How-To

Automatically Rotating Amazon Key Management Service Keys

• By Brien Posey
• 01/31/2022

One of Amazon's longstanding best practices for its Key Management Service in the AWS cloud is to rotate keys on a periodic basis. This causes the key material used for cryptographic operations to be changed, thus helping to ensure that encrypted items remain private. However, although the key material is changed when a key is rotated, other attributes such as the key's ID, ARN, policies and permissions are not changed. This means that you can rotate keys without having to worry about updating your applications as would be required if you were replacing the key.

In many cases, you can configure KMS to automatically rotate keys on an annual basis. That way, you don't have to worry about remembering to rotate keys or spending time manually performing key rotations. Even so, there are a couple of limitations that you need to be aware of.

First, keys are classified as either AWS Managed or as Customer Managed. You are able to enable or disable the rotation of Customer Managed keys, but you cannot change key rotation settings for Amazon Managed keys.

Another limitation is that assuming that you are working within the GUI interface, key rotation is managed on a key-by-key basis. Amazon provides bulk actions for things like enabling or deleting keys or scheduling key deletion, but there is no bulk action for enabling or disabling key rotation.

You can enable or disable the rotation of AWS keys by logging into the AWS Management Console and then opening the Key Management Service console. You can find the Key management Service listed within the Service list's Security, Identity and Compliance section.

Once the console opens, verify that you are in the correct region and then click on the Customer Managed Keys tab. This will take you to the Customer Managed Keys screen, which you can see in Figure 1. As you can see in the figure, this screen lists all of the Customer Managed keys that exist in the current region.

To change the key rotation settings for a key, click on either the key's Key ID or its alias. This will cause AWS to display the key policy and other key details. As you can see in Figure 2, there is a row of tabs about half way down the screen, and one of those tabs is called Key Rotation. Select the Key Rotation tab.

If a key is eligible for automatic rotation, then you will find a checkbox on the Key Rotation tab that you can select in order to automatically rotate they key on an annual basis. You can see what this looks like in Figure 3. Simply select the checkbox and click the Save button.

You may occasionally find that the Key Management tab is missing. If that happens, then go back to the screen shown in Figure 1 and take a look at the Key Spec column. This column should contain a value of SYMMETRIC_DEFAULT. This indicates that the key is a symmetric, single encryption key that can be used for both encryption and decryption operations. The reason why this is important is because automatic rotation can only be enabled or disabled for symmetric keys. You cannot change the automatic rotation settings for asymmetric keys. Instead, AWS displays a Public Key tab in place of the Key Rotation tab. You can see the tabs that exist for asymmetric keys in Figure 4.

It is worth noting that asymmetric keys are not the only type of keys for which automatic key rotation is not supported. You won't be able to use automatic key rotation for any key that contains imported material or that resides in a custom key store. Even so, you can manually rotate such keys.