How can I manually rotate customer managed CMKs in AWS KMS?

Last updated: 2019-04-12

AWS Key Management Service (AWS KMS) rotates customer master keys (CMKs) automatically once per year. How can I manually rotate CMKs before they're automatically rotated once per year?

Resolution

Use manual key rotation to create a new CMK to replace the current CMK.

This example shows how to rotate out your current CMK by creating a new CMK and moving a stable alias to it.

Important: Before you begin, you must have the AWS Command Line Interface (AWS CLI) installed and configured.

1.    Create an alias named application-current, and then attach it to the current CMK:

acbc32cf8f6f:~ $ aws kms create-alias --alias-name alias/application-current --target-key-id 0987dcba-09fe-87dc-65ba-ab0987654321
acbc32cf8f6f:~ $ aws kms list-aliases --output text | grep application
ALIASES    arn:aws:kms:eu-west-1:123456789012:alias/application-current    alias/application-current    0987dcba-09fe-87dc-65ba-ab0987654321

2.    Create a second alias named "application-20180606" for the CMK that is about to be rotated out; its name includes the rotation date (in this example, "2018-06-06"). The CMK now has two aliases:

acbc32cf8f6f:~ $ aws kms create-alias --alias-name alias/application-20180606 --target-key-id 0987dcba-09fe-87dc-65ba-ab0987654321
acbc32cf8f6f:~ $ aws kms list-aliases --output text | grep application
ALIASES    arn:aws:kms:eu-west-1:123456789012:alias/application-20180606    alias/application-20180606    0987dcba-09fe-87dc-65ba-ab0987654321
ALIASES    arn:aws:kms:eu-west-1:123456789012:alias/application-current     alias/application-current     0987dcba-09fe-87dc-65ba-ab0987654321

3.    Create a new CMK similar to the following:

acbc32cf8f6f:~ $ aws kms create-key
{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "9bf76697-5b41-4caf-9fe1-e23bbe20f858",
        "Description": "",
        "KeyManager": "CUSTOMER",
        "Enabled": true,
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1528289057.531,
        "Arn": "arn:aws:kms:eu-west-1:123456789012:key/9bf76697-5b41-4caf-9fe1-e23bbe20f858",
        "AWSAccountId": "123456789012"
    }
}

4.    Point the application-current alias at the new CMK (replace NEW_KMS_KEY_ID with the KeyId returned by create-key):

$ aws kms update-alias --alias-name alias/application-current --target-key-id NEW_KMS_KEY_ID

5.    You now have both the new and the previous CMKs. Use the application-current alias to encrypt new data. Decryption does not need the alias: AWS KMS identifies the CMK from the ciphertext, so data encrypted under the previous CMK still decrypts as long as that key stays enabled:

acbc32cf8f6f:~ $ aws kms list-aliases --output text | grep application
ALIASES    arn:aws:kms:eu-west-1:123456789012:alias/application-20180606    alias/application-20180606    0987dcba-09fe-87dc-65ba-ab0987654321
ALIASES    arn:aws:kms:eu-west-1:123456789012:alias/application-current     alias/application-current     9b5d79d7-f04c-4b30-baf1-deed52a7cc97

Important: Keep the previous CMK (now aliased application-20180606) as a backup so that you can track when key rotation occurred or roll back the change.

Note: If the previous CMK has a customized key policy, you must copy that policy to the new application-current key, because a newly created CMK starts with the default key policy.

6.    Sign in to the KMS console and choose Customer managed keys.

7.    In Alias, choose the current key.

8.    In Key Policy, choose Switch to policy view.

9.    Copy the current policy, and then choose Customer managed keys.

10.   In Alias, choose application-current.

11.   In Key Policy, choose Edit, delete the application-current policy, paste the current policy, and then choose Save Changes.
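The CLI steps above, plus the console policy copy (steps 6 through 11) done with get-key-policy/put-key-policy, as an added example script that is not part of the original article. It assumes the alias prefix "application", the key policy name "default", and an AWS CLI already configured for the target account and region; the date-stamp and alias-parsing helpers are pure and can be tried without AWS access.

```shell
#!/bin/sh
# Added example: manual CMK rotation with the AWS CLI (not from the original article).
set -eu

ALIAS_PREFIX="${ALIAS_PREFIX:-application}"          # assumed prefix
CURRENT_ALIAS="alias/${ALIAS_PREFIX}-current"

# Build the date-stamped alias the old key keeps, e.g. alias/application-20180606.
dated_alias() {   # $1 = rotation date as YYYY-MM-DD
    printf 'alias/%s-%s\n' "$ALIAS_PREFIX" "$(printf '%s' "$1" | tr -d -)"
}

# Resolve the key ID behind an alias from `aws kms list-aliases --output text`.
# Each text line is: ALIASES <AliasArn> <AliasName> <TargetKeyId>. Fails if absent.
key_id_for_alias() {   # $1 = alias name, stdin = list-aliases text output
    awk -v a="$1" '$1 == "ALIASES" && $3 == a { print $4; found = 1 } END { exit !found }'
}

rotate() {
    today="$(date +%F)"
    old_key="$(aws kms list-aliases --output text | key_id_for_alias "$CURRENT_ALIAS")"

    # Step 2: keep a dated alias on the key being rotated out.
    aws kms create-alias --alias-name "$(dated_alias "$today")" --target-key-id "$old_key"

    # Step 3: create the replacement CMK and capture its KeyId.
    new_key="$(aws kms create-key --description "${ALIAS_PREFIX} rotated ${today}" \
               --query KeyMetadata.KeyId --output text)"

    # Steps 6-11 via the CLI: carry the previous key's policy over to the new key.
    # Note: IAM policies and grants that name the old key ARN are not covered by this.
    policy_file="$(mktemp)"
    aws kms get-key-policy --key-id "$old_key" --policy-name default --output text > "$policy_file"
    aws kms put-key-policy --key-id "$new_key" --policy-name default --policy "file://$policy_file"
    rm -f "$policy_file"

    # Step 4: move the stable alias to the new key, then verify as in step 5.
    aws kms update-alias --alias-name "$CURRENT_ALIAS" --target-key-id "$new_key"
    aws kms list-aliases --output text | grep "${ALIAS_PREFIX}-"
}

# Only rotate when explicitly asked, so the file can be sourced for its helpers.
if [ "${1:-}" = "rotate" ]; then
    rotate
fi
```

Run it as `sh rotate-cmk.sh rotate` once the pure helpers have been checked; the old key stays enabled under its dated alias for rollback.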
