AWS KMS Documentation
Can you please help me understand the meaning of a sentence from the KMS documentation, https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html:

> automatic key rotation has no effect on the data that the KMS key protects.
> It does not rotate the data keys that the KMS key generated
> or re-encrypt any data protected by the KMS key,
> **and it will not mitigate the effect of a compromised data key.**

What does "... it will not mitigate the effect of a compromised data key." mean in this context?

I need to enable KMS rotation in multiple repos and I want to be 100% sure.
Solution 1:[1]
Your CMK can create data keys, which you can use outside of AWS to manually encrypt and decrypt your data. The important thing about data keys is that they are symmetric, which means the same key is used for encryption and decryption of a secret.

If AWS rotation happens, it affects only the key material stored in KMS. Any data keys generated before that are not affected, as they are for external use and are symmetric. The rotation only applies to the keys stored in KMS itself, not to data keys that you generated and used outside of AWS.

So if anyone has your data key, it can be used to decrypt your secrets, as rotation does not apply to these keys.
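The following is an added, self-contained model of the envelope-encryption behaviour the answer describes; it is not AWS code and not part of the original answer. `ToyKms` stands in for a KMS key whose backing material can be rotated (old material is retained so previously wrapped data keys still unwrap, as KMS does), and `encrypt`/`decrypt` are a deliberately simple SHA-256 keystream plus HMAC construction used only so the example runs with the standard library. The scenario shows that rotating the master key neither changes the plaintext data key already handed out nor stops a leaked copy of it from decrypting the data, and that re-encrypting under a freshly generated data key is what actually cuts the leaked key off.

```python
"""Toy model of KMS envelope encryption (constructed example, not AWS code).

Shows why rotating the master key does not revoke a data key that was
generated earlier: the data key is a separate symmetric secret that lives
outside KMS, and only re-encrypting the data under a new data key helps.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || nonce || counter) blocks XORed over data.
    Stand-in for AES-GCM so the example needs no third-party library."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hashlib.sha256(key + nonce + block_no.to_bytes(4, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key fails here rather than yielding garbage."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return _keystream_xor(key, nonce, ct)


class ToyKms:
    """One symmetric KMS key. Rotation appends new backing material but keeps
    the old versions so previously wrapped data keys can still be unwrapped."""

    def __init__(self) -> None:
        self._versions = [os.urandom(32)]  # backing key material, newest last

    def rotate(self) -> None:
        self._versions.append(os.urandom(32))

    def generate_data_key(self):
        """Like GenerateDataKey: returns (plaintext data key, wrapped data key).
        The wrapped copy records which backing-key version sealed it."""
        plaintext_key = os.urandom(32)
        version = len(self._versions) - 1
        wrapped = version.to_bytes(2, "big") + encrypt(self._versions[version], plaintext_key)
        return plaintext_key, wrapped

    def decrypt_data_key(self, wrapped: bytes) -> bytes:
        """Like Decrypt on a wrapped data key: picks the matching backing version."""
        version = int.from_bytes(wrapped[:2], "big")
        return decrypt(self._versions[version], wrapped[2:])


def rotation_scenario() -> dict:
    """Walk through generate -> leak -> rotate -> re-encrypt and report what
    each step changes for a leaked plaintext data key."""
    kms = ToyKms()
    secret = b"database password"

    data_key, wrapped_key = kms.generate_data_key()
    ciphertext = encrypt(data_key, secret)
    leaked_copy = data_key          # a copy of the plaintext data key escaped
    del data_key                    # the application forgets its own copy

    kms.rotate()                    # automatic key rotation on the master key

    return {
        # KMS still unwraps the old wrapped key: rotation keeps old material.
        "kms_still_unwraps_old_key": kms.decrypt_data_key(wrapped_key) == leaked_copy,
        # The leaked data key decrypts the data without ever contacting KMS.
        "leaked_key_still_decrypts": decrypt(leaked_copy, ciphertext) == secret,
        # Mitigation: re-encrypt the data under a freshly generated data key.
        "leaked_key_decrypts_reencrypted": _reencrypt_and_probe(kms, secret, leaked_copy),
    }


def _reencrypt_and_probe(kms: ToyKms, secret: bytes, leaked_key: bytes) -> bool:
    new_key, _new_wrapped = kms.generate_data_key()
    new_ciphertext = encrypt(new_key, secret)
    try:
        decrypt(leaked_key, new_ciphertext)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name, value in rotation_scenario().items():
        print(f"{name}: {value}")
```

The third result is the operational point: after rotation the leaked key is still fully usable, and only re-encrypting the data under a new data key (and retiring the old ciphertext) removes its value.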
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Marcin |
