3

Scenario -
I created -
1. One S3 Bucket
2. Two KMS Keys
3. Enabled Default encryption on the S3 bucket, using KMS key #1
4. Uploaded a file in the bucket
5. Checked the object details; it showed Server-side encryption: AWS-KMS and the KMS key ID: ARN of KMS key #1
6. Changed the AWS S3 Default encryption and now chose KMS key #2
7. The old object still showed KMS key ID: ARN of KMS key #1

Questions -
1. Can the KMS key rotation be done before 1 year?
2. Is what I did the correct way to rotate an AWS KMS key? If not what's the correct way?
3. What happens to the older objects if the key gets deleted?

Vikyol
  • 5,051
  • 23
  • 24
Dev1ce
  • 5,390
  • 17
  • 90
  • 150

2 Answers

6

Automatic key rotation does not create a new CMK, it just rotates the HSM backing key. The old key is only used for decryption, whereas the new backing key is used for encrypting and decrypting new objects. On the other hand, manual key rotation requires you to create a new CMK and update the key alias to point to the new CMK. That means you have to maintain more than one CMK as long as you have objects encrypted with the old one.

When KMS encrypts an object, the generated ciphertext contains the HSM backing key identifier in cleartext. That is how KMS retrieves the key to decrypt the encrypted messages. As a result, KMS can decrypt a message as long as the backing key stored in ciphertext is not deleted. A backing key is only deleted if you delete a CMK.

Coming back to your questions:

  1. Yes, but you have to create a new CMK, as stated above.

  2. You can just update the key alias to point to the new CMK instead. It becomes much easier to rotate a CMK, especially if it is used to encrypt multiple buckets.

  3. You cannot decrypt the objects if you delete the CMK that is used to generate data keys. You should either re-encrypt all the objects using the new CMK or retain the old key.

Vikyol
  • 5,051
  • 23
  • 24
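The manual rotation this answer describes (switch the alias to the new CMK, then deal with objects still tied to the old one), as an added example that is not part of the answer or of any AWS sample. It assumes boto3 with working credentials; the alias name, bucket name and key ARNs are placeholders. The pure helpers `needs_reencrypt` and `plan_reencryption` work on HeadObject responses and need no AWS access; the constructed `SAMPLE_HEADS` mirrors the question's scenario.

```python
"""Manual CMK rotation via alias switch, plus re-encrypting S3 objects
that still reference the old CMK.

Added example (not from the question or either answer). Assumes:
  - boto3 is installed and credentials are configured
  - ALIAS, BUCKET and the two key ARNs are placeholders
"""
from __future__ import annotations

OLD_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/OLD-KEY-ID-PLACEHOLDER"
NEW_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/NEW-KEY-ID-PLACEHOLDER"
ALIAS = "alias/s3-default-encryption"   # hypothetical alias name
BUCKET = "example-bucket"                # hypothetical bucket


def needs_reencrypt(head: dict, target_key_arn: str) -> bool:
    """Decide from a HeadObject response whether an object must be copied
    onto the target CMK.

    S3 reports the CMK that actually protects the object in SSEKMSKeyId.
    Objects under SSE-S3 (AES256) or with no encryption have no such field
    and are flagged too, since the goal is 'everything under the new CMK'.
    """
    if head.get("ServerSideEncryption") != "aws:kms":
        return True
    return head.get("SSEKMSKeyId") != target_key_arn


def plan_reencryption(heads: dict[str, dict], target_key_arn: str) -> list[str]:
    """Return the object keys that still need to be re-encrypted."""
    return sorted(k for k, h in heads.items() if needs_reencrypt(h, target_key_arn))


def rotate_alias(kms, alias: str, new_key_id: str) -> None:
    """Step 1 of manual rotation: point the alias at the new CMK. Code that
    encrypts via the alias picks up the new CMK without changes; the old CMK
    stays enabled so existing ciphertext still decrypts."""
    kms.update_alias(AliasName=alias, TargetKeyId=new_key_id)


def reencrypt_bucket(s3, bucket: str, target_key_arn: str) -> list[str]:
    """Step 2: changing the bucket default encryption only affects future
    uploads, so each old object is copied onto itself under the new CMK.
    Returns the object keys that were re-encrypted."""
    heads = {}
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            heads[obj["Key"]] = s3.head_object(Bucket=bucket, Key=obj["Key"])
    todo = plan_reencryption(heads, target_key_arn)
    for key in todo:
        s3.copy_object(
            Bucket=bucket,
            Key=key,
            CopySource={"Bucket": bucket, "Key": key},
            MetadataDirective="COPY",          # keep user metadata as-is
            ServerSideEncryption="aws:kms",
            SSEKMSKeyId=target_key_arn,
        )
    return todo


# Constructed HeadObject responses mirroring the question: one object
# uploaded before the default was switched to key #2, one after, plus a
# legacy SSE-S3 object for contrast.
SAMPLE_HEADS = {
    "before-switch.txt": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": OLD_KEY_ARN},
    "after-switch.txt": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": NEW_KEY_ARN},
    "legacy-sse-s3.txt": {"ServerSideEncryption": "AES256"},
}

if __name__ == "__main__":
    import boto3  # only the live steps need it

    print("would re-encrypt:", plan_reencryption(SAMPLE_HEADS, NEW_KEY_ARN))
    rotate_alias(boto3.client("kms"), ALIAS, NEW_KEY_ARN)
    print("re-encrypted:", reencrypt_bucket(boto3.client("s3"), BUCKET, NEW_KEY_ARN))
```

The copy-onto-itself step is the part people forget after changing the bucket default: without it, the old objects keep pointing at key #1 exactly as observed in the question, and key #1 cannot be scheduled for deletion safely until `plan_reencryption` comes back empty. Single-request `copy_object` is limited to objects up to 5 GB; larger objects need a multipart copy.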
1

Can the KMS key rotation be done before 1 year?

Yes, but you will need to perform manual rotation. Automatic rotation is done once per year (if you enable this feature) and you cannot change the length of the interval.

Is what I did the correct way to rotate an AWS KMS key? If not what's the correct way?

While this is possible, it is not the best way to rotate your key (but this is really arguable and it depends on your security policies).

A CMK is not really a key. It is more like a logical container for backing keys which are then used to encrypt data keys that are used to encrypt data. What you might want to do is not to change the container (CMK) itself but rather the backing key stored "inside" of the CMK. This leads to the fact that you can still use the same CMK (you don't need to update any code or scripts) but the actual encryption key (the backing key in this case) will be different. AWS will store the old backing keys and it will allow you to seamlessly decrypt data because it stores pointers to which backing key was used for which data (data key really). But this assumes that all backing keys belong to the same CMK.

Also note that this has nothing to do with re-encryption. All the previously encrypted data stays encrypted with the same key; it is just that the new data is encrypted with the new backing key. If you need to re-encrypt your data, you will need to do it yourself.

What happens to the older objects if the key gets deleted?

When you do it the way described above, your old backing keys are not deleted so you don't need to worry about not being able to decrypt the data. They are still stored within KMS and they are only used to decrypt the old (corresponding) data.

If you have two separate CMKs and you delete one of them, all the data that is still encrypted using this CMK is forever lost (or at least forever encrypted, which is kind of the same). Note that not even AWS will be able to help you in such a situation. That is also the reason why there is a mandatory delay between keys being scheduled for deletion and the actual deletion of the key.

Matus Dubrava
  • 13,637
  • 2
  • 38
  • 54
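An offline model of the rules both answers lay out (a CMK as a container of backing keys, the backing-key identifier travelling with the ciphertext, a bucket default that only affects new uploads, and CMK deletion taking every backing key with it), written as an added example that is not AWS code or either answerer's. The classes `ToyCMK` and `ToyBucket` and the key names are invented for this example, and an HMAC-SHA256 keystream stands in for the real cipher so the script needs only the standard library.

```python
"""Offline model of KMS backing-key rotation versus CMK deletion.

Added example, not AWS code. ToyCMK and ToyBucket are invented names; the
toy HMAC-SHA256 stream cipher stands in for the real AES-GCM and must not
be reused for anything but this illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import os


class CMKDeleted(Exception):
    """Ciphertext refers to a backing key that no longer exists."""


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher: HMAC(key, nonce || counter) blocks, XORed with data.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


class ToyCMK:
    """Logical container of backing keys: the newest encrypts, all retained decrypt."""

    def __init__(self, key_id: str):
        self.key_id = key_id
        self._backing: dict[str, bytes] = {}
        self.rotate()

    def rotate(self) -> str:
        """Automatic rotation: add a backing key, keep the old ones."""
        bk_id = f"{self.key_id}/backing-{len(self._backing)}"
        self._backing[bk_id] = os.urandom(32)
        return bk_id

    def encrypt(self, plaintext: bytes) -> dict:
        bk_id = next(reversed(self._backing))  # newest backing key
        nonce = os.urandom(12)
        ks = _keystream(self._backing[bk_id], nonce, len(plaintext))
        # The backing-key id is stored in the clear alongside the ciphertext.
        return {"cmk": self.key_id, "backing_key_id": bk_id, "nonce": nonce,
                "blob": bytes(a ^ b for a, b in zip(plaintext, ks))}

    def decrypt(self, ct: dict) -> bytes:
        key = self._backing.get(ct["backing_key_id"])
        if key is None:
            raise CMKDeleted(ct["backing_key_id"])
        ks = _keystream(key, ct["nonce"], len(ct["blob"]))
        return bytes(a ^ b for a, b in zip(ct["blob"], ks))

    def delete(self) -> None:
        """Deleting the CMK discards every backing key, old ones included."""
        self._backing.clear()


class ToyBucket:
    """Bucket with default encryption; the default only applies to new uploads."""

    def __init__(self, default_cmk: ToyCMK):
        self.default_cmk = default_cmk
        self.objects: dict[str, dict] = {}
        self._cmks = {default_cmk.key_id: default_cmk}

    def set_default_encryption(self, cmk: ToyCMK) -> None:
        self.default_cmk = cmk
        self._cmks[cmk.key_id] = cmk  # existing objects are left untouched

    def put(self, key: str, data: bytes) -> None:
        self.objects[key] = self.default_cmk.encrypt(data)

    def get(self, key: str) -> bytes:
        ct = self.objects[key]
        return self._cmks[ct["cmk"]].decrypt(ct)

    def key_ids(self) -> dict[str, tuple[str, str]]:
        """(CMK shown in the console, backing key actually used) per object."""
        return {k: (ct["cmk"], ct["backing_key_id"]) for k, ct in self.objects.items()}


def walkthrough() -> dict:
    """Replay the question's scenario plus an automatic rotation and a CMK deletion."""
    key1 = ToyCMK("key1")
    bucket = ToyBucket(key1)
    bucket.put("first.txt", b"uploaded under key1, first backing key")
    key1.rotate()                        # automatic rotation: same CMK, new backing key
    bucket.put("second.txt", b"uploaded under key1, rotated backing key")
    key2 = ToyCMK("key2")
    bucket.set_default_encryption(key2)  # what the asker did in step 6
    bucket.put("third.txt", b"uploaded under key2")
    readable_before = {k: bucket.get(k) for k in bucket.objects}
    key1.delete()                        # the irreversible step
    readable_after = {}
    for k in bucket.objects:
        try:
            bucket.get(k)
            readable_after[k] = True
        except CMKDeleted:
            readable_after[k] = False
    return {"key_ids": bucket.key_ids(), "readable_before_delete": readable_before,
            "readable_after_key1_deleted": readable_after}


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(name, value)
```

Running it shows the three behaviours in one place: `first.txt` and `second.txt` both report key1 even though they use different backing keys and even after the bucket default moved to key2, everything still decrypts while key1 exists, and deleting key1 makes both of those objects unrecoverable while `third.txt` is unaffected.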