Key rotation

A fundamental element of key infrastructure security is key rotation. Rotating keys reduces risk by limiting the lifetime of each key: the longer a single key stays in use, the more data it protects and the more time an attacker has to try to compromise it, so the impact of any eventual compromise grows with the key's age. Rotating keys regularly is therefore a security best practice with any KMS.

KMS offers two ways of rotating your keys: an automatic method and a manual method. Rotation applies to the CMK itself, not to the DEKs it generates and wraps. If you let KMS manage rotation for you (the automatic method), KMS rotates the key every 365 days, and this time frame can't be altered. But what actually happens when your key is automatically rotated, and what does it mean for the data encrypted under it?

When automatic key rotation takes place, it is the backing key that changes; every other attribute of the key, such as the Amazon Resource Name (ARN) and the CMK ID, remains the same. The backing key is the actual cryptographic material used when generating, encrypting, and decrypting DEKs. During rotation a new backing key is generated and becomes the one used for all new encryption operations, while every older backing key is retained so that data encrypted with an earlier backing key of the CMK can still be decrypted. Applications keep calling the same key ID or alias and never see the change.

Manual key rotation is the alternative, and it gives you greater control over the frequency of rotation.

One point to bear in mind with automatic rotation of your CMKs: a key in the Disabled state is not rotated. When the key is re-enabled, AWS checks the age of the last rotation, and if it was more than 365 days ago it performs an immediate automatic rotation rather than waiting for the next scheduled one.
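To make the three points above concrete (a rotated key keeps its ID and ARN while growing a list of backing keys, old ciphertext still decrypts because the blob records which backing key produced it, and disabled keys are skipped until re-enabled), here is a small in-memory model. It is an added example, not AWS code or the author's: the account and region in the ARN are hypothetical, the day counters and the alias name alias/app are constructed, and a SHA-256 counter-mode keystream with an HMAC tag stands in for KMS's real AES-GCM so that it runs on the standard library alone. The manual path is modelled the way KMS documents it, by creating a second key and repointing the alias.

```python
"""Toy model of KMS key rotation (an added example, not AWS code): one key ID keeps
a growing list of backing keys, each ciphertext records which backing key made it,
and an alias lets manual rotation move callers to a brand-new key."""
import hashlib, hmac, secrets, uuid
from dataclasses import dataclass, field

ROTATION_PERIOD_DAYS = 365          # the fixed period the text describes
HDR, TAG = 36 + 2 + 12, 32          # header: key ID + backing-key version + nonce; HMAC tag

def _keystream(bk: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode: a stdlib stand-in for AES, not a real cipher."""
    return b"".join(hashlib.sha256(bk + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

@dataclass
class CMK:
    key_id: str = field(default_factory=lambda: str(uuid.uuid4()))
    backing_keys: list = field(default_factory=lambda: [secrets.token_bytes(32)])
    enabled: bool = True
    rotation_enabled: bool = False
    last_rotated_day: int = 0       # day the newest backing key was created

    @property
    def arn(self) -> str:           # hypothetical account and region
        return f"arn:aws:kms:us-east-1:111122223333:key/{self.key_id}"

    def daily_rotation_check(self, today: int) -> bool:
        """Scheduler rule: enabled, rotation on, and the newest backing key is
        365 days old. Rotation appends a backing key; older ones are retained."""
        if not (self.enabled and self.rotation_enabled):
            return False            # disabled keys are skipped entirely
        if today - self.last_rotated_day < ROTATION_PERIOD_DAYS:
            return False
        self.backing_keys.append(secrets.token_bytes(32))
        self.last_rotated_day = today
        return True

    def encrypt(self, plaintext: bytes) -> bytes:
        """Always the newest backing key; the header names key ID and version."""
        if not self.enabled:
            raise PermissionError("DisabledException")
        version = len(self.backing_keys) - 1
        bk, nonce = self.backing_keys[version], secrets.token_bytes(12)
        header = self.key_id.encode() + version.to_bytes(2, "big") + nonce
        body = bytes(a ^ b for a, b in zip(plaintext, _keystream(bk, nonce, len(plaintext))))
        return header + body + hmac.new(bk, header + body, "sha256").digest()

    def decrypt(self, blob: bytes) -> bytes:
        """Use the backing key the blob names, so pre-rotation ciphertext still opens."""
        if not self.enabled:
            raise PermissionError("DisabledException")
        header, body, tag = blob[:HDR], blob[HDR:-TAG], blob[-TAG:]
        if header[:36].decode() != self.key_id:
            raise ValueError("IncorrectKeyException")
        bk = self.backing_keys[int.from_bytes(header[36:38], "big")]
        if not hmac.compare_digest(hmac.new(bk, header + body, "sha256").digest(), tag):
            raise ValueError("InvalidCiphertextException")
        return bytes(a ^ b for a, b in zip(body, _keystream(bk, header[38:], len(body))))

class KeyStore:
    """Keys plus aliases. Decrypt takes no key ID: it is read from the blob, as in KMS."""
    def __init__(self):
        self.keys, self.aliases = {}, {}

    def create_key(self, rotation_enabled: bool = False) -> CMK:
        k = CMK(rotation_enabled=rotation_enabled)
        self.keys[k.key_id] = k
        return k

    def encrypt(self, alias: str, plaintext: bytes) -> bytes:
        return self.keys[self.aliases[alias]].encrypt(plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        return self.keys[blob[:36].decode()].decrypt(blob)

def walkthrough() -> dict:
    """Automatic rotation, the disabled-key rule, then manual rotation via an alias."""
    store = KeyStore()
    k1 = store.create_key(rotation_enabled=True)
    store.aliases["alias/app"] = k1.key_id
    arn_before = k1.arn
    c_day0 = store.encrypt("alias/app", b"dek-0")     # wrapped with backing key 0
    r200 = k1.daily_rotation_check(200)                # too early: no rotation
    r365 = k1.daily_rotation_check(365)                # backing key 1 created
    c_day365 = store.encrypt("alias/app", b"dek-1")
    k1.enabled = False
    r_disabled = k1.daily_rotation_check(800)          # disabled: skipped
    k1.enabled = True
    r_reenabled = k1.daily_rotation_check(800)         # 435 days since last: rotates at once
    k2 = store.create_key()                            # manual rotation: new key,
    store.aliases["alias/app"] = k2.key_id             # alias repointed to it
    c_manual = store.encrypt("alias/app", b"dek-2")
    return {
        "arn_unchanged": k1.arn == arn_before,
        "backing_keys": len(k1.backing_keys),
        "rotations": (r200, r365, r_disabled, r_reenabled),
        "versions_used": tuple(int.from_bytes(c[36:38], "big") for c in (c_day0, c_day365)),
        "all_decrypt": [store.decrypt(c) for c in (c_day0, c_day365, c_manual)],
        "manual_used_new_key": c_manual[:36].decode() == k2.key_id,
    }
```

Running walkthrough() shows the ARN unchanged after two automatic rotations, three backing keys held by the same key ID, the two early ciphertexts carrying versions 0 and 1 and still decrypting, and the post-manual-rotation ciphertext bound to the new key. Against the real service the same steps map to EnableKeyRotation and GetKeyRotationStatus for the automatic path and CreateKey plus UpdateAlias for the manual one; note that in the manual case the old key must stay enabled for as long as any ciphertext it produced still needs decrypting.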
