AWS Security ChangesHomeSearch

AWS kms documentation change

Service: kms · 2025-12-10 · Documentation low

File: kms/latest/developerguide/import-keys-protect.md

Summary

Added 'PENDING_MULTI_REGION_IMPORT_AND_ROTATION' as exception state where key material expiration/deletion doesn't make key unusable

Security assessment

Documents new exception state for key material lifecycle management. While related to security operations, no evidence indicates this addresses a specific vulnerability. Enhances documentation about key availability during rotation workflows.

Diff

diff --git a/kms/latest/developerguide/import-keys-protect.md b/kms/latest/developerguide/import-keys-protect.md
index 86d3391cd..a757aabf4 100644
--- a//kms/latest/developerguide/import-keys-protect.md
+++ b//kms/latest/developerguide/import-keys-protect.md
@@ -32 +32 @@ You _must_ retain a copy of the imported key material outside of AWS in a system
-Single-Region, symmetric encryption keys can have multiple key materials associated with them. The entire KMS key becomes unusable as soon as you delete any one of those key materials or if any one of those key materials expires (unless the deleted or expiring key material is `PENDING_ROTATION`). You must reimport any expired or deleted key materials associated with such a key before the key becomes usable for cryptographic operations. 
+Symmetric encryption keys can have multiple key materials associated with them. The entire KMS key becomes unusable as soon as you delete any one of those key materials or if any one of those key materials expires (unless the deleted or expiring key material is `PENDING_ROTATION` or `PENDING_MULTI_REGION_IMPORT_AND_ROTATION`). You must reimport any expired or deleted key materials associated with such a key before the key becomes usable for cryptographic operations.