cool-dress-96114
05/24/2023, 4:36 PM
Note
In May 2022, AWS KMS changed the rotation schedule for AWS managed keys from every three years (approximately 1,095 days) to every year (approximately 365 days).
New AWS managed keys are automatically rotated one year after they are created, and approximately every year thereafter.
Existing AWS managed keys are automatically rotated one year after their most recent rotation, and every year thereafter.
Will this break our stacks / all of our secret configuration?
white-balloon-205
05/29/2023, 8:39 PM
Decrypt and Encrypt from the KMS API using your IAM credentials and the KMS KeyID you provide, which is consistent across rotation. So the rotation KMS does is invisible.
However, there is a separate question about whether you want to re-encrypt (using rotated keys, or a new key) the secrets in your Pulumi stack. This can be accomplished with pulumi stack change-secrets-provider (https://www.pulumi.com/docs/cli/commands/pulumi_stack_change-secrets-provider/). You can pass that the same KMS key as is already being used to have it generate a new data key and re-encrypt the data key using the KMS Encrypt API, as well as all secrets in the stack with that new data key. This part is not automatic, and you have control over when you do this, and whether you use the same KMS key (with a rotated internal key material) or a new key entirely. The same users who have IAM access to Decrypt data with this key will be able to read the secrets from the stack.
cool-dress-96114
05/30/2023, 6:11 AM