Good read: https://aws.amazon.com/blogs/aws/amazon-s3-update-three-new-security-access-control-features/
A frequent source of confusion. Information skimmed from various resources:

| Key Type | Rotation | Expiration |
|---|---|---|
| AWS managed CMK (format aws/service-name) | Required, automatically rotated every three years (1095 days). No manual process. | No |
| AWS owned CMKs (Customer Managed Keys) | Optional; if enabled, rotated every one year (365 days). The Key Rotation option only appears if Origin under Cryptographic configuration is AWS_KMS. | No |
| AWS owned CMKs (aka imported keys) / BYOK | Manual. No automatic rotation for asymmetric CMKs, CMKs with imported material or CMKs with custom key stores. | Yes |

References:
https://aws.amazon.com/kms/faqs/
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
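To check which of the key types listed above an account actually holds, the following sketch (an added example, not code from the referenced AWS pages) groups keys by rotation model from their DescribeKey metadata and reports the ones that need attention. The function names `rotation_model` and `audit` are hypothetical; the boto3 calls used are `list_keys`, `describe_key` and `get_key_rotation_status`.

```python
"""Added example: group KMS keys by rotation model and flag keys needing attention."""


def rotation_model(meta):
    """Classify a DescribeKey KeyMetadata dict -> (model, material_expires)."""
    if meta.get("KeyManager") == "AWS":
        # AWS managed key (alias aws/service-name): rotation is handled by AWS
        return "automatic-required", False
    symmetric = meta.get("KeySpec") == "SYMMETRIC_DEFAULT"
    if meta.get("Origin") == "AWS_KMS" and symmetric:
        # Customer managed, KMS-generated material: rotation is opt-in
        return "automatic-optional", False
    # Asymmetric keys, imported material (EXTERNAL), custom key stores
    expires = meta.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES"
    return "manual", expires


def audit(kms):
    """Return (key_id, note) findings for enabled keys; `kms` is a boto3 KMS client."""
    findings = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            if meta.get("KeyState") != "Enabled":
                continue
            model, expires = rotation_model(meta)
            if model == "automatic-optional":
                # Only query rotation status for keys that support automatic rotation
                status = kms.get_key_rotation_status(KeyId=meta["KeyId"])
                if not status["KeyRotationEnabled"]:
                    findings.append(
                        (meta["KeyId"], "automatic rotation available but disabled"))
            elif model == "manual":
                note = "manual rotation required"
                if expires:
                    note += f"; key material expires {meta.get('ValidTo')}"
                findings.append((meta["KeyId"], note))
    return findings


if __name__ == "__main__":
    # Needs credentials allowing kms:ListKeys, kms:DescribeKey, kms:GetKeyRotationStatus
    import boto3
    for key_id, note in audit(boto3.client("kms")):
        print(key_id, "-", note)
```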