What can be done to implement the above policy?
Enable automatic key rotation annually for the CMK.
Use the AWS Command Line Interface to create an AWS Lambda function that rotates the existing CMK annually.
Import new key material to the existing CMK and manually rotate the CMK.
Create a new CMK, import new key material to it, and point the key alias to the new CMK.
Explanations:
Automatic key rotation is not supported for imported key material in AWS KMS. The option is only applicable to AWS-managed keys, not to CMKs with imported key material.
While the AWS CLI and Lambda can facilitate automation, neither inherently supports rotating imported key material, so this option lacks the mechanism needed to rotate the key as the company policy requires.
Manually rotating the CMK by importing new key material does not fulfil the requirement of regular automatic rotation. It requires human intervention, which does not align with a seamless policy implementation.
Creating a new CMK, importing new key material into it, and pointing the existing key alias at the new CMK satisfies the rotation policy: callers that reference the alias are switched to the new key, and the encryption keys remain manageable while the company's annual rotation policy is followed.