Key Rotation in the Cloud

Like it or not, your encryption key is often your key to the castle and must be properly protected. While in the past we kept these keys behind firewalls, these days we often use the public cloud to store our keys.

One of the best practices for the use of encryption keys is key rotation: after a given period of time, a new key is used for encryption. But what happens to content that was encrypted under the previous key? For this we need the cloud provider to manage the keys so that every previously used key is retained and can still decrypt the content it protected.

In AWS we have KMS keys, and we can create a customer-managed symmetric key using:

and then define the key alias and description:

After this, we define who administers and who can use the key. The created key has a key policy of the form:

{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::103269750866:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::103269750866:user/fred"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::103269750866:user/fred"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::103269750866:user/fred"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

To enable key rotation, we can then select the key, and enable it as an option:

With this enabled, AWS KMS will rotate the key automatically every year. The same can be done from the CLI, and the rotation status can then be checked:

% aws kms enable-key-rotation --key-id baca53c6-091e-4e7c-a3be-85303b05b023

% aws kms get-key-rotation-status --key-id baca53c6-091e-4e7c-a3be-85303b05b023
{
    "KeyRotationEnabled": true
}

All of the previous key material is retained in AWS KMS, and rotation events can be tracked with CloudWatch or CloudTrail. We can also list our keys with:

% aws kms list-aliases
{
    "Aliases": [
        {
            "AliasName": "alias/MyNewKey",
            "AliasArn": "arn:aws:kms:us-east-1:103269750866:alias/MyNewKey",
            "TargetKeyId": "baca53c6-091e-4e7c-a3be-85303b05b023",
            "CreationDate": 1669465874.278,
            "LastUpdatedDate": 1669465874.278
        },

    ]
}

The identity of the key (its key ID, ARN and alias) does not change with key rotation, so callers keep referring to the same key while KMS selects the correct key material to decrypt.
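Because the key ID and alias stay constant across rotations, an inventory can be built from `list-aliases` and checked key by key. The following is an added example, not code from the original post: it takes the `list-aliases` output shown above (embedded as a constructed sample, with a second hypothetical alias "alias/LegacyKey" and a placeholder key id added purely to show a failing case), skips AWS-managed aliases (whose keys rotate automatically and cannot be configured), and reports every customer alias whose key does not have rotation enabled. The rotation status for each key id is supplied by a lookup function; the offline demo uses an embedded dictionary, and the `live_rotation_status` helper shows the `aws kms get-key-rotation-status` call that would replace it.

```python
"""Inventory customer-managed KMS keys by alias and report those whose
automatic rotation is not enabled."""
import json
import subprocess

# Constructed sample: the `aws kms list-aliases` output shown above, plus a
# hypothetical second alias (placeholder key id) whose rotation is off, and an
# AWS-managed alias that has no key material yet and must be ignored.
SAMPLE_ALIASES = """{
  "Aliases": [
    {
      "AliasName": "alias/MyNewKey",
      "AliasArn": "arn:aws:kms:us-east-1:103269750866:alias/MyNewKey",
      "TargetKeyId": "baca53c6-091e-4e7c-a3be-85303b05b023",
      "CreationDate": 1669465874.278,
      "LastUpdatedDate": 1669465874.278
    },
    {
      "AliasName": "alias/LegacyKey",
      "AliasArn": "arn:aws:kms:us-east-1:103269750866:alias/LegacyKey",
      "TargetKeyId": "00000000-0000-0000-0000-000000000000",
      "CreationDate": 1600000000.0,
      "LastUpdatedDate": 1600000000.0
    },
    {
      "AliasName": "alias/aws/ebs",
      "AliasArn": "arn:aws:kms:us-east-1:103269750866:alias/aws/ebs"
    }
  ]
}"""

# Constructed sample of `aws kms get-key-rotation-status` output per key id.
SAMPLE_ROTATION = {
    "baca53c6-091e-4e7c-a3be-85303b05b023": '{"KeyRotationEnabled": true}',
    "00000000-0000-0000-0000-000000000000": '{"KeyRotationEnabled": false}',
}


def customer_aliases(aliases_json):
    """Map alias name -> target key id for customer-managed keys only.

    AWS-managed aliases (alias/aws/...) are skipped: their keys rotate on
    AWS's schedule and rotation cannot be enabled or disabled by the user.
    Aliases without a TargetKeyId have no key yet and are skipped too."""
    out = {}
    for alias in json.loads(aliases_json)["Aliases"]:
        name = alias["AliasName"]
        if name.startswith("alias/aws/") or "TargetKeyId" not in alias:
            continue
        out[name] = alias["TargetKeyId"]
    return out


def rotation_enabled(status_json):
    """Parse a get-key-rotation-status document into a boolean."""
    return bool(json.loads(status_json).get("KeyRotationEnabled", False))


def keys_without_rotation(aliases_json, status_lookup):
    """Sorted aliases whose key is not set to rotate.

    status_lookup(key_id) must return the JSON text of get-key-rotation-status
    for that key; the demo passes an in-memory dictionary lookup."""
    return sorted(name for name, key_id in customer_aliases(aliases_json).items()
                  if not rotation_enabled(status_lookup(key_id)))


def live_rotation_status(key_id):
    """Query AWS for one key; needs the aws CLI and credentials.
    Not used by the offline demo."""
    result = subprocess.run(
        ["aws", "kms", "get-key-rotation-status", "--key-id", key_id],
        check=True, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("customer aliases:", customer_aliases(SAMPLE_ALIASES))
    print("rotation disabled:",
          keys_without_rotation(SAMPLE_ALIASES, SAMPLE_ROTATION.__getitem__))
```

Swapping `SAMPLE_ROTATION.__getitem__` for `live_rotation_status` and the embedded text for the output of `aws kms list-aliases` turns the demo into a periodic check that catches keys where the rotation box was never ticked.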

Conclusions

In AWS KMS, it's a single tick box to enable key rotation.