Reputation: 11
What happens to the CMK Key1 when rotated/expired/deleted and if we use CMK Alias for that CMK Key1: cross-account or even same account references?
What happens to the assets or objects that are encrypted with a "CMK Key1":
- when that key is rotated/expired/deleted and
- when we attach a "CMK ALIAS-xyz" on that "CMK Key1" (cross-account or even same account references)
Can the new "CMK Key2" which is also attached to the CMK Key1's Alias "CMK ALIAS-xyz" be used for re-encrypting the already existing data objects of the assets that were encrypted with the "CMK Key1", without any DOWNTIME/Code Changes?
When we rotate the Aliased keys, what happens to the direct references to the CMK in the code?
<PLEASE SHARE YOUR PRACTICAL EXPERIENCE - NOT JUST THEORETICAL DOCUMENTATION>
IMAGE - Pictorial representation of above questions
My Current observations:
SUPPORTING ALIASES/Points that say it is possible:
- Deleting an alias has no effect on the associated CMK.
- Cross-account use: Yes. To perform this operation with a CMK in a different AWS account, specify the key ARN or "alias ARN" in the value of the KeyId parameter. So, this means Alias comes with an ARN of its own, which is independent of the actual CMK.
- Principals who have permission to manage tags and aliases can also control access to a CMK. For details, see Using ABAC for AWS KMS.
- AWS KMS supports ABAC by allowing you to control access to your customer master keys (CMKs) based on the tags and aliases associated with the CMKs.
CONCERNs/Points that say it is not possible:
- These features do not allow you to identify a CMK by using an alias in the resource element of a policy statement. When an alias is the value of a resource element, the policy applies to the alias resource, not to any CMK that might be associated with it.
- We ran into a case with cross-account aliases not working, needing to use actual arn with that data asset of external clients. The only change our clients made was to whitelist arn's instead of aliases on their end, and they had the access.
Sources Referred To:
https://docs.aws.amazon.com/kms/latest/developerguide/alias-authorization.html
https://docs.aws.amazon.com/kms/latest/developerguide/alias-access.html
https://docs.amazonaws.cn/en_us/kms/latest/developerguide/abac.html
(Please ignore this if you wish) On a different note, if the CMK has imported key material, you cannot automate the Key Rotation: "You cannot automatically rotate asymmetric CMKs, CMKs with imported key material, or CMKs in custom key stores. However, you can rotate them manually." "When you begin using the new CMK, be sure to keep the original CMK enabled so that AWS KMS can decrypt data that the original CMK encrypted. When decrypting data, KMS identifies the CMK that was used to encrypt the data, and it uses the same CMK to decrypt the data. As long as you keep both the original and new CMKs enabled, AWS KMS can decrypt any data that was encrypted by either CMK."
Upvotes: 1
Views: 225
Answers (0)
Related Questions
- How exactly does encryption key rotation work?
- AWS KMS: What's the difference between CMK and key material?
- Does AWS KMS key rotation automatically re-encrypt SecureString values stored in SSM parameter store?
- How often are AWS owned CMKs rotated?
- AWS CMK vs Data Key clarification question
- AWS KMS Decrypt: How is the KMS Key configured?
- Change KMS encryption key on existing AWS resources
- Kinesis CMK manual rotation - can I assign alias to stream and rotate key manually every month?
- How AWS KMS determine which key to use when decrypt?
- AWS Access Key Rotation