AWS Security ChangesHomeSearch

AWS kms documentation change

Service: kms · 2025-12-10 · Documentation low

File: kms/latest/developerguide/finding-keys.md

Summary

Removed 'Single-Region' qualifier from symmetric encryption key rotation capabilities

Security assessment

This is a documentation clarification to indicate symmetric encryption keys with external origin (not just Single-Region) support on-demand rotation. No security implications or vulnerability mitigations are evident in the change.

Diff

diff --git a/kms/latest/developerguide/finding-keys.md b/kms/latest/developerguide/finding-keys.md
index b1e18a963..a2cd4c19f 100644
--- a//kms/latest/developerguide/finding-keys.md
+++ b//kms/latest/developerguide/finding-keys.md
@@ -86 +86 @@ Where: General configuration section
-Symmetric encryption keys with `AWS_KMS` origin support both automatic and on-demand rotation. Single-Region, symmetric encryption keys with `EXTERNAL` origin support on-demand rotation. These keys can have multiple key materials associated with the key. The most recently rotated key material can be used for both encryption and decryption. This key material is identified as the current key material. Other key materials can only be used for decryption. Automatic or on-demand key rotation of a KMS key changes its current key material.
+Symmetric encryption keys with `AWS_KMS` origin support both automatic and on-demand rotation. Symmetric encryption keys with `EXTERNAL` origin support on-demand rotation. These keys can have multiple key materials associated with the key. The most recently rotated key material can be used for both encryption and decryption. This key material is identified as the current key material. Other key materials can only be used for decryption. Automatic or on-demand key rotation of a KMS key changes its current key material.
@@ -130 +130 @@ Where: Key material tab
-The date and time when the key material for the KMS key expires. This field appears only for KMS keys with [imported key material](./importing-keys.html), that is, when the **Origin** is **External** and the KMS key has key material that expires. Single-Region, symmetric encryption keys can have multiple key materials associated with them. For such keys, this field indicates the earliest date and time when one of the associated key materials expires. 
+The date and time when the key material for the KMS key expires. This field appears only for KMS keys with [imported key material](./importing-keys.html), that is, when the **Origin** is **External** and the KMS key has key material that expires. Symmetric encryption keys can have multiple key materials associated with them. For such keys, this field indicates the earliest date and time when one of the associated key materials expires.