How to rotate AWS KMS key step by step guide

Data protection and security are at the core of any cloud-native enterprise application. One of the essential practices to ensure strong encryption is Key Rotation. In Amazon Web Services (AWS), this is managed through the AWS Key Management Service (KMS) — a fully managed service that makes it easy to create, control, and rotate cryptographic keys.

In this guide you’ll learn how to rotate an AWS KMS key, why it matters, and how to configure rotation step by step, whether you use the AWS Console or the AWS CLI. The guide is updated for 2025 and covers both automatic and manual key rotation strategies.

What Is AWS KMS?

AWS Key Management Service (KMS) is a fully managed service designed to help you create and manage encryption keys. It integrates tightly with over 100 AWS services such as S3, EBS, RDS, Lambda, and CloudTrail to provide data encryption at rest.

KMS supports:

  • Customer-managed keys (CMKs)
  • AWS-managed keys
  • Imported keys
  • Custom key stores using AWS CloudHSM

What Is Key Rotation?

Key Rotation is the process of replacing an existing cryptographic key with a new one at regular intervals. This ensures that even if a key is compromised, the damage is limited in time and scope.

Why Is Key Rotation Important?

Key rotation is a core best practice in cloud security and cryptographic management. Whether you’re securing sensitive data at rest or in transit, rotating your encryption keys regularly is like changing the locks on your digital doors — it ensures that access remains restricted to authorized entities only, even if old credentials are somehow exposed.

Let’s break down the main reasons why key rotation matters:

1. Enhanced Security

Over time, cryptographic keys can become vulnerable — especially if they’re overused or exposed. Here’s how rotation helps:

  • Shortens the exposure window: If a key is ever compromised (intentionally or by accident), rotating it minimizes the duration for which an attacker can misuse it.
  • Mitigates insider threats: Employees or third-party services with past access to older keys won’t be able to access new encrypted data once a rotation happens.
  • Limits the data protected by any one key: over time an attacker can accumulate ciphertext produced under a single key to attempt analysis; regular rotation cuts off this accumulation.

Real-world analogy: Think of key rotation like changing your ATM PIN every few months. Even if someone saw it once, they can’t use it indefinitely.

2. Regulatory Compliance

Data privacy laws and security frameworks are strict about how long encryption keys can be used. Failure to rotate keys periodically can lead to non-compliance, which may result in:

  • Hefty fines
  • Audits and penalties
  • Data breach liabilities

Here are a few regulations that require or recommend key rotation:

  • GDPR (EU) – Encourages state-of-the-art encryption practices.
  • HIPAA (U.S. Healthcare) – Mandates safeguarding PHI (Protected Health Information).
  • PCI-DSS (Payment Systems) – Requires regular key management and rotation.
  • FedRAMP / FISMA – Require secure lifecycle management for cryptographic keys.

Bottom line: If your business handles sensitive data, rotating encryption keys helps you stay on the right side of the law.

3. Auditability & Traceability

Key rotation improves your ability to monitor and track how keys are used:

  • Audit logs: Every rotation event is logged, making it easier to demonstrate due diligence during compliance checks or forensic investigations.
  • Historical access tracking: You can analyze which users or services accessed data with specific keys at certain times.
  • Separation of duties: With rotating keys and updated IAM policies, it becomes clearer who has access to what and when.

In practice: AWS KMS integrates with CloudTrail to log all key usage, including rotation events. This gives you full visibility for governance and auditing.

4. Operational Hygiene

Letting encryption keys sit unused or unchanged for years creates a security debt — a hidden risk that grows over time. Here’s how key rotation improves operations:

  • Reduces long-term exposure: Older keys may be forgotten but still active, increasing the attack surface.
  • Encourages proactive management: Teams who rotate keys regularly are more likely to keep their IAM roles, policies, and access controls up-to-date.
  • Supports key lifecycle policies: Key rotation fits into a larger key management lifecycle that includes creation, usage, revocation, deletion, and archival.

Think of it like spring cleaning for your data security environment — removing stale access paths and keeping things lean.

Types of AWS KMS Keys

  • AWS Managed Keys (aws/*): Created and managed by AWS. AWS rotates them automatically; you cannot change their rotation settings.
  • Customer Managed Keys (CMKs): Created and controlled by you. You can enable automatic key rotation.
  • Imported Keys: You supply the key material. Rotation must be managed manually.
  • Custom Key Store Keys: Backed by CloudHSM, offering more control and compliance.

AWS KMS Key Rotation Options

Rotation Type | Description                       | Suitable For
Automatic     | AWS rotates the key every 1 year  | Simpler use cases with CMKs
Manual        | You create and switch to new keys | Advanced use cases, imported keys

Step-by-Step Guide: Enable Automatic Key Rotation (AWS Console)

Step-by-Step Instructions:

  1. Log in to the AWS Console and open AWS KMS:
  2. Select Your Region:
    • In the top-right corner, choose the AWS Region where your key is located.
  3. Go to Customer Managed Keys:
    • From the left-hand navigation pane, click on “Customer managed keys.”
      (Note: AWS automatically rotates AWS-managed keys, so you can’t change their rotation settings.)
  4. Choose Your Key:
    • Click on the alias or Key ID of the symmetric KMS key you want to rotate.
  5. Open the Key Rotation Tab:
    • Select the “Key rotation” tab.
      (This tab only appears for symmetric keys whose key material was generated in KMS, not for asymmetric keys, imported keys, HMAC keys, or keys in custom key stores.)
  6. Click Edit in the Rotation Section:
    • Under “Automatic key rotation,” click “Edit.”
  7. Enable Automatic Rotation:
    • Check the box for “Enable” to turn on key rotation.
    ⚠️ Note: If the key is currently disabled or pending deletion, you won’t be able to turn on rotation. You’ll first need to enable it or cancel the deletion.
  8. (Optional) Set a Custom Rotation Period:
    • By default, AWS will rotate the key every 365 days (1 year).
    • If needed, you can change this to any number of days between 90 and 2560.
  9. Save Your Changes:
    • Click “Save” to apply automatic rotation to the selected key.

Additional Notes:

  • This feature only works with symmetric KMS keys whose key material was generated by KMS (origin: AWS_KMS).
  • Asymmetric and imported keys must be rotated manually.
  • Always review your key policies before applying rotation.

Behind the scenes:

AWS retains all key versions. When a new key version is generated, AWS continues to decrypt old data using the earlier versions.

Enable Key Rotation via AWS CLI

aws kms enable-key-rotation --key-id <your-key-id>

To check if key rotation is enabled:

aws kms get-key-rotation-status --key-id <your-key-id>
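Added example (not from the original guide): a Python script that turns the single-key get-key-rotation-status check into an account-wide audit of the kind an AWS Config rule performs, applying the same eligibility rules as the console (symmetric, KMS-generated material, enabled), plus a remediation helper that enables rotation with a period in the 90 to 2560 day range. It assumes boto3 for a live run; the kms argument is any object exposing the boto3 KMS client methods used, so the logic can also be exercised against a fake client.

```python
"""Account-wide audit of automatic rotation on customer managed keys.

Added example, not from the original guide; it generalises the single-key
``get-key-rotation-status`` check above into the kind of rule AWS Config
applies. ``kms`` is any object with the boto3 KMS client methods used here.
"""
from __future__ import annotations

ROTATION_MIN_DAYS, ROTATION_MAX_DAYS = 90, 2560  # KMS's allowed range


def eligibility(meta: dict) -> str | None:
    """Return None if automatic rotation can apply to this key, else why not.

    Mirrors the console rule: symmetric keys with KMS-generated material only.
    """
    if meta["KeyManager"] != "CUSTOMER":
        return "aws/* key: rotated by AWS, not configurable"
    if meta["KeySpec"] != "SYMMETRIC_DEFAULT":
        return f"{meta['KeySpec']} key: rotate manually"
    if meta["Origin"] != "AWS_KMS":
        return f"origin {meta['Origin']}: rotate manually"
    if meta["KeyState"] != "Enabled":
        return f"state {meta['KeyState']}: enable or cancel deletion first"
    return None


def audit_rotation(kms) -> dict:
    """Sort every key into rotated / unrotated / ineligible (with reason)."""
    report = {"rotated": [], "unrotated": [], "ineligible": []}
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            reason = eligibility(meta)
            if reason:
                report["ineligible"].append((meta["KeyId"], reason))
                continue
            status = kms.get_key_rotation_status(KeyId=meta["KeyId"])
            bucket = "rotated" if status["KeyRotationEnabled"] else "unrotated"
            report[bucket].append(meta["KeyId"])
    return report


def enable_rotation(kms, key_ids, period_days: int = 365) -> list:
    """Remediate: turn on rotation with a period in the 90..2560-day range."""
    if not ROTATION_MIN_DAYS <= period_days <= ROTATION_MAX_DAYS:
        raise ValueError(f"period must be {ROTATION_MIN_DAYS}..{ROTATION_MAX_DAYS} days")
    for key_id in key_ids:
        kms.enable_key_rotation(KeyId=key_id, RotationPeriodInDays=period_days)
    return list(key_ids)


if __name__ == "__main__":
    import boto3
    import json

    print(json.dumps(audit_rotation(boto3.client("kms")), indent=2))
```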

How to Rotate AWS KMS Key Manually?

Manual key rotation means creating a new KMS key to replace an existing one and updating your applications (or the alias they use) to use the new key. AWS recommends it when:

  • You use asymmetric or HMAC keys
  • Your KMS keys are in custom key stores
  • You’re dealing with multi-Region keys with imported key material
  • You simply want full control over your rotation process

💡 Important: Always keep the original KMS key enabled to decrypt existing data.

Pre-requisites

Before you start:

  • Ensure you have AWS CLI installed and configured.
  • You must have the necessary IAM permissions (kms:ListAliases, kms:UpdateAlias, etc.).
  • Have the alias in place for your existing KMS key (e.g., alias/TestKey).

Step-by-Step Guide to Manually Rotate AWS KMS Key

Step 1: Identify the Existing KMS Key and Alias

Use this command to list the current key associated with your alias:

aws kms list-aliases --query 'Aliases[?AliasName==`alias/TestKey`]'

Example Output:

{
    "Aliases": [
        {
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/TestKey",
            "AliasName": "alias/TestKey",
            "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
            "CreationDate": 1521097200.123,
            "LastUpdatedDate": 1521097200.123
        }
    ]
}

This tells you which key is currently used under the alias alias/TestKey.

Step 2: Create a New KMS Key

Create a new symmetric KMS key:

aws kms create-key --description "Rotated key for alias/TestKey"

You’ll receive output with the new KeyId, something like:

{
  "KeyMetadata": {
    "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
    ...
  }
}

Step 3: Update the Alias to Point to the New Key

Now let’s update the alias to use the new key:

$ aws kms update-alias --alias-name alias/TestKey --target-key-id 0987dcba-09fe-87dc-65ba-ab0987654321

This won’t return any output, so verify with:

$ aws kms list-aliases --query 'Aliases[?AliasName==`alias/TestKey`]'
{
    "Aliases": [
        {
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/TestKey",
            "AliasName": "alias/TestKey",
            "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
            "CreationDate": 1521097200.123,
            "LastUpdatedDate": 1604958290.722
        }
    ]
}

Check that the TargetKeyId now reflects the new key ID.

Step 4: Update Your Application (If Needed)

If your application uses aliases (like alias/TestKey) for cryptographic operations (Encrypt, GenerateDataKey, etc.), it’ll automatically start using the new key—no code change needed.

However, if your app uses the direct Key ID or ARN, update those references manually in your app or configuration files.

Best Practice: Always use aliases in applications. It makes manual rotation smoother and safer.

Step 5: Test Your Application

Before deactivating the old key, ensure:

  • New encryption works with the new key.
  • Old data encrypted with the previous key can still be decrypted.

This step is critical. Don’t rush it.

Step 6: Keep the Old Key Enabled (Temporarily)

As a safety measure, keep the old KMS key enabled until you’re sure that all encrypted data has been migrated or re-encrypted using the new key.

If needed, you can disable or schedule deletion of the old key later.
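The six steps above as one scripted workflow, added here as an example and not code from the original guide. It uses boto3 for a live run; the kms argument is any object with the boto3 KMS client methods called, and the encrypt/decrypt probe assumes the caller has kms:Encrypt and kms:Decrypt on both keys.

```python
"""Manual KMS rotation by alias swap, following Steps 1-6 above.

Added example, not from the original guide. ``kms`` is any object with
the boto3 KMS client methods used here (a real ``boto3.client("kms")``
performs the rotation; a fake client lets the logic be tested offline).
"""
from __future__ import annotations

import sys


def current_target(kms, alias_name: str) -> str:
    """Step 1: resolve the key ID an alias currently points to."""
    for page in kms.get_paginator("list_aliases").paginate():
        for alias in page["Aliases"]:
            if alias["AliasName"] == alias_name:
                return alias["TargetKeyId"]
    raise LookupError(f"{alias_name} does not exist in this Region")


def rotate_alias(kms, alias_name: str, description: str) -> dict:
    """Steps 2-6: new key, alias swap, round-trip checks, old key untouched."""
    old_key = current_target(kms, alias_name)
    probe = b"rotation-probe"
    # Ciphertext produced under the OLD key before the swap; Step 5 must
    # prove it still decrypts afterwards.
    legacy = kms.encrypt(KeyId=old_key, Plaintext=probe)["CiphertextBlob"]

    # Steps 2 and 3: create the replacement and repoint the alias.
    new_key = kms.create_key(Description=description)["KeyMetadata"]["KeyId"]
    kms.update_alias(AliasName=alias_name, TargetKeyId=new_key)
    if current_target(kms, alias_name) != new_key:
        raise RuntimeError("alias did not move to the new key")

    # Step 5a: encrypting through the alias now lands on the new key.
    fresh = kms.encrypt(KeyId=alias_name, Plaintext=probe)
    if not fresh["KeyId"].endswith(new_key):
        raise RuntimeError("alias still encrypts with the old key")

    # Step 5b: symmetric Decrypt needs no KeyId; KMS reads the key from the
    # ciphertext metadata, so the old ciphertext must resolve to the old key.
    dec = kms.decrypt(CiphertextBlob=legacy)
    if dec["Plaintext"] != probe or not dec["KeyId"].endswith(old_key):
        raise RuntimeError("legacy ciphertext no longer decrypts")

    # Step 6: only report the old key's state, never disable it here.
    old_state = kms.describe_key(KeyId=old_key)["KeyMetadata"]["KeyState"]
    return {"alias": alias_name, "old_key_id": old_key,
            "new_key_id": new_key, "old_key_state": old_state}


if __name__ == "__main__":
    import boto3  # only needed for a live run

    alias = sys.argv[1] if len(sys.argv) > 1 else "alias/TestKey"
    print(rotate_alias(boto3.client("kms"), alias, f"Rotated key for {alias}"))
```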

Things to Keep in Mind

Aliases are not allowed in operations like DisableKey or ScheduleKeyDeletion.

For asymmetric or HMAC keys, always use the actual KeyId in Decrypt/Verify commands.

For Decrypt with symmetric keys, you can omit the KeyId—AWS KMS will figure out the right one.

When Should You Use Manual Rotation?

Manual key rotation is ideal when:

  • You require complete control over key lifecycle
  • Automatic rotation isn’t supported for your key type
  • You want multi-Region support with imported key material
  • You’re managing compliance or audit requirements for your environment

Real-World Example

Let’s say you have an app that encrypts user uploads using alias/TestKey. After following the above steps:

  • Your app automatically starts using the new key
  • Old files can still be decrypted since the original key is still active
  • You stay secure, compliant, and up-to-date

Manual rotation of AWS KMS keys may sound technical—but with a little planning and some AWS CLI commands, it’s actually quite straightforward. It gives you full control over your cryptographic lifecycle and helps meet high security standards.

Monitoring Key Usage and Rotation

Use AWS CloudTrail:

  • Monitor all key usage events
  • Ensure no unauthorized access
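Added example, not from the original guide: a small triage over CloudTrail records that separates rotation-hygiene changes to alert on (rotation disabled, alias repointed, key disabled or scheduled for deletion) from routine lifecycle evidence (RotateKey, EnableKeyRotation, CreateKey). The log records are constructed to mimic CloudTrail's file shape and are not real events.

```python
"""Triage KMS key-lifecycle events from a CloudTrail log file.

Added example, not from the original guide. SAMPLE_LOG is a constructed
stand-in for a CloudTrail JSON file ({"Records": [...]}) with only the
fields read here filled in; the event names are the KMS API actions that
CloudTrail records for rotation, alias and deletion activity.
"""
import json

# Changes to key hygiene: page someone to confirm each was a planned change.
ALERT_EVENTS = {
    "DisableKeyRotation": "automatic rotation switched off",
    "UpdateAlias": "alias repointed; confirm it was a planned manual rotation",
    "DisableKey": "key disabled; data under it becomes unreadable",
    "ScheduleKeyDeletion": "key scheduled for deletion",
}
# Routine lifecycle events worth keeping as evidence for audits.
EVIDENCE_EVENTS = {"RotateKey", "EnableKeyRotation", "CreateKey"}

SAMPLE_LOG = json.dumps({"Records": [  # constructed, not real CloudTrail output
    {"eventTime": "2025-01-10T02:00:11Z", "eventSource": "kms.amazonaws.com",
     "eventName": "RotateKey", "userIdentity": {"type": "AWSService"},
     "resources": [{"ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}]},
    {"eventTime": "2025-01-10T09:15:42Z", "eventSource": "kms.amazonaws.com",
     "eventName": "UpdateAlias", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {"aliasName": "alias/TestKey", "targetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"}},
    {"eventTime": "2025-01-10T09:20:03Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DisableKeyRotation", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {"keyId": "0987dcba-09fe-87dc-65ba-ab0987654321"}},
    {"eventTime": "2025-01-10T09:21:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"type": "IAMUser"}},
]})


def key_of(rec: dict) -> str:
    """Best-effort key reference: request parameter first, then resource ARN."""
    params = rec.get("requestParameters") or {}
    for field in ("keyId", "targetKeyId", "aliasName"):
        if field in params:
            return params[field]
    resources = rec.get("resources") or [{}]
    return resources[0].get("ARN", "unknown")


def triage(log_text: str) -> tuple:
    """Split a log file's KMS records into alerts (dicts) and evidence (tuples)."""
    alerts, evidence = [], []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # other services' events are out of scope here
        name, ident = rec["eventName"], rec.get("userIdentity", {})
        actor = ident.get("arn", ident.get("type", "unknown"))
        if name in ALERT_EVENTS:
            alerts.append({"time": rec["eventTime"], "event": name, "actor": actor,
                           "key": key_of(rec), "why": ALERT_EVENTS[name]})
        elif name in EVIDENCE_EVENTS:
            evidence.append((rec["eventTime"], name, key_of(rec)))
    return alerts, evidence
```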

Use CloudWatch Metrics:

  • KMSKeyUsage
  • KMSRequestCount

AWS Config:

  • Use Config Rules to verify that keys have rotation enabled.

Common Issues and Troubleshooting

Issue                                     | Solution
Rotation not working                      | Check if it’s a CMK. Automatic rotation works only on CMKs
Data not accessible after manual rotation | Ensure all services are updated to use the new key
CLI shows error on key-id                 | Use correct ARN format or alias name
Re-encryption is slow                     | Consider parallelizing data transformation pipelines

AWS KMS Key Rotation Best Practices (2025)

When managing data encryption in AWS, ensuring the security and lifecycle of your encryption keys is critical. AWS Key Management Service (KMS) provides robust capabilities for managing encryption keys, including key rotation. Here are the most up-to-date best practices for 2025 to securely rotate your keys and maintain operational continuity.

1. Always Use Customer Managed Keys (CMKs) for Custom Encryption Needs

While AWS-managed keys are convenient, they come with limited flexibility and control. For applications with specific compliance, access control, or audit requirements, Customer Managed Keys (CMKs) are essential. CMKs allow you to:

  • Define fine-grained access permissions using AWS IAM policies.
  • Enable automatic rotation policies.
  • Set up multi-region replication and usage.

By using CMKs, you retain full control over the key lifecycle, including rotation, deletion, tagging, and audit logging—crucial for maintaining compliance in enterprise environments.

2. Enable Automatic Key Rotation Where Possible

AWS KMS supports automatic key rotation for symmetric CMKs. Enabling this feature generates new cryptographic key material every 365 days by default, without disrupting your services.

Why it’s important:

  • Enhances security without manual intervention.
  • Retains previous key versions for decryption of old data.
  • Helps you meet compliance standards such as PCI-DSS, ISO, and HIPAA.

To enable this in the AWS Console:

  • Go to KMS → Customer managed keys.
  • Select your CMK.
  • Under the Key rotation tab, check “Automatically rotate this CMK every year.”

Note: Automatic rotation is only available for symmetric CMKs, not asymmetric keys.

3. Regularly Audit Key Policies and Access Controls

Key misuse often stems from overly permissive IAM policies. Conduct periodic reviews of:

  • Key policies (who can administer and use the key).
  • Grants (temporary permissions assigned to services or users).
  • IAM roles and users that have access to sensitive keys.

Use AWS IAM Access Analyzer or tools like Prowler to scan for misconfigurations or unnecessary access.

Best practices include:

  • Grant access on the principle of least privilege.
  • Limit administrative access.
  • Use resource-based policies when sharing across accounts.

4. Use Aliases to Simplify Key Rotation and Updates

Aliases are like friendly names for your KMS keys. Instead of referencing a long key ID, your application can point to an alias (e.g., alias/payment-key). When you rotate or replace the CMK, you can update the alias to point to the new key, without updating your code or services.

Benefits of using aliases:

  • Decouple application logic from key identifiers.
  • Simplify operational management during manual rotation.
  • Enable smoother CI/CD deployments.

Tip: Always create an alias as soon as you generate a new CMK for easier future updates.

5. Avoid Sharing Key Material Externally

Exporting key material defeats the purpose of a managed KMS. Avoid sharing or transferring KMS keys to third parties unless you’re explicitly operating an External Key Store (XKS) with the specialised configuration it requires.

Instead:

  • Use AWS CloudHSM if you require FIPS 140-2 Level 3 compliance with full key control.
  • Use AWS multi-account strategies and key grants to share securely across environments.

Maintaining the key material within the AWS KMS boundary ensures that AWS’s security guarantees remain intact.

6. Tag Your Keys for Better Traceability and Management

Tags help you categorize, filter, and audit keys across your AWS environment. Use tagging consistently to improve governance.

Common tagging patterns:

  • Environment: dev, test, prod
  • Application: billing, orders, authentication
  • Compliance: GDPR, HIPAA, PCI
  • Owner: devops-team, security-team

Tags make it easier to:

  • Manage costs via cost allocation reports.
  • Enforce policies using AWS Organizations SCPs.
  • Search and group keys using AWS CLI and SDKs.

7. Use Multi-Region Keys for Cross-Region Applications

With AWS KMS multi-region keys, you can replicate your CMKs securely across AWS regions to maintain high availability and data resilience.

Use cases include:

  • Cross-region S3 replication.
  • Disaster recovery and failover strategies.
  • Multi-region microservices architecture.

Advantages:

  • Ensures consistent key identifiers across regions.
  • Simplifies global encryption operations.
  • Automatically synchronizes key material and metadata.

You can create a multi-Region primary key and then replicate it to other Regions using the AWS KMS console or CLI.

Conclusion

AWS KMS Key Rotation is not just a technical configuration — it’s a critical security best practice. Whether you automate it or manage it manually, rotating keys regularly minimizes security risks and improves compliance posture.

By following this tutorial, you can set up both automatic and manual key rotation strategies confidently. And by leveraging Terraform, CloudTrail, and CloudWatch, you can ensure your encryption strategy is robust, observable, and secure.

FAQs

Q1. What is AWS KMS Key Rotation?

AWS KMS Key Rotation is the process of periodically changing the cryptographic keys used to protect your data. It enhances security by reducing the chances of key compromise over time.

Q2. What’s the difference between automatic and manual key rotation in AWS KMS?

  • Automatic rotation applies to symmetric customer managed keys (CMKs) and generates new key material every 365 days by default.
  • Manual rotation means creating a new customer managed key yourself and repointing aliases or applications to it, giving you full control over when and how the key is rotated; it is the only option for key types that automatic rotation does not support.

Q3. Will rotating a KMS key affect my encrypted data?

No. Encrypted data remains accessible because AWS KMS retains previous key versions. However, new encryptions will use the latest key, while old ones continue to be decrypted with their original versions.

Q4. How can I verify if a key has been successfully rotated?

You can check the key metadata in the AWS KMS console or run the CLI command:
aws kms describe-key --key-id <key-id>
Then look for KeyRotationEnabled in the output of get-key-rotation-status (shown earlier) and at the creation dates of the key versions.

Q5. Does manual key rotation require updating the applications using the key?

Yes, if your application refers to specific key IDs, you must update them to use the new key ARN. However, if you use aliases, you can simply repoint the alias to the new key without modifying the application code.

Q6. Can I delete the old KMS key after rotation?

Not immediately. AWS enforces a minimum 7-day waiting period before deletion. Also, ensure all data encrypted with the old key has been re-encrypted with the new one or is no longer needed.

Q7. How often should I rotate customer-managed KMS keys?

Best practices suggest rotating keys every 6–12 months, depending on your security policy, compliance requirements, and application usage patterns.

Q8. Can I automate manual key rotation using scripts or Terraform?

Yes! You can use AWS CLI, Boto3 (Python SDK), or Terraform to automate key creation, alias swapping, and policy updates as part of a custom rotation workflow.

Q9. Is KMS key rotation a requirement for compliance (e.g., PCI-DSS, HIPAA)?

Yes. Many compliance standards recommend or require key rotation at defined intervals. AWS KMS key rotation helps you meet audit and compliance needs with better key lifecycle control.


Discover more from DevOpsHowTo.Com
