The curious case of faster AWS KMS symmetric key rotation

Security Blog

This article discusses the new options for faster symmetric key rotation in AWS Key Management Service (AWS KMS), including configurable rotation periods (90 days to 7 years), on-demand rotation, improved visibility into rotation history, and a price cap for keys with more than two rotations.

Specifically, the article covers:

The historical reasons for cryptographic key rotation, such as limiting data exposure and preventing cryptanalytic attacks due to key wear-out
How AWS KMS mitigates the risks of key leakage and wear-out through its hardened key protection and key derivation functions
Why AWS KMS still offers key rotation capabilities to meet compliance requirements for various industries
The new flexible options for automatic and on-demand key rotation in AWS KMS, as well as improved visibility into rotation history
A price cap for keys with more than two rotations, reducing costs for customers with frequently rotated keys

Go to article

The AWS News Feed is currently looking for gold sponsors. If you want to support the AWS community and reach a large audience of AWS professionals, consider sponsoring the AWS News Feed.

Jun 6
2025

AWS KMS launches on-demand key rotation for imported keys

Apr 3
2026

How AWS KMS and AWS Encryption SDK overcome symmetric encryption bounds

Feb 6
2024

How to migrate asymmetric keys from CloudHSM to AWS KMS

Jun 17
2024

AWS KMS now supports Elliptic Curve Diffie-Hellman (ECDH) key agreement

The AWS News Feed is currently looking for silver sponsors. If you want to support the AWS community and reach a large audience of AWS professionals, consider sponsoring the AWS News Feed.

The curious case of faster AWS KMS symmetric key rotation

Related articles