  5. API responses now include KeyMaterialId and CurrentKeyMaterialId for greater rotation transparency.
  6. The rotation process has three steps: import the new key material, set the key's rotation state, then initiate the on-demand rotation.
  7. AWS CLI and SDKs support on-demand key rotation, with new parameters for import-type.
  8. Imported keys uniquely offer immediate expiry and deletion capabilities for enhanced control.
  9. CloudTrail logging includes key material ID for improved auditability and compliance.
  10. Pricing is simplified with a base cost and capped additional rotation charges after two rotations.
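The points above describe a mechanism rather than showing it, so the following is an added Python model of it (illustration written for this summary, not AWS code): one key identifier that stays fixed while several imported key materials sit behind it, ciphertext that carries the identifier of the material used, decryption that selects the material from that identifier, and immediate deletion or re-import of a single material. The cipher is a toy HMAC-SHA256 keystream with an HMAC tag standing in for KMS's real AES-GCM, the key material IDs are derived from the secret so a re-import lands on the same ID (KMS assigns its own), the import-type values `NEW_KEY_MATERIAL` and `EXISTING_KEY_MATERIAL` and the requirement to set the rotation state before rotating are assumptions about the ordering the page lists, and the key ARN is a constructed placeholder.

```python
"""Toy model of an AWS KMS key with EXTERNAL origin that holds several imported
key materials and rotates between them on demand (added illustration, not AWS code)."""
import hmac
import hashlib
import secrets
from typing import Optional, Tuple

ID_LEN = 16      # length of the hex key-material id prefixed to every ciphertext
NONCE_LEN = 12
TAG_LEN = 32     # HMAC-SHA256 integrity tag


def _keystream(secret: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy cipher constructed for this example)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(secret, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class ImportedKmsKey:
    """A key identifier that never changes while the material behind it rotates."""

    def __init__(self, key_id: str):
        self.key_id = key_id               # the ARN callers reference; untouched by rotation
        self.materials = {}                # key material id -> 256-bit secret (deleted ones are absent)
        self.import_order = []             # ids in import order; rotation picks the latest
        self.current_material_id: Optional[str] = None
        self.rotation_enabled = False

    def import_key_material(self, secret: bytes, import_type: str = "NEW_KEY_MATERIAL") -> str:
        """Add new material, or restore previously imported material (assumed import-type values)."""
        if len(secret) != 32:
            raise ValueError("symmetric key material must be 256 bits")
        material_id = hashlib.sha256(secret).hexdigest()[:ID_LEN]   # constructed id scheme
        if import_type == "NEW_KEY_MATERIAL":
            if material_id in self.import_order:
                raise ValueError("material already imported once; use EXISTING_KEY_MATERIAL to restore it")
            self.import_order.append(material_id)
        elif import_type == "EXISTING_KEY_MATERIAL":
            if material_id not in self.import_order:
                raise ValueError("no earlier import of this material to restore")
        else:
            raise ValueError(f"unknown import type {import_type!r}")
        self.materials[material_id] = secret
        if self.current_material_id is None:       # first import becomes the current material
            self.current_material_id = material_id
        return material_id

    def enable_key_rotation(self) -> None:
        """The 'set rotation state' step; rotation of imported material is on demand only here."""
        self.rotation_enabled = True

    def rotate_key_on_demand(self) -> str:
        """Make the most recently imported material current; key_id is not changed."""
        if not self.rotation_enabled:
            raise PermissionError("set the key's rotation state before rotating on demand")
        latest = self.import_order[-1]
        if latest not in self.materials:
            raise LookupError("latest material was deleted or expired; re-import it first")
        if latest == self.current_material_id:
            raise ValueError("no newer key material has been imported")
        self.current_material_id = latest
        return latest

    def encrypt(self, plaintext: bytes) -> bytes:
        """Encrypt under the current material and prefix the ciphertext with that material's id."""
        secret = self.materials.get(self.current_material_id)
        if secret is None:
            raise LookupError("current key material is missing; key is unusable until re-import")
        nonce = secrets.token_bytes(NONCE_LEN)
        body = bytes(a ^ b for a, b in zip(plaintext, _keystream(secret, nonce, len(plaintext))))
        header = self.current_material_id.encode() + nonce
        tag = hmac.new(secret, header + body, hashlib.sha256).digest()
        return header + body + tag

    def decrypt(self, blob: bytes) -> Tuple[bytes, str]:
        """Select the material named in the header, so ciphertext from before a rotation still decrypts."""
        material_id = blob[:ID_LEN].decode()
        nonce = blob[ID_LEN:ID_LEN + NONCE_LEN]
        body, tag = blob[ID_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        secret = self.materials.get(material_id)
        if secret is None:
            raise LookupError(f"key material {material_id} is deleted or expired; ciphertext unrecoverable")
        expected = hmac.new(secret, blob[:-TAG_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        plaintext = bytes(a ^ b for a, b in zip(body, _keystream(secret, nonce, len(body))))
        return plaintext, material_id

    def delete_imported_key_material(self, material_id: str) -> None:
        """Immediate deletion of one material: anything encrypted under it stops decrypting now."""
        if material_id not in self.materials:
            raise LookupError(f"key material {material_id} is not present")
        del self.materials[material_id]


if __name__ == "__main__":
    key = ImportedKmsKey("arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID")  # placeholder ARN
    first = key.import_key_material(bytes([1]) * 32)
    old_ct = key.encrypt(b"record encrypted before rotation")
    second = key.import_key_material(bytes([2]) * 32)
    key.enable_key_rotation()
    key.rotate_key_on_demand()
    print("current material:", key.current_material_id == second, "key id unchanged:", key.key_id)
    print("old ciphertext decrypts with material", key.decrypt(old_ct)[1] == first)
```

The `LookupError` paths are the ones worth watching operationally: once a material is deleted, every ciphertext whose header names it fails immediately, which is the control the page calls immediate expiry and deletion, and the same error appears if rotation is attempted toward material that has already been removed.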

TAKEAWAYS:

  1. Simplifies compliance and security audits through seamless, non-disruptive key rotation.
  2. Enhances transparency and auditability with new API response fields and detailed CloudTrail logs.
  3. Provides greater flexibility and control with immediate expiry and deletion of imported key material.
  4. Reduces operational overhead by maintaining unchanged key identifiers during rotation.
  5. Offers predictable costs by capping additional charges beyond the second rotation per month.