This message was deleted.

AWS KMS manages key rotation entirely transparently to you as a user. KMS' rotation also only impact new Encrypt requests, old key material remains available to decrypt older data. More on this in the link you shared and in https://aws.amazon.com/kms/faqs/. At the Pulumi layer, we simply invoke

Decrypt

and

Encrypt

from the KMS API using your IAM credentials and the KMS KeyID you provide, which is consistent across rotation. So the rotation KMS does is invisible. However, there is a separate question about whether you want to reencrypt (using rotated keys, or a new key) the secrets in your Pulumi stack. This can be accomplished with

pulumi stack change-secrets-provider

(https://www.pulumi.com/docs/cli/commands/pulumi_stack_change-secrets-provider/). You can pass that the same KMS key as is already being used to have it generate a new data key and re-encrypt the data key using the KMS Encrypt API, as well as all secrets in the stack with that new data key. This part is not automatic, and you have control over when you do this, and whether you use the same KMS key (with a rotated internal key material) or a new key entirely. The same users who have IAM access to Decrypt data with this key will be able to read the secrets from the stack.

Hey @white-balloon-205, thanks for the response! Yeah, that makes perfect sense, exactly what I was looking for.