AWS kms documentation change
Summary
Expanded guidance on manual key rotation scenarios and updated supported operations for key aliases
Security assessment
Added references to on-demand rotation and multi-Region keys with imported material, plus expanded list of cryptographic operations where aliases are valid. These updates improve documentation about secure key management practices but do not address a specific security flaw.
Diff
diff --git a/kms/latest/developerguide/rotate-keys-manually.md b/kms/latest/developerguide/rotate-keys-manually.md index ad36726fe..5ec0ec512 100644 --- a//kms/latest/developerguide/rotate-keys-manually.md +++ b//kms/latest/developerguide/rotate-keys-manually.md @@ -7 +7 @@ -You might want to create a new KMS key and use it in place of a current KMS key instead of enabling automatic key rotation. When the new KMS key has different cryptographic material than the current KMS key, using the new KMS key has the same effect as changing the key material in an existing KMS key. The process of replacing one KMS key with another is known as _manual key rotation_. +You might want to create a new KMS key and use it in place of a current KMS key instead of using automatic or on-demand key rotation. When the new KMS key has different cryptographic material than the current KMS key, using the new KMS key has the same effect as changing the key material in an existing KMS key. The process of replacing one KMS key with another is known as _manual key rotation_. @@ -11 +11 @@ You might want to create a new KMS key and use it in place of a current KMS key -Manual rotation is a good choice when you want to rotate KMS keys that are not eligible for automatic key rotation, such as asymmetric KMS keys, HMAC KMS keys, KMS keys in [custom key stores](./key-store-overview.html#custom-key-store-overview), and KMS keys with [imported key material](./importing-keys.html). +Manual rotation is a good choice when you want to rotate KMS keys that are not eligible for automatic or on-demand key rotation, such as asymmetric KMS keys, HMAC KMS keys, KMS keys in [custom key stores](./key-store-overview.html#custom-key-store-overview), and multi-Region KMS keys with [imported key material](./importing-keys.html). @@ -21 +21 @@ When you rotate KMS keys manually, you also need to update references to the KMS -Aliases that point to the latest version of a manually rotated KMS key are a good solution for the [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html), [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html), [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html), [GenerateDataKeyPair](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair.html), [GenerateMac](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateMac.html), and [Sign](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html) operations. Aliases are not permitted in operations that manage KMS keys, such as [DisableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html) or [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html). +Aliases that point to the latest version of a manually rotated KMS key are a good solution for [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html), [GetPublicKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html) and cryptographic operations like [DeriveSharedSecret](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeriveSharedSecret.html), [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html), [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html), [GenerateDataKeyPair](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair.html), [GenerateMac](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateMac.html), [VerifyMac](https://docs.aws.amazon.com/kms/latest/APIReference/API_VerifyMac.html), [Sign](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html) and [Verify](https://docs.aws.amazon.com/kms/latest/APIReference/API_Verify.html). Aliases are not permitted in operations that manage KMS keys, such as [DisableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html) or [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html). @@ -65 +65 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Perform on-demand key rotation +List rotations and key materials