AWS kms documentation change
Summary
Removed rotation capability statement for AWS-generated key material. Added guidance about storing key metadata and warnings about multi-key material dependencies.
Security assessment
The changes emphasize critical key management practices (storing ARN/material ID) and highlight risks of key material loss. While these are security best practices, there's no direct evidence of patching a security vulnerability. The removal of rotation statement appears to be documentation correction rather than security fix.
Diff
diff --git a/kms/latest/developerguide/import-keys-protect.md b/kms/latest/developerguide/import-keys-protect.md index 7ff4d66e3..86d3391cd 100644 --- a//kms/latest/developerguide/import-keys-protect.md +++ b//kms/latest/developerguide/import-keys-protect.md @@ -19 +19 @@ This difference in durability is meaningful in the following cases: -You cannot delete key material that AWS KMS generates for a KMS key and you cannot set AWS KMS key material to expire, although you can [rotate it](./rotate-keys.html). +You cannot delete key material that AWS KMS generates for a KMS key and you cannot set AWS KMS key material to expire. @@ -28 +28,5 @@ You cannot delete key material that AWS KMS generates for a KMS key and you cann -You _must_ retain a copy of the imported key material outside of AWS in a system that you control. We recommend that you store an exportable copy of the imported key material in a key management system, such as an HSM. If your imported key material is deleted or expires, its associated KMS key becomes unusable until you reimport the same key material. If your imported key material is permanently lost, any ciphertext encrypted under the KMS key is unrecoverable. +You _must_ retain a copy of the imported key material outside of AWS in a system that you control. We recommend that you store an exportable copy of the imported key material in a key management system, such as an HSM. As a best practice, you should store a reference to the KMS key ARN and the key material ID generated by AWS KMS alongside the exportable copy of the key material. If your imported key material is deleted or expires, its associated KMS key becomes unusable until you reimport the same key material. If your imported key material is permanently lost, any ciphertext encrypted under the KMS key is unrecoverable. + +###### Important + +Single-Region, symmetric encryption keys can have multiple key materials associated with them. The entire KMS key becomes unusable as soon as you delete any one of those key materials or if any one of those key materials expires (unless the deleted or expiring key material is `PENDING_ROTATION`). You must reimport any expired or deleted key materials associated with such a key before the key becomes usable for cryptographic operations.