

Showing posts from March, 2020

KMS key comparison cheat sheet

A frequent source of confusion; information skimmed from various resources:

| Key Type | Rotation | Expiration |
| --- | --- | --- |
| AWS managed CMK (format aws/service-name) | Required, automatically rotated every three years (1095 days). No manual process. | No |
| AWS owned CMKs (Customer Managed Keys) | Optional; if enabled, rotated every one year (365 days). The Key Rotation option only appears if Origin under Cryptographic configuration is AWS_KMS. | No |
| AWS owned CMKs (aka imported keys) / BYOK | Manual. No automatic rotation for asymmetric CMKs, CMKs with imported material, or CMKs with custom key stores. | Yes |

References:

- faqs/
- kms/latest/developerguide/concepts.html
- kms/latest/developerguide/rotate-keys.html