Rotating AWS KMS CMKs

  • Key rotation is a very important in key management and a security best practice. In AWS KMS there are different ways to rotate keys according to the way they were created.

Rotate the CMK key was created from AWS Key Material

Set up to automatically rotate Key Material every year

For CMKs created with AWS key material, AWS KMS also saves the CMK’s older cryptographic material, so it can be used to decrypt data that it encrypted. Automatic key rotation preserves the properties of the CMK: key ID, key ARN, region, policies, and permissions do not change when the key is rotated, so you don´t need to manually update the alias of the CMK to point to a newly generated CMK.

  1. Assign EnableKeyRotation permission for Rotating AWS KMS CMK
  • Go to AWS IAM Console.
  • Click Policies.
  • Type KMS-Workshop-ImportMaterialPermissions into the search bar, press Enter
  • Click KMS-Workshop-ImportMaterialPermissions Rotating CMK
  1. In the Summary page
  • Click Edit policy Rotating CMK
  1. In the Edit KMS-Workshop-ImportMaterialPermissions page
  • Click KMS
  • Click Actions
  • Type EnableKeyRotation into the search bar
  • Select EnableKeyRotation
  • Click Review policy Rotating CMK
  1. In the Review policy page
  • Click Save changes Rotating CMK
  1. Execute the below command to automatically Rotate AWS KMS CMK
aws kms enable-key-rotation --key-id <key ID of FirstCMK>

Rotating CMK

Another way to rotate the CMKs built with AWS key material is to generate a new key, then update the Alias for the CMK.
  1. Assign UpdateAlias permission to update the Alias for the CMK. Assign DeleteImportedKeyMaterial permission, DisableKey permission, EnableKey permission and ScheduleKeyDeletion permission to use in the next section.
  1. In the Create policy page
  • Click Service.
  • Type kms into the search bar.
  • Click KMS Rotating CMK
  1. In the Actions section
  • Assign UpdateAlias permission
    • Type UpdateAlias into the search bar
    • Select UpdateAlias Rotating CMK
  • Do the same for DeleteImportedKeyMaterial permission, DisableKey permission, EnableKey permission and ScheduleKeyDeletion permission
  1. In the Resources section
  • Click Resources
  • Select Specific
  • In the alias section, Select Any in this account
  • In the key section, Select Any in this account
  • Click Next:Tags Rotating CMK
  1. In the Add tags page
  • Click Next:Review Rotating CMK
  1. In the Review policy page
  • In the Name section, type KMSWorkshop-RotationDisableOps
  • Click Create Policy Rotating CMK
  1. Attach KMSWorkshop-RotationDisableOps policy to KMSWorkshop-InstanceInitRole role
  1. In the Permissions policies section
  • Click Add permissions.
  • Click Attach policies. Rotating CMK
  1. In the Other permissions policies section
  • Type KMSWorkshop-RotationDisableOps into the search bar, press Enter
  • Select KMSWorkshop-RotationDisableOps.
  • Click Attach policies. Rotating CMK
  1. Execute the below command to create the new CMK Key
aws kms create-key

Rotating CMK 11. Execute the below command to update the CMK Alias

aws kms update-alias --alias alias/FirstCMK --target-key-id <key ID of CMK we created in step 10>

Rotating CMK 12. To check we go to KMS Console

  • Click Customer managed keys Rotating CMK

Rotate the CMK was create by External Key Material

With the CMK was create by External Key Material, automatic rotation is not possible. You need to create a new CMK was create by External Key Material and update the CMK Alias

  1. Execute the below command để tạo External CMK mới
aws kms create-key --origin=EXTERNAL

Rotating CMK 2. Execute the command:

aws kms get-parameters-for-import --key-id <key ID of the External CMK we created in step 1>  --wrapping-algorithm RSAES_OAEP_SHA_1 --wrapping-key-spec RSA_2048

Rotating CMK 3. Copy PublicKey into pkey.b64 file.

  • Copy PublicKey.
  • Execute the command: vi pkey.b64. Rotating CMK
  • Press i to change Insert mode. Paste PublicKey we copied.
  • Press Esc.Type :wq.Press Enter to save and quit. Rotating CMK
  1. Do the same as PublicKey to copy ImportToken into token.b64 file.
  2. Use OpenSSL to decode to convert the b64 files into binary files are pkey.bin and token.bin
  • Execute the command: openssl enc -d -base64 -A -in pkey.b64 -out pkey.bin.
  • Execute the command: openssl enc -d -base64 -A -in token.b64 -out token.bin. Rotating CMK
  1. Execute the below command to generate a 256 bit symmetric key and stores into file genkey.bin. The key that the file contains is our key material for the CMK.
openssl rand -out genkey.bin 32

Rotating CMK

  1. Encrypt Key material and save into the file named WrappedKeyMaterial.bin.
  • Execute the command::
openssl rsautl -encrypt -in genkey.bin -oaep -inkey pkey.bin -keyform DER -pubin -out WrappedKeyMaterial.bin

Rotating CMK 8. Execute the command:

aws kms import-key-material --key-id <key ID of the External CMK we created in step 1> --encrypted-key-material fileb://WrappedKeyMaterial.bin --import-token fileb://token.bin --expiration-model KEY_MATERIAL_EXPIRES --valid-to 2022-06-02T12:00:00-08:00

Rotating CMK 9. Execute the below command to update the alias

aws kms update-alias --alias alias/ImportedCMK --target-key-id <key ID of the External CMK we created in step 1>

Rotating CMK 10. To check, we go to KMS Console

  • Click Customer managed keys Rotating CMK