Hi there question about

Question

Hi there question about How does Pulumi handle AWS managed key rotations once a year ```Note In May 2022 AWS KMS changed the rotation schedule for AWS managed keys from every three years approximately 1 095 days to every year approximately 365 days New AWS managed keys are automatically rotated one year after they are created and approximately every year thereafter Existing AWS managed keys are automatically rotated one year after their most recent rotation and every year thereafter ``` Will this break our stacks all of our secret configuration

white-balloon-205 · Answer

AWS KMS manages key rotation entirely transparently to you as a user KMS rotation also only impact new Encrypt requests old key material remains available to decrypt older data More on this in the link you shared and in At the Pulumi layer we simply invoke `Decrypt` and `Encrypt` from the KMS API using your IAM credentials and the KMS KeyID you provide which is consistent across rotation So the rotation KMS does is invisible However there is a separate question about whether you want to reencrypt using rotated keys or a new key the secrets in your Pulumi stack This can be accomplished with `pulumi stack change secrets provider` You can pass that the same KMS key as is already being used to have it generate a new data key and re encrypt the data key using the KMS Encrypt API as well as all secrets in the stack with that new data key This part is not automatic and you have control over when you do this and whether you use the same KMS key with a rotated internal key material or a new key entirely The same users who have IAM access to Decrypt data with this key will be able to read the secrets from the stack

cool-dress-96114 · Answer

Hey < white balloon 205> thanks for the response Yeah that makes perfect sense exactly what I was looking for