Bijou Trouvaille

Reputation: 9454

Does AWS KMS key rotation automatically re-encrypt SecureString values stored in SSM parameter store?

I have a customer managed key encrypting secret parameters as SecureString in SSM Parameter store. I'm deciding whether I should allow AWS to automatically rotate those keys. It would be nice to not have to worry about re-encrypting the secrets manually.

This is how I set the parameters:

aws ssm put-parameter \
    --region "$region" \
    --name "$name" \
    --value "$value" \
    --type "SecureString" \
    --key-id "$keyId" \
    --overwrite

Upvotes: 1

Views: 514

Answers (1)

Winson Tanputraman

Reputation: 3703

No, Parameter Store itself doesn't have an automatic key rotation service. But they do provide another service for this, i.e., Secrets Manager.

Quote from the docs.

Parameter Store doesn't provide automatic rotation services for stored secrets. Instead, Parameter Store enables you to store your secret in Secrets Manager, and then reference the secret as a Parameter Store parameter.

Upvotes: 3
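
The pattern from the quoted documentation, as an added example that is not part of the answer above: the value is created in Secrets Manager under the same customer managed key and then read back through the Parameter Store API using the reserved `/aws/reference/secretsmanager/` path. It assumes the AWS CLI with credentials configured; the function names and their arguments are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Reserved Parameter Store path that resolves to a Secrets Manager secret.
SM_REF_PREFIX="/aws/reference/secretsmanager/"

# Store the value in Secrets Manager, encrypted under the customer managed key.
create_secret() {  # args: region, secret name, value, KMS key id
    aws secretsmanager create-secret \
        --region "$1" \
        --name "$2" \
        --secret-string "$3" \
        --kms-key-id "$4"
}

# Build the Parameter Store name that references a Secrets Manager secret.
secret_ref_name() {  # args: secret name (or an existing reference)
    case "$1" in
        "") echo "secret name required" >&2; return 1 ;;
        "$SM_REF_PREFIX"*) printf '%s\n' "$1" ;;   # already a reference path
        *) printf '%s%s\n' "$SM_REF_PREFIX" "$1" ;;
    esac
}

# Read the secret through Parameter Store. --with-decryption is mandatory
# for Secrets Manager references; the call fails without it.
get_secret_via_ssm() {  # args: region, secret name
    local ref
    ref=$(secret_ref_name "$2") || return 1
    aws ssm get-parameter \
        --region "$1" \
        --name "$ref" \
        --with-decryption \
        --query 'Parameter.Value' \
        --output text
}
```

The caller needs permissions for the SSM read and the Secrets Manager read, plus `kms:Decrypt` on the key.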
