{"id":"8b712b0c-e206-4f28-8dd1-2a2c89e8d3f4","task":"Configure automatic key rotation in AWS KMS and Azure Key Vault and manage the rotation lifecycle","domain":"docs.aws.amazon.com","steps":["For AWS KMS symmetric keys, enable automatic key rotation via the console or EnableKeyRotation API; KMS rotates the key material annually (consult current docs for whether the rotation period is configurable) while keeping the same key ID and ARN","Understand that KMS retains all previous key material for decryption of older ciphertexts; rotation only affects new encryptions — existing ciphertexts do not need rewrapping immediately","For Azure Key Vault, configure a rotation policy on the key specifying rotation type (automatically rotate at a time before expiry or at a fixed interval), notification lead time, and expiry period","Enable Azure Key Vault near-expiry notifications via Event Grid to trigger automation that updates dependent services when a new key version is created","For asymmetric keys or keys in HSMs, automatic rotation may not be supported; implement a rotation workflow that generates a new key version, updates references in dependent systems, and schedules deactivation of the old version","Test rotation by verifying that data encrypted with the previous key version is still decryptable after rotation, and that new encryptions use the new key version"],"gotchas":["Automatic rotation in AWS KMS does not rotate customer-managed keys imported from external key material (BYOK); for imported key material, rotation requires manual re-import of new key material","Azure Key Vault key rotation creates a new key version but does not automatically update references in services that have cached the old key identifier URI; dependent services must be updated to use the latest-version URI or the versionless URI","Key rotation in isolation does not help if existing ciphertexts encrypted under old key versions are never rewrapped; define a rewrap timeline as part of your key rotation policy"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/8b712b0c-e206-4f28-8dd1-2a2c89e8d3f4"}