KMS allows you to rotate keys between key versions to enhance the security of key use and business data encryption. This section introduces how to configure the rotation of symmetric and asymmetric keys.
Benefits of Key Rotation
Cryptographic compliance requirements
According to the specifications in relevant industry standards, keys must be rotated periodically.
Reduce the amount of data that is encrypted by using each key, which mitigates the risk of cryptanalysis attacks.
The security of a key is inversely related to the amount of data that is encrypted by using the key. In most cases, the amount refers to the total number of bytes that are encrypted by using a key. Regular rotation reduces the attack surface of each key and improves the security of key-based encryption solutions.
Reduce the time window during which a key can be cracked.
After key rotation is enabled, data that would otherwise be encrypted by using the existing key version is encrypted by using the new key version instead. The key rotation interval is therefore the time window during which a given key version can be cracked: an attacker gains access to the data only by cracking a key version within the interval between two rotation operations. This greatly increases the security of data against cryptanalytic attacks.
Key Version Overview
KMS supports multiple versions of keys for CMKs. Each key version is independently generated, and multiple key versions under the same CMK are cryptographically unrelated.
Symmetric Key Version
A key version can be automatically generated by the system through the automatic rotation policy.
A symmetric key version contains a primary version and multiple non-primary versions. After a key is created, KMS generates an initial key version and sets the initial key version to the primary version. After the key is rotated, KMS generates a new key version and sets the new key version to the primary version.
When the symmetric key is called for encryption and decryption operations, KMS uses the primary version by default.
KMS does not delete or disable non-primary versions after a new primary version is generated by key rotation; these non-primary versions remain available to decrypt data that was encrypted by using them.
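The primary/non-primary behaviour described above, modelled as an added example that is not code from the page or from any KMS SDK: the ciphertext carries the version ID of the key version that produced it, encryption always uses the primary version, and versions created before a rotation remain usable for decryption. The cipher itself (an HMAC-SHA256 keystream plus an HMAC tag) is an assumed stand-in for the service's real symmetric algorithm so the example runs offline; the key ID and version IDs are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Constructed stand-in for the real KMS cipher: counter-mode keystream from HMAC-SHA256.
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


@dataclass
class SymmetricCMK:
    key_id: str
    versions: dict = field(default_factory=dict)  # version_id -> key material
    primary: str = ""

    def rotate(self) -> str:
        """Generate a new version and make it primary; older versions are kept, not disabled."""
        vid = os.urandom(8).hex()  # 16-character constructed version ID
        self.versions[vid] = os.urandom(32)
        self.primary = vid
        return vid

    def encrypt(self, plaintext: bytes) -> bytes:
        # Encryption always uses the primary version; its ID is written into the
        # ciphertext header so decryption can locate the matching key material.
        vid, nonce = self.primary, os.urandom(12)
        key = self.versions[vid]
        body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
        tag = hmac.new(key, vid.encode() + nonce + body, hashlib.sha256).digest()
        return vid.encode() + nonce + body + tag

    def decrypt(self, blob: bytes) -> bytes:
        vid = blob[:16].decode()
        key = self.versions[vid]  # a non-primary version decrypts its own ciphertexts
        nonce, body, tag = blob[16:28], blob[28:-32], blob[-32:]
        expected = hmac.new(key, vid.encode() + nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext integrity check failed")
        return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def create_symmetric_cmk(key_id: str) -> SymmetricCMK:
    cmk = SymmetricCMK(key_id)
    cmk.rotate()  # the initial version is created and set as primary
    return cmk


def demo() -> tuple:
    cmk = create_symmetric_cmk("cmk-demo")
    v1 = cmk.primary
    before = cmk.encrypt(b"record written before rotation")
    v2 = cmk.rotate()
    after = cmk.encrypt(b"record written after rotation")
    return (v1 != v2, len(cmk.versions), cmk.decrypt(before), cmk.decrypt(after), after[:16].decode() == v2)
```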
Asymmetric Key Version
Asymmetric keys do not support automatic rotation. You need to manually create a new key version, which will take effect immediately after creation.
Asymmetric CMKs do not have a primary key version. Therefore, you must specify the corresponding CMK ID or CMK alias and a key version if you need to call the APIs related to asymmetric keys.
Operation Steps
Configure Automatic Rotation (Symmetric Keys)
1. Log in to the KMS console.
2. In the navigation bar at the top of the page, select the region where the key is located.
3. In the left navigation bar, click KMS to enter the key list.
4. Locate the symmetric key and click the key ID to go to the Key Details page.
5. In the Key Version area, click Configure Rotation Policy.
6. In the Configure Rotation Policy dialog box, select the rotation period: 30 days, 90 days, 180 days, or Customize.
7. After the automatic rotation policy is configured, the next rotation time of the key is displayed. Click OK.
8. You can change the rotation period or cancel the rotation policy by following the same steps.
Create a Key Version (Asymmetric Keys)
1. Log in to the KMS console.
2. In the navigation bar at the top of the page, select the region where the key is located.
3. In the left navigation bar, click KMS to enter the key list.
4. Locate the asymmetric key and click the key ID to go to the Key Details page.
5. In the Key Version area, click Create Key Version.
6. Click OK in the pop-up dialog box.
7. In the key version list, view the key version ID and creation date. Click View Public Key; in the pop-up dialog box, you can copy or download the public key.