Does AWS KMS key rotation automatically re-encrypt SecureString values stored in SSM parameter store

Time:11-05

I have a customer managed key encrypting secret parameters as SecureString in SSM Parameter store. I'm deciding whether I should allow AWS to automatically rotate those keys. It would be nice to not have to worry about re-encrypting the secrets manually.

This is how I set the parameters:

# Create or update a SecureString parameter encrypted with the customer managed key
aws ssm put-parameter \
    --region "$region" \
    --name "$name" \
    --value "$value" \
    --type "SecureString" \
    --key-id "$keyId" \
    --overwrite

CodePudding user response:

No, Parameter Store itself doesn't have an automatic key rotation service. But they do provide another service for this, i.e., Secrets Manager.

Quote from the docs.

Parameter Store doesn't provide automatic rotation services for stored secrets. Instead, Parameter Store enables you to store your secret in Secrets Manager, and then reference the secret as a Parameter Store parameter.
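
The manual re-encryption the question mentions, written out as an added example (not code from the original post or from AWS): it reads a SecureString back with decryption and writes it again with the same `put-parameter` call, so the new parameter version is encrypted by KMS at write time. The function name `reencrypt_parameter` and its argument order are assumptions made for this example.

```shell
#!/bin/sh
# Added example: re-write one SecureString parameter so that a fresh
# ciphertext is produced under the given KMS key.
# usage: reencrypt_parameter <region> <parameter-name> <kms-key-id-or-alias>
# The body runs in a subshell "( ... )" so its variables do not leak.
reencrypt_parameter() (
    region=$1 name=$2 key_id=$3

    # Only touch SecureString parameters: rewriting a String or StringList
    # with --type SecureString would silently change its type.
    ptype=$(aws ssm get-parameter --region "$region" --name "$name" \
        --query 'Parameter.Type' --output text) || exit 1
    if [ "$ptype" != "SecureString" ]; then
        echo "skip $name: type is $ptype" >&2
        exit 2
    fi

    # Decrypt with whatever key material the stored version was written under.
    # Note: $(...) strips trailing newlines from the value.
    value=$(aws ssm get-parameter --region "$region" --name "$name" \
        --with-decryption --query 'Parameter.Value' --output text) || exit 1

    # Write the value back; --overwrite creates a new parameter version.
    # As in the question's command, the secret is passed as an argument,
    # so it is visible to anyone who can list processes on this host.
    aws ssm put-parameter --region "$region" --name "$name" \
        --value "$value" --type SecureString --key-id "$key_id" \
        --overwrite >/dev/null
)

# Example call (placeholder names):
#   reencrypt_parameter eu-west-1 /app/db/password alias/app-key
```

Earlier versions of the parameter stay in its history with their original ciphertext, so the caller needs `ssm:GetParameter`, `ssm:PutParameter`, `kms:Decrypt` and `kms:Encrypt` only for the rewrite itself.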
