CodeWisdom

AWS KMS Key Rotation: What Actually Happens and What Doesn't

3 min readCloud Infrastructure

KMS automatic key rotation creates new key material but doesn't re-encrypt existing data. Understanding how key versions work — and what rotation actually protects against — prevents misconfigured key management in production.

awskmssecurityencryption

How KMS keys actually work: envelope encryption

KMS does not directly encrypt your application data. For large data (S3 objects, RDS storage, Secrets Manager values), it uses envelope encryption:

  1. KMS generates a data key — a symmetric key used to encrypt the actual data.
  2. KMS encrypts the data key using your KMS key (the CMK — customer master key).
  3. The encrypted data key is stored alongside the encrypted data.
  4. To decrypt: send the encrypted data key to KMS, get back the plaintext data key, use it to decrypt the data.
[Your data] → encrypted with data key → [Encrypted data]
[Data key]  → encrypted with KMS CMK  → [Encrypted data key, stored with data]

The KMS key itself never leaves AWS infrastructure. What leaves KMS is only the plaintext data key (over TLS, used in memory to encrypt/decrypt), never the CMK.

Key rotation and key versions

ConceptAWS Security

When you rotate a KMS key, AWS creates new key material (a new cryptographic key). The existing key material is retained as an older key version. Data encrypted under the old version can still be decrypted — KMS tracks which key version encrypted what.

Prerequisites

  • symmetric encryption
  • AWS IAM
  • envelope encryption

Key Points

  • Automatic rotation creates a new key version annually. Old versions are retained for decryption.
  • Rotation does NOT re-encrypt existing data. Data encrypted with the old version stays that way.
  • New encryption operations use the latest key version.
  • KMS tracks which key version was used to encrypt each data key — you do not need to manage this.

What rotation protects against

Key rotation limits the blast radius if key material is ever compromised. If an attacker obtained the old key material, they could decrypt data encrypted under that version — but only that version. Data encrypted after the rotation is protected by the new key material.

It does not protect against:

  • An attacker with access to your AWS account who can call kms:Decrypt directly — that is an IAM problem.
  • Data already encrypted under the old key version, if the old key material was compromised before rotation.

Rotation is a defense-in-depth measure, not a substitute for access control.

Automatic vs manual rotation

Automatic rotation (enable with one flag, rotates annually):

aws kms enable-key-rotation --key-id <key-id>

AWS generates new key material once per year. The old key material is retained to decrypt data encrypted under it. You do not manage key versions explicitly.

Manual rotation (create a new key, re-point references):

For customer-managed keys where you need to rotate more frequently, or when you want to change the key algorithm, you create a new KMS key and update all references (aliases, encryption configurations) to point to the new key. The old key must remain enabled until all data encrypted under it is re-encrypted or deleted.

# Create a new key
aws kms create-key --description "my-service-key-v2"

# Update the alias to point to the new key
aws kms update-alias --alias-name alias/my-service-key --target-key-id <new-key-id>

Services using the alias automatically switch to the new key for new encryption operations. Existing data remains encrypted under the old key until you re-encrypt it explicitly.

KMS with Secrets Manager

When you store a secret in Secrets Manager with KMS encryption:

  1. Secrets Manager calls kms:GenerateDataKey to get a data key.
  2. The secret value is encrypted with the data key.
  3. The encrypted data key is stored alongside the encrypted secret.

When you retrieve the secret:

  1. Secrets Manager sends the encrypted data key to KMS.
  2. KMS decrypts it (checking IAM permissions) and returns the plaintext data key.
  3. Secrets Manager decrypts the secret value and returns it to your code.

You need two IAM permissions to retrieve a secret with a customer-managed KMS key:

  • secretsmanager:GetSecretValue on the secret
  • kms:Decrypt on the KMS key

Using the default AWS-managed key (aws/secretsmanager) removes the explicit kms:Decrypt requirement — but you cannot control the rotation schedule or key policy on AWS-managed keys. Use customer-managed keys for anything requiring audit trails or fine-grained access control.

Key policy vs IAM policy: which takes precedence

KMS key access is controlled by both the key policy (resource-based policy on the key) and IAM policies on the calling principal. Both must allow the action.

The key policy must explicitly grant access to the AWS account root, or IAM policies in that account have no effect on the key. This is the inverse of most AWS resources where IAM policies work without a resource policy.

The common mistake: creating a key with a restrictive key policy that doesn't include "Principal": {"AWS": "arn:aws:iam::ACCOUNT_ID:root"}. IAM policies granting kms:Decrypt to your application role will be silently ignored.

{
  "Sid": "Enable IAM User Permissions",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
  "Action": "kms:*",
  "Resource": "*"
}

This statement in the key policy allows IAM policies to control access. Without it, only the key policy controls access.

You rotate a KMS key used to encrypt an S3 bucket. The next day, a Lambda function that reads from the bucket starts failing with access denied errors. The Lambda's IAM role has kms:Decrypt permissions. What is the most likely cause?

medium

The KMS key had automatic rotation enabled. The Lambda reads objects encrypted before and after the rotation.

  • AThe Lambda needs to be redeployed to pick up the new key version
    Incorrect.Lambda functions do not cache KMS key material. They call KMS at decrypt time and always use the key ARN or alias — not a specific key version. Redeployment is not relevant.
  • BThe key policy was overwritten during rotation and no longer grants the Lambda's IAM role access
    Correct!Automatic key rotation creates new key material but preserves the key policy. However, manual rotation — creating a new key — does not carry over the old key's policy. If the rotation was manual and the key policy on the new key doesn't include the Lambda's role, or if the Lambda's IAM policy references the old key ARN rather than an alias, access fails. Check whether the Lambda uses a key ARN (specific to a version) or a key alias (always points to current).
  • CKMS automatic rotation requires a 24-hour propagation period
    Incorrect.KMS rotation is immediate for new encryption operations. There is no propagation delay that would block decryption.
  • DThe old key version is no longer available for decryption after rotation
    Incorrect.KMS retains all previous key versions after rotation. Objects encrypted under the old key version can still be decrypted. KMS tracks which version encrypted each data key.

Hint:Think about the difference between automatic rotation (new key material, same key ID) and manual rotation (new key, new key ID), and what happens to key policies and ARN references in each case.