How can I manually rotate customer managed keys in AWS KMS?

Last updated: 2021-06-25

AWS Key Management Service (AWS KMS) rotates KMS keys automatically once per year. How can I manually rotate KMS keys before they're automatically rotated once per year?

Resolution

Use manual key rotation to create a new KMS key to replace the current key.

This example shows how to rotate your current AWS KMS key with a new key that you rotate to.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

1.    Create an alias named application-current, and then attach it to the new KMS key:

acbc32cf8f6f:~ $$ aws kms create-alias --alias-name alias/application-current --target-key-id 0987dcba-09fe-87dc-65ba-ab0987654321
acbc32cf8f6f:~ $$ aws kms list-aliases --output text | grep application
ALIASES    arn:aws:kms:eu-west-1:123456789012:alias/application-current    alias/application-current    0987dcba-09fe-87dc-65ba-ab0987654321

2.    Create a new alias named "application-20180606" that includes the rotation date (in this example, "2018-06-06") as part of its name for the KMS key to be rotated. The AWS KMS key has two aliases:

acbc32cf8f6f:~ $$ aws kms create-alias --alias-name alias/application-20180606 --target-key-id 0987dcba-09fe-87dc-65ba-ab0987654321
acbc32cf8f6f:~ $$ aws kms list-aliases --output text | grep application
ALIASES    arn:aws:kms:eu-west-1:123456789012:alias/application-20180606    alias/application-20180606    0987dcba-09fe-87dc-65ba-ab0987654321
ALIASES    arn:aws:kms:eu-west-1:123456789012:alias/application-current     alias/application-current     0987dcba-09fe-87dc-65ba-ab0987654321

3.    Create a new AWS KMS key similar to the following:

acbc32cf8f6f:~ $$ aws kms create-key
{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "9bf76697-5b41-4caf-9fe1-e23bbe20f858",
        "Description": "",
        "KeyManager": "CUSTOMER",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1528289057.531,
        "Arn": "arn:aws:kms:eu-west-1:123456789012:key/9bf76697-5b41-4caf-9fe1-e23bbe20f858",
        "AWSAccountId": "123456789012"
    }
}

4.    Associate the application-current alias to the new KMS key:

$$ aws kms update-alias --alias-name alias/application-current --target-key-id NEW_KMS_KEY_ID

5.    You have both the new and the current AWS KMS keys. Use the application-current key to encrypt data. AWS KMS automatically resolves the KMS key when it decrypts the data:

acbc32cf8f6f:~ $$ aws kms list-aliases --output text | grep application
ALIASES    arn:aws:kms:eu-west-1:123456789012:alias/application-20180606    alias/application-20180606    0987dcba-09fe-87dc-65ba-ab0987654321
ALIASES    arn:aws:kms:eu-west-1:123456789012:alias/application-current     alias/application-current     9b5d79d7-f04c-4b30-baf1-deed52a7cc97

Important: Keep the current KMS key as a backup to track when key rotation occurred or to roll back changes.

Note: Users with an existing key must copy that policy to the application-current key.

6.    Sign in to the KMS console and choose Customer managed keys.

7.    In Alias, choose the current key.

8.    In Key Policy, choose Switch to policy view.

9.    Copy the current policy, and then choose Customer managed keys.

10.    In Alias, choose application-current.

11.    In Key Policy, choose Edit, delete the application-current policy, paste the current policy, and then choose Save Changes.


Did this article help?


Do you need billing or technical support?