Should we rotate KMS keys and if so how?
AWS-managed keys rotate automatically every year. For customer-managed keys, enable automatic rotation, one checkbox. Manual key rotation with re-encrypt is rarely needed.
Try this first
- 1For symmetric customer-managed keys: enable Automatic Key Rotation. AWS creates new key material yearly, old data remains readable via key versions.
- 2Asymmetric keys don't rotate automatically. Create a new key, use both aliases, and migrate software gradually.
- 3Audit with CloudTrail which key encrypts what. A KMS key with no usage can usually be scheduled for deletion (7-30 day wait).
- 4On Azure this is Key Vault key rotation policy, on GCP Cloud KMS rotation period. Same pattern.
- 5Document which key encrypts which data and who is key admin. At an audit, that's the first question.
When to bring us in
If you work with PCI data or patient records and rotation frequency is contractually set, a short review with your security officer is worth it.
See also
- Everyone logs in with the AWS root accountRoot is for emergencies and billing. Day-to-day work belongs in IAM users or SSO.
- Every developer has AdministratorAccessAdministratorAccess everywhere is convenient now, painful later. Start with role-based policies.
- Everyone has individual IAM users with their own passwordIdentity Center (formerly AWS SSO) links to your IdP and issues temporary credentials per session.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.