AWS KMS Rotations and its impact on AWS Backup Recovery Points

Sabith Venkitachalapathy
#kms#awsbackup#blog

This post examines AWS Key Management Service (KMS) key rotation and its impact on AWS Backup recovery points. In a threat landscape that changes quickly, maintaining strong security and compliance controls matters, so we look at why regular KMS key rotation is significant, the role it plays in protecting sensitive data, and how it helps meet regulatory requirements.

Fortifying Data Security: The Power of Regular KMS Key Rotations

Cryptographic best practice discourages extensive reuse of keys that encrypt data directly, such as the data keys that AWS KMS generates. When a 256-bit data key encrypts millions of messages it can become exhausted and begin to produce ciphertext with subtle patterns that a capable attacker can exploit to recover bits of the key. To avoid this key exhaustion, it is best to use each data key once, or only a few times, which effectively rotates the key material.

However, KMS keys are most often used as wrapping keys, also known as key-encryption keys. Instead of encrypting data, wrapping keys encrypt the data keys that encrypt your data. As such, they are used far less often than data keys, and are almost never reused enough to risk key exhaustion.

Despite this very low exhaustion risk, you might be required to rotate your KMS keys due to business or contract rules or government regulations. When you are compelled to rotate KMS keys, we recommend that you use automatic key rotation where it is supported, and manual key rotation when automatic key rotation is not supported.
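To make the two patterns above concrete, here is an added, stdlib-only Python simulation (not AWS code and not a real KMS client): a wrapping key with versioned backing material that is rotated while older versions are retained for decryption, and a fresh data key generated for every record. The cipher is an HMAC-based keystream stand-in for AES-GCM, used only so the example runs offline.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass, field

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256; stand-in for AES-GCM, not for real use."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, out))

@dataclass
class WrappingKey:
    """Simulated KMS key (hypothetical): one key ID, a list of backing-material versions."""
    versions: list = field(default_factory=lambda: [secrets.token_bytes(32)])

    def rotate(self) -> int:
        # Automatic rotation adds new material; old versions stay so old ciphertext decrypts.
        self.versions.append(secrets.token_bytes(32))
        return len(self.versions) - 1

    def generate_data_key(self) -> tuple[bytes, bytes]:
        # Each call yields a brand-new data key, wrapped under the newest version.
        plaintext_key = secrets.token_bytes(32)
        version = len(self.versions) - 1
        nonce = secrets.token_bytes(12)
        wrapped = keystream_xor(self.versions[version], nonce, plaintext_key)
        return plaintext_key, bytes([version]) + nonce + wrapped

    def unwrap(self, blob: bytes) -> bytes:
        # The blob records which version wrapped it, so rotation never breaks decryption.
        version, nonce, wrapped = blob[0], blob[1:13], blob[13:]
        return keystream_xor(self.versions[version], nonce, wrapped)

def encrypt_record(kms: WrappingKey, plaintext: bytes) -> tuple[bytes, bytes]:
    data_key, wrapped_key = kms.generate_data_key()   # data key used exactly once
    nonce = secrets.token_bytes(12)
    return wrapped_key, nonce + keystream_xor(data_key, nonce, plaintext)

def decrypt_record(kms: WrappingKey, wrapped_key: bytes, ciphertext: bytes) -> bytes:
    data_key = kms.unwrap(wrapped_key)
    return keystream_xor(data_key, ciphertext[:12], ciphertext[12:])

def demo() -> tuple[bytes, bytes, int, int]:
    # Constructed sample records standing in for two backup recovery points.
    kms = WrappingKey()
    wk1, ct1 = encrypt_record(kms, b"recovery point 1")
    kms.rotate()                                       # rotate the wrapping key
    wk2, ct2 = encrypt_record(kms, b"recovery point 2")
    return (decrypt_record(kms, wk1, ct1), decrypt_record(kms, wk2, ct2), wk1[0], wk2[0])
```

Running `demo()` shows the record wrapped under version 0 still decrypts after rotation, while new records are wrapped under version 1.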