Managing key rotation

Key rotation is an essential best practice that prevents keys from being extensively reused.

Regular key rotation helps:

  • Limit the number of messages encrypted with the same key version.
  • Minimize the number of potentially vulnerable messages.
  • Ensure your system is resilient.

We recommend enabling automatic key rotation in your key management system. The frequency of your key rotation depends on how sensitive your data is, how many messages you need to encrypt, and whether you have to coordinate the rotation with external partners.

For symmetric encryption, use 30- to 90-day keys. For asymmetric encryption, the rotation frequency can be lower, but only if you can securely revoke keys.
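
One way to check a key inventory against the guidance above, as an added example that is not taken from any KMS or library. The `KeyRecord` fields, key names and dates are constructed for illustration. It assumes that "lower frequency" for an asymmetric key means rotating less often than every 90 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Upper bound of the 30- to 90-day range given above for symmetric keys.
MAX_SYMMETRIC_AGE = timedelta(days=90)

@dataclass
class KeyRecord:  # hypothetical inventory record, not a real KMS API type
    name: str
    symmetric: bool
    primary_created: datetime              # when the current primary version was created
    rotation_period: Optional[timedelta]   # None means automatic rotation is off
    revocable: bool = False                # asymmetric only: secure revocation available

def audit(key: KeyRecord, now: datetime) -> list[str]:
    """Return the rotation findings for one key (empty list = compliant)."""
    findings = []
    age = now - key.primary_created
    if key.rotation_period is None:
        findings.append("automatic rotation disabled")
    # "slow" = no schedule at all, or a schedule longer than the 90-day bound
    slow = key.rotation_period is None or key.rotation_period > MAX_SYMMETRIC_AGE
    if key.symmetric:
        if key.rotation_period is not None and slow:
            findings.append("rotation period longer than 90 days")
        if age > MAX_SYMMETRIC_AGE:
            findings.append(f"primary version is {age.days} days old")
    elif (slow or age > MAX_SYMMETRIC_AGE) and not key.revocable:
        # Asymmetric keys may rotate less often only if they can be securely revoked.
        findings.append("slower rotation without secure revocation")
    return findings

def report(keys, now):
    """Map key name -> findings, listing only keys that need attention."""
    return {k.name: f for k in keys if (f := audit(k, now))}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the result is reproducible
INVENTORY = [  # constructed sample data
    KeyRecord("db-field-encryption", True, NOW - timedelta(days=45), timedelta(days=60)),
    KeyRecord("legacy-backup", True, NOW - timedelta(days=400), None),
    KeyRecord("partner-signing", False, NOW - timedelta(days=200), timedelta(days=365)),
    KeyRecord("release-signing", False, NOW - timedelta(days=200), timedelta(days=365), True),
]

if __name__ == "__main__":
    for name, findings in report(INVENTORY, NOW).items():
        print(f"{name}: {'; '.join(findings)}")
```

In practice the records would be populated from your KMS's key listing, and the findings fed into whatever alerting you already use.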

Learn more in the documentation for your KMS: