Will KMS automatically generate new key versions after a while if I don't do it manually? If I create a key and use it for encryption (and not specify rotation period or next rotation time), will the same key last forever without creating new versions?
I remember reading it will do it automatically somewhere in the documentation a few days ago and now I can't find that page.
There's no obligation to do rotation. If you don't specify a rotation schedule, your key won't change unless you manually rotate it.
If you do use rotation (either automatic or manual), old key versions will be available for decryption indefinitely unless you delete them.
The page you cannot locate may be Key rotation | Cloud KMS Documentation | Google Cloud Platform.
Related
AWS SecretManager Read and Write concurrency.
If I am writing new secret value to a secret and if at the same time read is performed,
does the read call waits for he write calls to complete?
Or read will retrieve some invalid or intermediate value of the keys stored inside the secret?
By default, the GetSecretValue API returns the version of the secret that has the AWSCURRENT stage. It also allows you to fetch older versions of a secret by specifying the VersionId. Versions are also immutable and if you call PutSecretValue you create a new version.
You won't get partial versions here - the label AWSCURRENT will only be switched to the new version once the update is complete. Everything else would result in a terrible user experience.
I've created users with API Keys in a cloudformation yaml file. We want to renew one API Key but an API Key is immutable so has to be deleted and regenerated. Deleting an API Key manually and then hoping that rerunning the cloudformation script is going to replace it with no other ill effects seems like risky business. What is the recommended way to do this (I'd prefer not to drop and recreate the entire stack for availability reasons and because I only want to renew one of our API keys, not all of them)?
The only strategy I can think of right now is
change the stack so that the name associated with the API Key in question is changed
deploy the stack (which should delete the old API Key and create the new one)
change the stack to revert the 1st change which should leave me with a changed API Key
with same name
deploy the stack
Clunky eh!
It is indeed a bit clunky, but manually deleting it, will not cause cloudformation to recreate the API key, since it has an internal state of the stack in which the key still exists.
You could simply change the resource name of the API key and update the stack, but this will only work if you can have duplicate names for API keys, which I doubt, but I could not find confirmation in the docs.
This leaves the only way to do it, in two steps (if you want to keep the same name). One to remove the old key, and a second update to create the new key. This can be achieved by simply commenting the corresponding lines in the first step and subsequently uncommenting them for the second step, or as you suggested, by changing the name of the API key and then changing it back.
I have created a "other type of secret". I have also added a lambda function as give in this template. Now when I try to rotate immediately its saying "Fail to rotate the secret "TEST_SECRET_ROTATING" A previous rotation isn't complete. That rotation will be reattempted." The rotation time is one day, even next day I see secrete is not updated. I simply added that lambda function. Do I need to define any parameter or any other lambda settings. I also see in documentation that If you enable automatic rotation, the first rotation will happen immediately when you store this secret. But I don`t see this rotation even first time. I also followed this question here. I was able to find version id of AWSPENDING stage, I delete this version ID> click on rotate secret immediately > I see "Secret successfully scheduled for rotation" > but secret us not changed yet, Is there any issue with lambda code now?
The answer given in other question is good but there were couple of changes I have to do, The code template didnt say that we need to create a VPC endpoint for secret manager "SECRETS_MANAGER_ENDPOINT", We need to give KMS key permission to lambda role, We need to add VPC in lambda function as told by John, I also had to comment "raise NotImplementedError" in both set_secret, test_secret and give pass.
I want to introduce key rotation to my system but for that reencryption is needed. It would be nice to do it reactively on some event, trigger etc., but I can't find anything like that at google documentation.
After a rotate event, I want to reencrypt data with the new key and destroy the old one.
Any ideas, how to achieve this goal?
As of right now, the best that you can do is write something that polls GetCryptoKey on regular intervals, checks to see if the primary version has changed, and then decrypts and reencrypts if it has.
We definitely understand the desire for eventing based on key lifecycle changes, and we've been thinking about the best way to accomplish that in the future. We don't have any plans to share yet, though.
When you rotate an encryption key (or when you enable scheduled rotation on a key), Cloud KMS does not automatically delete the old key version material. You can still decrypt data previously encrypted with the old key unless you manually disable/destroy that key version. You can read more about this in detail in the Cloud KMS Key rotation documentation.
While you may have business requirements, it's not a Cloud KMS requirement that you re-encrypt old data with the new key version material.
New data will be encrypted with the new key
Old data will be decrypted with the old key
At the time of this writing, Cloud KMS does not publish an event when a key is rotated. If you have a business requirement to re-encrypt all existing data with the new key, you could do one of the following:
Use Cloud Scheduler
Write a Cloud Function connected to Cloud Scheduler that invokes on a periodic basis. For example, if your keys rotate every 72 hours, you could schedule the cloud function to run every 24 hours. Happy to provide some sample code if that would help, but the OP didn't specifically ask for code.
Long-poll
Write a long-running function that polls the KMS API to check if the Primary crypto key has changed, and trigger your re-encryption when change is detected.
From my "Security Credentials", I can NOT create any more key pairs for my CloudFront setup.
I can only see my existing 2 key pairs and my deleted one. The "create" link is not present.
Do you have a reason for that?
How can I create key pairs without using this interface?
How can I bring back the feature to create key pair from that interface?
It's not possible to have more than two key pairs available for use at any one point in time, see Access Credential Rotation:
[...] you can have two credentials in an Active state at any point in time
so you can rotate them without impact to your application's
availability. The AWS Security Credentials page displays the current
state of each of the credentials you can rotate. The possible states:
Active—Can be used to secure requests to AWS.
Inactive—Can't be used, but can be moved back to the Active state.
Deleted—Can never be used again.
The first sentence is actually a bit misleading, insofar it applies to key pairs in the Inactive state as well, because these can be activated again.
As soon as you delete an inactive key, you will be able to create a new one.