AWS KMS Key Rotation: Best Practice to Enhance Security

As a DevOps engineer, ensuring data security is one of my top priorities, and AWS Key Management Service (KMS) is what I use to protect sensitive data with encryption. Encryption is only as strong as the key management behind it, so let's look at KMS key rotation: a best practice that limits the impact of a compromise by periodically replacing the cryptographic key material used for new encryption operations.

In this article, I'll take you through the essential concepts of AWS KMS keys: where they come from and the different approaches to rotating them. I'll also explain how to rotate KMS keys used for data encryption in AWS services like S3, EBS, and DynamoDB, what to do if a key is compromised, and how to re-encrypt data with a new key.

First, let's understand what AWS KMS keys are, starting with the three types of KMS keys available in AWS:

  1. AWS owned keys: A collection of keys that an AWS service owns and manages for use across many AWS accounts. You cannot view, use or rotate them, and they do not appear in your account; only the service that owns them can use them, and their rotation schedule is up to that service.
  2. AWS managed keys: AWS creates these in your account (under an alias of the form aws/<service>) when you enable encryption in a service such as S3, EBS or RDS. You can view them and their key policy, but AWS controls the policy and rotates them automatically every year; you cannot rotate, disable or delete them yourself.
  3. Customer managed keys (CMKs): These are fully under your control. You write the key policy, enable automatic or on-demand rotation, import your own key material if required, and can disable or schedule deletion of the key. CMKs offer the highest level of control, which is why they are the usual choice for compliance-sensitive workloads.

Now let's look at KMS key rotation. Rotation limits how much data is protected by any single piece of key material, so a compromise of that material exposes less. There are two ways to rotate a KMS key:

  1. Automatic Key Rotation: When automatic rotation is enabled on a customer managed key, KMS generates new key material for that key once a year by default (the rotation period can be set anywhere between 90 and 2,560 days) and keeps every previous version of the material, so data encrypted under older material still decrypts. The key ID, ARN, alias and key policy do not change, and existing ciphertext is not re-encrypted: only new Encrypt and GenerateDataKey calls use the latest material. Automatic rotation is not available for keys with imported key material, asymmetric keys, HMAC keys or keys in custom key stores. To enable automatic rotation:
aws kms enable-key-rotation --key-id <mykeyid>

To verify that rotation is enabled (the output should show KeyRotationEnabled set to true):

aws kms get-key-rotation-status --key-id <mykeyid>

2. Manual Key Rotation (Create a new key):

KMS cannot automatically rotate a key whose key material was imported, so such keys are rotated manually by creating a new customer managed key and pointing every encryption configuration at it. Because an alias name is unique within a region, you cannot create a second key with the same alias; you create the new key and then move the alias across. The steps are:

  1. Create a new key. For imported material, create it with origin EXTERNAL (the --origin option of aws kms create-key); the key stays in the PendingImport state until material is imported.
  2. Download a wrapping public key and an import token for the new key:
aws kms get-parameters-for-import --key-id <newkeyid> --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048
  3. Encrypt (wrap) the new key material with that public key, using the same RSAES_OAEP_SHA_256 algorithm, and import it with aws kms import-key-material together with the import token. The wrapping key and import token are only valid for 24 hours.
  4. Update the alias (aws kms update-alias) so that applications resolving the alias start using the new key.
  5. Re-encrypt existing data. Moving the alias only affects new encryption operations; anything encrypted under the old key still needs the old key to decrypt until it has been re-encrypted, so disable the old key only after that is done.

Now let's see what to do when a KMS key is compromised. The first reaction might be to rotate it immediately, but rotating the key material or moving an alias only changes what future encryption operations use: everything already encrypted under the old key remains readable by whoever can still use that key. Note that the material of a KMS-generated symmetric key never leaves the service's HSMs, so in practice "compromise" means either imported key material that was exposed outside KMS, or an identity with kms:Decrypt permission on the key whose credentials were stolen; in the second case, revoking that access (key policy, IAM policy, grants) is part of the response too. The correct approach for the key itself is:

1. Create a New Key and Update the Alias

We create a new CMK and update the alias so that new encryptions use the new key.

aws kms create-key --description "New key for compromised key replacement"
aws kms update-alias --alias-name alias/my-key --target-key-id <mynewkeyid>

2. Re-Encrypt Data Keys

If data was encrypted with data keys generated from the compromised KMS key (envelope encryption), we re-wrap each encrypted data key under the new key. ReEncrypt does this entirely inside KMS, so the plaintext data key is never returned to the caller, and for symmetric keys the source key is inferred from the ciphertext. The CLI reads the binary blob from a file and returns the new blob base64-encoded:

aws kms re-encrypt --ciphertext-blob fileb://data-key.enc --destination-key-id alias/my-key --query CiphertextBlob --output text | base64 --decode > data-key.enc.new

This is sufficient only if the plaintext data keys were never exposed. If an attacker could call Decrypt while the old key was live, they may already hold the plaintext data keys, and the data itself must then be re-encrypted with freshly generated data keys.

3. Disable the Compromised Key

Once all data keys have been re-wrapped (and every consumer has moved to the alias's new target), we disable the compromised key so that it can no longer be used for any cryptographic operation. Disabling is reversible, which makes it the right first step; deletion is permanent and comes last.

aws kms disable-key --key-id <compromised-key-id>

4. Verify That Decryption with the Old Key Fails

To confirm that the old key is no longer usable, try to decrypt something that was encrypted under it:

aws kms decrypt --ciphertext-blob fileb://old-encrypted-data

This call must fail with a DisabledException. If it still succeeds, the key is not actually disabled; check its state with aws kms describe-key before going any further. Only once decryption with the old key is confirmed to fail and nothing in the account still depends on it should you schedule the key for deletion with aws kms schedule-key-deletion. Deletion enforces a waiting period of 7 to 30 days during which it can be cancelled; after that, any data still encrypted under the key is unrecoverable.
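The four steps above carried out programmatically, as an added example that is not part of the original post. The two workflow functions take any boto3-compatible KMS client and use only create_key, update_alias, re_encrypt, decrypt and disable_key; FakeKms is a constructed in-memory stand-in so the flow can run offline (its wrapped blobs are lookup tokens, not cryptography), and the key IDs and alias name are placeholders.

```python
"""Responding to a compromised KMS key: re-wrap the data keys under a new key,
retire the old key and prove it no longer decrypts. Added example, not code from
the original post; FakeKms is a constructed stand-in for boto3.client("kms")."""
import secrets
from dataclasses import dataclass, field


class DisabledException(Exception):
    """Stand-in for botocore's kms.exceptions.DisabledException."""


@dataclass
class FakeKms:
    """In-memory subset of the KMS API. Wrapped data keys are opaque lookup tokens;
    nothing here is real cryptography. With AWS credentials pass boto3.client("kms")."""
    exceptions = type("Exceptions", (), {"DisabledException": DisabledException})
    keys: dict = field(default_factory=dict)     # key_id -> enabled (bool)
    aliases: dict = field(default_factory=dict)  # "alias/..." -> key_id
    blobs: dict = field(default_factory=dict)    # token -> (key_id, plaintext data key)

    def _resolve(self, key_id):
        return self.aliases.get(key_id, key_id)

    def _wrap(self, key_id, plaintext):
        token = f"{key_id}:{secrets.token_hex(8)}".encode()
        self.blobs[token] = (key_id, plaintext)
        return token

    def _unwrap(self, blob):
        key_id, plaintext = self.blobs[blob]
        if not self.keys[key_id]:  # a disabled key fails every cryptographic operation
            raise DisabledException(f"{key_id} is disabled")
        return key_id, plaintext

    def create_key(self, Description=""):
        key_id = f"key-{len(self.keys) + 1:04d}"
        self.keys[key_id] = True
        return {"KeyMetadata": {"KeyId": key_id, "Description": Description}}

    def create_alias(self, AliasName, TargetKeyId):
        self.aliases[AliasName] = TargetKeyId
    update_alias = create_alias

    def generate_data_key(self, KeyId, KeySpec="AES_256"):
        key_id, plaintext = self._resolve(KeyId), secrets.token_bytes(32)
        return {"KeyId": key_id, "Plaintext": plaintext, "CiphertextBlob": self._wrap(key_id, plaintext)}

    def re_encrypt(self, CiphertextBlob, DestinationKeyId):
        source_id, plaintext = self._unwrap(CiphertextBlob)
        dest_id = self._resolve(DestinationKeyId)
        return {"SourceKeyId": source_id, "KeyId": dest_id, "CiphertextBlob": self._wrap(dest_id, plaintext)}

    def decrypt(self, CiphertextBlob):
        key_id, plaintext = self._unwrap(CiphertextBlob)
        return {"KeyId": key_id, "Plaintext": plaintext}

    def disable_key(self, KeyId):
        self.keys[self._resolve(KeyId)] = False


def replace_compromised_key(kms, alias, old_key_id, wrapped_data_keys):
    """Create a replacement key, repoint the alias, re-wrap every data key under it
    (ReEncrypt runs inside KMS, so plaintext data keys never leave the service), then
    disable the old key. Returns (new_key_id, re-wrapped blobs)."""
    new_key_id = kms.create_key(Description=f"replacement for {old_key_id}")["KeyMetadata"]["KeyId"]
    kms.update_alias(AliasName=alias, TargetKeyId=new_key_id)
    rewrapped = []
    for blob in wrapped_data_keys:
        resp = kms.re_encrypt(CiphertextBlob=blob, DestinationKeyId=new_key_id)
        # A blob not wrapped by the key being retired means the data-key inventory is
        # wrong; stop before disabling anything. (Real KMS returns ARNs, hence endswith.)
        if not resp["SourceKeyId"].endswith(old_key_id):
            raise RuntimeError(f"blob is wrapped by {resp['SourceKeyId']}, not {old_key_id}")
        rewrapped.append(resp["CiphertextBlob"])
    kms.disable_key(KeyId=old_key_id)
    return new_key_id, rewrapped


def old_key_is_unusable(kms, blob_wrapped_by_old_key):
    """Verification: Decrypt against the retired key must raise DisabledException.
    Anything else means the key is still live and must not be scheduled for deletion."""
    try:
        kms.decrypt(CiphertextBlob=blob_wrapped_by_old_key)
    except kms.exceptions.DisabledException:
        return True
    return False


def demo():
    kms = FakeKms()
    old_key = kms.create_key(Description="original key")["KeyMetadata"]["KeyId"]
    kms.create_alias(AliasName="alias/my-key", TargetKeyId=old_key)
    issued = [kms.generate_data_key(KeyId="alias/my-key") for _ in range(3)]  # handed out pre-compromise
    old_blobs = [d["CiphertextBlob"] for d in issued]
    new_key, new_blobs = replace_compromised_key(kms, "alias/my-key", old_key, old_blobs)
    # The re-wrapped blobs yield the same data keys, so the bulk data need not be rewritten
    # unless plaintext data keys were exposed too; in that case re-encrypt the data as well.
    return {
        "old_key": old_key, "new_key": new_key, "alias_target": kms.aliases["alias/my-key"],
        "same_data_keys": all(kms.decrypt(CiphertextBlob=b)["Plaintext"] == d["Plaintext"]
                              for b, d in zip(new_blobs, issued)),
        "wrapped_by_new_key": all(kms.decrypt(CiphertextBlob=b)["KeyId"] == new_key for b in new_blobs),
        "old_key_unusable": old_key_is_unusable(kms, old_blobs[0]),
    }
```

The guard in replace_compromised_key is the part worth keeping in a real script: ReEncrypt tells you which key actually wrapped each blob, so a blob that turns out to belong to some other key is a sign that the inventory of data keys is incomplete, and disabling the old key at that point would strand data.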

Rotating a KMS Key for AWS Services

A. Rotating a KMS Key for S3

S3 supports server-side encryption with KMS keys (SSE-KMS). The bucket's default encryption key applies only to new uploads that do not specify a key of their own, so rotating the key for a bucket means both changing the default and re-encrypting the objects already stored. When rotating a key for an S3 bucket:

  1. Change the default bucket KMS key:
aws s3api put-bucket-encryption --bucket my-bucket \
--server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms","KMSMasterKeyID": "<new-key-id>"}}]}'
  2. Re-encrypt existing objects by copying them onto themselves with the new key. S3 refuses an in-place copy that changes nothing, but a different encryption key counts as a change:
aws s3 cp s3://my-bucket s3://my-bucket --recursive --sse aws:kms --sse-kms-key-id <new-key-id>
On a versioned bucket this creates new object versions; the noncurrent versions stay encrypted with the old key. Objects in archive storage classes must be restored before they can be copied. Before the next step, confirm that no object still references the old key (for example with a HEAD on each object, which returns the SSE-KMS key ARN in the x-amz-server-side-encryption-aws-kms-key-id header).
  3. Disable the old KMS key only once nothing in the bucket still uses it:
aws kms disable-key --key-id <old-key-id>
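The object sweep from step 2 with the check from step 3 built in, as an added example (not the author's code) written against the boto3 S3 API: it lists the bucket, HEADs each object to see which KMS key wraps it, copies only the objects still on the old key, and recounts afterwards so the old key is disabled only when nothing references it. FakeS3 and the key ARNs are constructed stand-ins so the example runs offline; pass boto3.client("s3") for a real bucket.

```python
"""Re-encrypting every object in a bucket under a new SSE-KMS key and confirming that
nothing still references the old key before it is disabled. Added example, not code
from the original post; FakeS3 is a constructed stand-in for boto3.client("s3") and
the key ARNs are placeholders."""
from dataclasses import dataclass, field

OLD_KEY = "arn:aws:kms:us-east-1:111122223333:key/00000000-old"
NEW_KEY = "arn:aws:kms:us-east-1:111122223333:key/00000000-new"


@dataclass
class FakeS3:
    """list/head/copy subset of the S3 API, two keys per page so pagination is exercised."""
    objects: dict = field(default_factory=dict)  # key -> SSE-KMS key ARN
    page_size: int = 2

    def list_objects_v2(self, Bucket, ContinuationToken="0"):
        keys, start = sorted(self.objects), int(ContinuationToken)
        nxt = start + self.page_size
        resp = {"Contents": [{"Key": k} for k in keys[start:nxt]], "IsTruncated": nxt < len(keys)}
        if resp["IsTruncated"]:
            resp["NextContinuationToken"] = str(nxt)
        return resp

    def head_object(self, Bucket, Key):
        return {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": self.objects[Key]}

    def copy_object(self, Bucket, Key, CopySource, ServerSideEncryption, SSEKMSKeyId, MetadataDirective="COPY"):
        # Real S3 rejects an in-place copy that changes nothing; a different SSE-KMS key
        # counts as a change, which is what makes copy-onto-itself a re-encryption.
        if self.objects[CopySource["Key"]] == SSEKMSKeyId:
            raise ValueError("InvalidRequest: copy to itself without changing anything")
        self.objects[Key] = SSEKMSKeyId


def iter_keys(s3, bucket):
    """Yield every object key, following continuation tokens across pages."""
    kwargs = {"Bucket": bucket}
    while True:
        resp = s3.list_objects_v2(**kwargs)
        for obj in resp.get("Contents", []):
            yield obj["Key"]
        if not resp.get("IsTruncated"):
            return
        kwargs["ContinuationToken"] = resp["NextContinuationToken"]


def keys_encrypted_with(s3, bucket, key_arn):
    """Keys whose current version is wrapped by key_arn (HEAD reports the full key ARN)."""
    return [k for k in iter_keys(s3, bucket)
            if s3.head_object(Bucket=bucket, Key=k).get("SSEKMSKeyId") == key_arn]


def reencrypt_bucket(s3, bucket, old_key_arn, new_key_arn):
    """Copy each object still on old_key_arn onto itself with new_key_arn.
    Returns (rewritten, still_on_old_key); disable the old key only when the second
    number is 0. Noncurrent versions on a versioned bucket are not touched (walk
    list_object_versions for those), and copy_object is limited to 5 GB per object:
    use the managed s3.copy() transfer for anything larger."""
    targets = keys_encrypted_with(s3, bucket, old_key_arn)
    for key in targets:
        s3.copy_object(Bucket=bucket, Key=key, CopySource={"Bucket": bucket, "Key": key},
                       ServerSideEncryption="aws:kms", SSEKMSKeyId=new_key_arn,
                       MetadataDirective="COPY")
    return len(targets), len(keys_encrypted_with(s3, bucket, old_key_arn))


def demo():
    other = "arn:aws:kms:us-east-1:111122223333:key/00000000-other"  # unrelated key, must be left alone
    s3 = FakeS3(objects={"a.txt": OLD_KEY, "b.txt": OLD_KEY, "c.txt": NEW_KEY,
                         "d.txt": OLD_KEY, "e.txt": other})
    rewritten, remaining = reencrypt_bucket(s3, "my-bucket", OLD_KEY, NEW_KEY)
    return {"rewritten": rewritten, "remaining": remaining,
            "safe_to_disable_old_key": remaining == 0,
            "untouched_other_key": s3.objects["e.txt"] == other}
```

Filtering on the exact key ARN matters: a bucket commonly holds objects under SSE-S3, under other KMS keys, or already migrated, and copying those would be wasted KMS calls at best and a silent change of their encryption key at worst.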

B. Rotating a KMS Key for EBS Volumes

An EBS volume cannot be re-encrypted in place. To move a volume to a new KMS key, take a snapshot of it and create a new volume from that snapshot with the new key specified; the data is re-encrypted under the new key as the volume is created. (Copying the snapshot with aws ec2 copy-snapshot --encrypted --kms-key-id <new-key-id> does the same for the snapshot itself.)

  1. Create a snapshot of the existing volume (stop the instance or quiesce the file system first so the snapshot is consistent):
aws ec2 create-snapshot --volume-id <volume-id>
  2. Create a new volume from the snapshot, in the instance's Availability Zone, using the new KMS key:
aws ec2 create-volume --availability-zone us-east-1a --encrypted --kms-key-id <new-key-id> --snapshot-id <snapshot-id> --volume-type gp3
  3. Detach the old volume, attach the new one (aws ec2 detach-volume and aws ec2 attach-volume) and check that the instance mounts or boots from it. The snapshot from step 1 is still encrypted under the old key: delete it, or re-copy it with the new key, before disabling the old key, otherwise the snapshot becomes unusable as soon as the key is disabled.

C. Rotating a KMS Key for DynamoDB

DynamoDB re-encrypts a table in the background when its KMS key is changed, so no copy is needed and the table stays available during the change.

  1. Change the KMS key for the table:
aws dynamodb update-table --table-name my-table --sse-specification Enabled=true,SSEType=KMS,KMSMasterKeyId=<new-key-id>
  2. DynamoDB re-encrypts the table under the new key in the background. Check progress with aws dynamodb describe-table: the SSEDescription block shows Status UPDATING while the change is in progress and ENABLED with the new KMSMasterKeyArn once it has finished. Do not disable the old key until that is the case.
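Waiting for that status change before touching the old key, as an added example (not the author's code) against the boto3 DynamoDB API. FakeDynamoDB is a constructed stand-in whose SSEDescription flips to ENABLED after a few describe_table calls; with real credentials pass boto3.client("dynamodb") and the new key's ARN, and leave the default poll interval.

```python
"""Switching a DynamoDB table to a new KMS key and waiting for the background
re-encryption to finish before the old key is touched. Added example, not code from
the original post; FakeDynamoDB is a constructed stand-in for boto3.client("dynamodb")
whose SSE status flips to ENABLED after a few describe_table calls."""
import time


class FakeDynamoDB:
    def __init__(self, current_key_arn, polls_until_done=3):
        self.sse = {"Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": current_key_arn}
        self.pending_key, self.polls_left = None, polls_until_done

    def update_table(self, TableName, SSESpecification):
        # Real DynamoDB accepts a key ID, ARN or alias here and reports the ARN back.
        self.pending_key = SSESpecification["KMSMasterKeyId"]
        self.sse["Status"] = "UPDATING"
        return {"TableDescription": {"TableName": TableName, "SSEDescription": dict(self.sse)}}

    def describe_table(self, TableName):
        if self.sse["Status"] == "UPDATING":
            self.polls_left -= 1
            if self.polls_left == 0:
                self.sse = {"Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": self.pending_key}
        return {"Table": {"TableName": TableName, "SSEDescription": dict(self.sse)}}


def switch_table_key(ddb, table, new_key_arn, timeout_s=900, poll_s=10):
    """Point the table at new_key_arn, then poll until SSEDescription reports ENABLED
    with exactly that ARN (pass the ARN, not an alias, so the comparison is exact).
    Returns the number of polls it took; raises TimeoutError if the change does not
    complete, in which case the old key must stay enabled."""
    ddb.update_table(TableName=table,
                     SSESpecification={"Enabled": True, "SSEType": "KMS", "KMSMasterKeyId": new_key_arn})
    deadline, polls, sse = time.monotonic() + timeout_s, 0, {}
    while time.monotonic() < deadline:
        sse = ddb.describe_table(TableName=table)["Table"].get("SSEDescription", {})
        polls += 1
        if sse.get("Status") == "ENABLED" and sse.get("KMSMasterKeyArn") == new_key_arn:
            return polls
        time.sleep(poll_s)
    raise TimeoutError(f"{table}: SSE still {sse.get('Status')} on {sse.get('KMSMasterKeyArn')}")


def demo():
    old = "arn:aws:kms:us-east-1:111122223333:key/00000000-old"  # placeholder ARNs
    new = "arn:aws:kms:us-east-1:111122223333:key/00000000-new"
    ddb = FakeDynamoDB(current_key_arn=old, polls_until_done=3)
    polls = switch_table_key(ddb, "my-table", new, timeout_s=5, poll_s=0)
    return {"polls": polls, "status": ddb.sse["Status"], "final_key": ddb.sse["KMSMasterKeyArn"]}
```

Checking both the status and the ARN is deliberate: a table that reports ENABLED but still shows the old KMSMasterKeyArn has not switched yet, and disabling the old key at that moment would make the table unreadable.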

In summary, key rotation is essential for maintaining security in AWS KMS. Whether we enable automatic rotation, manually create a new key, or import new key material, the goal is the same: protect sensitive data while keeping disruption to a minimum.

When a key is compromised, the correct strategy is to re-encrypt the data keys (and the data itself, if plaintext data keys may have leaked) rather than simply repointing the alias. For services like S3, EBS, and DynamoDB, rotation has to be handled differently depending on how each service encrypts its data.

By following these best practices, we can ensure that our encryption remains strong, our data stays secure, and our AWS environment follows compliance and security best practices.

