Managing keys

This page was generated from content adapted from the AWS Developer Guide

Creating keys

  • Note Symmetric KMS keys are now called symmetric encryption KMS keys. AWS KMS supports two kinds of symmetric KMS keys, symmetric encryption KMS keys (the default type) and HMAC KMS keys, which are also symmetric keys.

  • Note Be cautious when giving principals permission to manage tags and aliases. Changing a tag or alias can allow or deny permission to the customer managed key. For details, see ABAC for AWS KMS.

Enabling and disabling keys

Rotating keys

  • Note The rotation interval for AWS managed keys changed in May 2022. For details, see AWS managed keys.

  • Note When you begin using the new KMS key, be sure to keep the original KMS key enabled so that AWS KMS can decrypt data that the original KMS key encrypted.

  • Note Aliases that point to the latest version of a manually rotated KMS key are a good solution for the DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateMac, and Sign operations. Aliases are not permitted in operations that manage KMS keys, such as DisableKey or ScheduleKeyDeletion. When calling the Decrypt operation on manually rotated symmetric encryption KMS keys, omit the KeyId parameter from the command. AWS KMS automatically uses the KMS key that encrypted the ciphertext. The KeyId parameter is required when calling Decrypt or Verify with an asymmetric KMS key, or calling VerifyMac with an HMAC KMS key. These requests fail when the value of the KeyId parameter is an alias that no longer points to the KMS key that performed the cryptographic operation, such as when a key is manually rotated. To avoid this error, you must track and specify the correct KMS key for each operation.
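The alias and KeyId rules in the note above, as an added example that is not code from the AWS guide: Encrypt may be called through the alias, but the key ARN that Encrypt returns is what gets stored beside the ciphertext, so a later Decrypt on an asymmetric key still names the key that actually encrypted, even after the alias has been repointed. It assumes a boto3-style client passed in as `kms`; `FakeKMS` and the ARNs are constructed stand-ins so the block runs offline.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Stored:
    blob: bytes
    key_arn: str    # KeyId returned by Encrypt: the key ARN, never the alias
    algorithm: str  # EncryptionAlgorithm used: SYMMETRIC_DEFAULT or an RSA/SM2 one

def encrypt_via_alias(kms, alias, plaintext, algorithm="SYMMETRIC_DEFAULT"):
    # Encrypt accepts an alias; the response KeyId is the ARN of the key actually used.
    r = kms.encrypt(KeyId=alias, Plaintext=plaintext, EncryptionAlgorithm=algorithm)
    return Stored(r["CiphertextBlob"], r["KeyId"], algorithm)

def decrypt_kwargs(s):
    # Symmetric encryption key: omit KeyId, KMS finds the key from the ciphertext.
    if s.algorithm == "SYMMETRIC_DEFAULT":
        return {"CiphertextBlob": s.blob}
    # Asymmetric key: KeyId is required, so pass the tracked ARN, not a rotating alias.
    return {"CiphertextBlob": s.blob, "KeyId": s.key_arn, "EncryptionAlgorithm": s.algorithm}

def decrypt(kms, s):
    return kms.decrypt(**decrypt_kwargs(s))["Plaintext"]

class FakeKMS:
    """Constructed offline stand-in reproducing only the KeyId/alias rules above."""
    def __init__(self, aliases):
        self.aliases = dict(aliases)  # alias name -> key ARN it currently points to
        self.blobs = {}               # ciphertext -> ARN of the key that produced it

    def encrypt(self, KeyId, Plaintext, EncryptionAlgorithm):
        arn = self.aliases.get(KeyId, KeyId)
        blob = arn.encode() + b"|" + Plaintext
        self.blobs[blob] = arn
        return {"CiphertextBlob": blob, "KeyId": arn}

    def decrypt(self, CiphertextBlob, KeyId=None, EncryptionAlgorithm="SYMMETRIC_DEFAULT"):
        arn = self.blobs[CiphertextBlob]
        if EncryptionAlgorithm != "SYMMETRIC_DEFAULT" and self.aliases.get(KeyId, KeyId) != arn:
            raise RuntimeError("IncorrectKeyException: KeyId is not the key that encrypted this")
        return {"Plaintext": CiphertextBlob.split(b"|", 1)[1], "KeyId": arn}

    def update_alias(self, AliasName, TargetKeyId):  # manual rotation: repoint the alias
        self.aliases[AliasName] = TargetKeyId

def rotation_demo():
    # Constructed ARNs; 111122223333 is the placeholder account id used in AWS docs.
    kms = FakeKMS({"alias/app": "arn:aws:kms:us-east-1:111122223333:key/OLD-KEY-ID"})
    s = encrypt_via_alias(kms, "alias/app", b"secret", "RSAES_OAEP_SHA_256")
    kms.update_alias("alias/app", "arn:aws:kms:us-east-1:111122223333:key/NEW-KEY-ID")
    return decrypt(kms, s)  # succeeds: s.key_arn still names the key that encrypted
```

Passing the alias itself as `KeyId` to `FakeKMS.decrypt` after `update_alias` raises, which is the failure the note describes for a real asymmetric key.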

Using CloudFormation templates

  • Important If you change the value of the KeyUsage, KeySpec, or MultiRegion property of an existing KMS key, the existing KMS key is scheduled for deletion and a new KMS key is created with the specified value. While scheduled for deletion, the existing KMS key becomes unusable. If you don't cancel the scheduled deletion of the existing KMS key outside of AWS CloudFormation, all data encrypted under the existing KMS key becomes unrecoverable when the KMS key is deleted.

Deleting keys

  • Note If you close or delete your AWS account, your KMS keys become inaccessible and you are no longer billed for them. You do not need to schedule deletion of your KMS keys separately from closing the account.

Key state reference

