Does the S3 EncryptionV2 client support keys with KMS key rotation enabled? #2869
Replies: 3 comments
-
I think so, according to this page: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
You can test with a manually rotated key, too.
-
Ahh, thanks for that reference. When I was glancing at the API for KMS, I was surprised there was no API to pull old versions of an auto-rotated key, so it sounds like there's nothing needed on the client side to automatically handle it. Regarding your note about the manually rotated key, it looks like the key id changes when you perform a manual rotation, so that would be fairly straightforward with the given interface; you'd just pass in the key id of the old key. But with automatic key rotation, the key id does not change, so I don't see any easy way to test that flow. At any rate, I'll mark this as answered then. I'll let you know in a year if it doesn't work lol.
-
Hello! Reopening this discussion to make it searchable.
-
I assume the answer to this is "yes", but I wanted to double-check: is the EncryptionV2 client able to decrypt objects from more than a year ago that were encrypted against a KMS key that has since been rotated? Unfortunately, it seems like there's no way to really test this unless I wait a year for the key to rotate haha.
Thanks!