For AWS KMS symmetric keys, enable automatic key rotation in the console or with the EnableKeyRotation API; KMS rotates the key material annually (check the current docs for whether the rotation period is configurable) while the key ID and ARN stay the same
Understand that KMS retains all previous key material so older ciphertexts remain decryptable; rotation affects only new encryptions, so existing ciphertexts do not need rewrapping immediately
For Azure Key Vault, configure a rotation policy on the key specifying rotation type (automatically rotate at a time before expiry or at a fixed interval), notification lead time, and expiry period
Enable Azure Key Vault near-expiry notifications via Event Grid to trigger automation that updates dependent services when a new key version is created
For asymmetric keys or keys in HSMs, automatic rotation may not be supported; implement a rotation workflow that generates a new key version, updates references in dependent systems, and schedules deactivation of the old version
Test rotation by verifying that data encrypted with the previous key version is still decryptable after rotation, and that new encryptions use the new key version
Known gotchas
Automatic rotation in AWS KMS does not apply to customer-managed keys whose key material was imported (BYOK); for imported key material, rotation requires manually importing new key material
Azure Key Vault key rotation creates a new key version but does not automatically update references in services that have cached the old key identifier URI; dependent services must be updated to use the latest-version URI or the versionless URI
Key rotation alone does nothing for data already encrypted under old key versions if those ciphertexts are never rewrapped; define a rewrap timeline as part of your key rotation policy
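As an added example (not from the original page), a pure-Python audit that applies the rotation checklist and the imported-material and asymmetric/HSM gotchas above to an AWS KMS key inventory; the sample records are constructed to mimic the shape of boto3's kms.describe_key and kms.get_key_rotation_status responses, and MAX_ROTATION_DAYS is an assumed policy value.

```python
# Constructed sample inventory shaped like boto3's kms.describe_key()["KeyMetadata"]
# and kms.get_key_rotation_status() responses; the key IDs are placeholders.
SAMPLE_INVENTORY = [
    ({"KeyId": "00000000-0000-0000-0000-000000000001", "KeyManager": "CUSTOMER",
      "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"},
     {"KeyRotationEnabled": False}),
    ({"KeyId": "00000000-0000-0000-0000-000000000002", "KeyManager": "CUSTOMER",
      "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"},
     {"KeyRotationEnabled": True, "RotationPeriodInDays": 365}),
    ({"KeyId": "00000000-0000-0000-0000-000000000003", "KeyManager": "CUSTOMER",
      "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "EXTERNAL", "KeyState": "Enabled"},
     {"KeyRotationEnabled": False}),
    ({"KeyId": "00000000-0000-0000-0000-000000000004", "KeyManager": "CUSTOMER",
      "KeySpec": "RSA_2048", "Origin": "AWS_KMS", "KeyState": "Enabled"},
     {"KeyRotationEnabled": False}),
    ({"KeyId": "00000000-0000-0000-0000-000000000005", "KeyManager": "AWS",
      "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS", "KeyState": "Enabled"},
     {"KeyRotationEnabled": True}),
]
MAX_ROTATION_DAYS = 365  # assumed organizational policy; adjust to your standard

def classify_key(meta, rotation, max_days=MAX_ROTATION_DAYS):
    """Return (finding, action) for one key. Automatic rotation only covers symmetric
    keys whose material KMS generated; imported material must be re-imported by hand,
    and asymmetric or HSM-backed keys need the manual new-version workflow."""
    if meta["KeyManager"] == "AWS":
        return "aws-managed", "no action: AWS rotates these keys itself"
    if meta["KeyState"] != "Enabled":
        return "not-in-service", "review key lifecycle before assessing rotation"
    if meta["Origin"] == "EXTERNAL":
        return "imported-material", "schedule a manual re-import of new key material"
    if meta["KeySpec"] != "SYMMETRIC_DEFAULT" or meta["Origin"] != "AWS_KMS":
        return "manual-rotation", "create new version, update references, deactivate old"
    if not rotation.get("KeyRotationEnabled"):
        return "rotation-disabled", "call EnableKeyRotation"
    period = rotation.get("RotationPeriodInDays", 365)  # KMS rotates annually by default
    if period > max_days:
        return "period-too-long", f"rotation every {period}d exceeds policy of {max_days}d"
    return "ok", f"automatic rotation every {period}d"

def audit(inventory, max_days=MAX_ROTATION_DAYS):
    """Map KeyId -> (finding, action) so results can be reported or asserted on."""
    return {meta["KeyId"]: classify_key(meta, rot, max_days) for meta, rot in inventory}

if __name__ == "__main__":
    for key_id, (finding, action) in audit(SAMPLE_INVENTORY).items():
        print(f"{key_id}  {finding:<18} {action}")
```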