Key Rotation in KMS

Author: Bowen Y

  • KMS Key Use in RDS/Secrets Manager: The KMS key encrypts the RDS credentials before they are stored in Secrets Manager.

    • Access Control: Access to the decrypted secret is controlled by AWS Identity and Access Management (IAM) policies. You need appropriate permissions both to access the secret in Secrets Manager and to use the associated KMS key for decryption.

    • Transparency for the User: The decryption process is designed to be transparent to the user. When you request a secret, you don’t need to manually decrypt it—the service handles everything behind the scenes. This design simplifies the retrieval process while ensuring that the secret remains encrypted at rest.

  • Key Rotation: When a KMS key is rotated, it creates a new key version. Existing data remains encrypted with the old key version, and new encryption operations use the new key version. The rotation does not retroactively re-encrypt existing data, but both old and new key versions can be used for decryption as needed.
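The two behaviours described above (the service picks the right key for you on decrypt, and rotation leaves existing ciphertext on the old version) as an added example that is not part of the original post: a toy Python model of one KMS key with versioned key material. `KmsKeyModel`, its HMAC-based stand-in cipher and the sample secret are all constructed here; real KMS uses AES-GCM internally and offers re-encryption as a separate API call, which the `reencrypt` method mirrors.

```python
import hmac, hashlib, secrets

class KmsKeyModel:
    """Toy model of one KMS key whose material rotates (constructed for this example, not AWS code)."""
    def __init__(self):
        self.versions, self.current = {}, 0  # version id -> 32-byte key material
        self.rotate()  # a key starts life at version 1

    def rotate(self) -> int:
        """New material becomes current; older versions are kept so existing ciphertext still decrypts."""
        self.current += 1
        self.versions[self.current] = secrets.token_bytes(32)
        return self.current

    def _keystream(self, material: bytes, nonce: bytes, n: int) -> bytes:
        # HMAC-SHA256 in counter mode stands in for the AEAD that real KMS uses
        out, ctr = b"", 0
        while len(out) < n:
            out += hmac.new(material, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:n]

    def encrypt(self, plaintext: bytes) -> bytes:
        """Always encrypts under the current version; the header records which version was used."""
        ver, nonce = self.current, secrets.token_bytes(16)
        header = ver.to_bytes(4, "big") + nonce
        ks = self._keystream(self.versions[ver], nonce, len(plaintext))
        body = bytes(a ^ b for a, b in zip(plaintext, ks))
        return header + body + hmac.new(self.versions[ver], header + body, hashlib.sha256).digest()
    def version_of(self, blob: bytes) -> int:
        return int.from_bytes(blob[:4], "big")
    def decrypt(self, blob: bytes) -> bytes:
        """Selects the version named in the header, so old and new ciphertexts both decrypt."""
        ver, nonce, body, tag = self.version_of(blob), blob[4:20], blob[20:-32], blob[-32:]
        material = self.versions[ver]  # KeyError if that version has been retired
        if not hmac.compare_digest(tag, hmac.new(material, blob[:20] + body, hashlib.sha256).digest()):
            raise ValueError("ciphertext failed authentication")
        return bytes(a ^ b for a, b in zip(body, self._keystream(material, nonce, len(body))))
    def reencrypt(self, blob: bytes) -> bytes:
        """Rotation does not rewrite stored ciphertext; moving it to the new version is an explicit step."""
        return self.encrypt(self.decrypt(blob))

def rotation_demo() -> dict:
    kms = KmsKeyModel()
    old = kms.encrypt(b"rds-password")   # constructed secret stored before rotation
    kms.rotate()
    new = kms.encrypt(b"rds-password")   # same secret written after rotation
    return {"old_version": kms.version_of(old), "new_version": kms.version_of(new),
            "old_still_decrypts": kms.decrypt(old) == b"rds-password",
            "reencrypted_version": kms.version_of(kms.reencrypt(old))}
```

`rotation_demo()` shows the old ciphertext still on version 1 after rotation while new writes and the explicit re-encrypt land on version 2.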