# Rotating Encryption Keys and Renewing Certificates

Encryption key rotation and certificate renewal are **essential security practices**: rotation limits how much data any one piece of key material protects (and therefore how much a leak of that material exposes), and renewal prevents the outages and browser warnings that an expired certificate causes. AWS provides **automated and manual** mechanisms for both: AWS KMS rotates key material, and AWS Certificate Manager (ACM) renews the SSL/TLS certificates it issued.

This study guide covers:\
✔ **Key Rotation vs. Certificate Renewal**\
✔ **AWS Services for Key & Certificate Management**\
✔ **How to Rotate Encryption Keys**\
✔ **How to Renew SSL/TLS Certificates**\
✔ **Best Practices & Common Mistakes**\
✔ **SecureCart Use Case: Ensuring Continuous Data Security**

***

### **🔹 Understanding Key Rotation vs. Certificate Renewal**

| **Process**                 | **Purpose**                                                                               | **Frequency**                                                                                                                                                                  |
| --------------------------- | ----------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **Encryption Key Rotation** | Limits the lifetime and blast radius of any one key; satisfies cryptoperiod requirements. | AWS managed keys: automatically every **year**. Customer managed keys: yearly by default once automatic rotation is enabled (the period is configurable), or as your policy dictates. |
| **Certificate Renewal**     | Keeps SSL/TLS connections trusted and working.                                            | Required **before expiration**. Public certificates are limited to about **13 months**; ACM issues 13-month certificates and starts renewing them 60 days before they expire. |

**📌 Why Rotate Encryption Keys?**\
✔ Limits the amount of data protected by any single piece of key material, so a **compromise of that material** exposes less.\
✔ Meets **cryptoperiod and compliance requirements** (PCI DSS explicitly; GDPR and HIPAA expect keys to be managed over their lifetime).\
✔ Ensures **data remains protected** over time, even as older material ages out.

**📌 Why Renew Certificates?**\
✔ Prevents **downtime due to expired SSL/TLS certificates**.\
✔ Maintains **secure encrypted connections** for web applications.

***

### **🔹 SecureCart Use Case: Protecting Payment Transactions**

SecureCart, an **e-commerce platform**, encrypts customer payment data stored in Amazon RDS and secures web traffic using SSL/TLS certificates.

**✅ SecureCart’s Security Needs:**\
✔ **Encrypt all sensitive customer data** using AWS KMS.\
✔ **Rotate encryption keys annually** to meet PCI DSS compliance.\
✔ **Ensure SSL/TLS certificates do not expire** to maintain secure HTTPS connections.\
✔ **Monitor and audit key usage** using AWS CloudTrail.

***

### **🔹 How to Rotate Encryption Keys in AWS**

AWS Key Management Service (KMS) **rotates AWS managed keys for you and lets you turn on automatic rotation for customer managed keys**. Keys that cannot be rotated automatically are rotated manually (next section).

#### **1️⃣ Automatic Key Rotation (AWS Managed and Customer Managed Keys)**

✔ **AWS managed keys** (the `aws/rds`, `aws/s3`, ... keys a service creates for you) are rotated by AWS every **year**; you cannot change or disable this.\
✔ **Customer managed keys** (formerly called CMKs) are **not rotated by default**: automatic rotation is an opt-in setting (`EnableKeyRotation`), yearly by default with a configurable period.\
✔ Only **symmetric keys with KMS-generated key material** qualify. Asymmetric keys, HMAC keys, keys with imported material and keys in custom key stores must be rotated manually.\
✔ Rotation generates **new backing key material** but keeps every previous generation. The key ID, ARN, alias, key policy and grants stay the same, and ciphertext produced before the rotation still decrypts because KMS records which material produced it.

✅ **Steps to Enable Automatic Key Rotation:**

1. Navigate to **AWS KMS** → **Customer managed keys** → select your key.
2. On the **Key rotation** tab, enable automatic rotation (optionally set the rotation period) and save.
3. Confirm with `GetKeyRotationStatus`, and alert on any `DisableKeyRotation` event in CloudTrail so a quietly switched-off rotation is noticed.

🔹 **Why Use It?**\
✔ **Hands-free management** of key rotation.\
✔ **No impact on existing encrypted data**: nothing is re-encrypted, old ciphertext keeps working, and callers keep using the same key ID or alias.\
⚠️ **Caveat:** because old material is retained and the key stays the same, automatic rotation does not help if the key itself (or access to it) is compromised; that case needs a manual rotation to a new key.

***

#### **2️⃣ Manual Key Rotation (Keys That Cannot Rotate Automatically)**

Automatic rotation is not available for **asymmetric keys, HMAC keys, keys with imported key material or keys in custom key stores**, and it never retires old material. In those cases, or when policy demands a brand-new key after a suspected compromise, you **create a new key and move all dependents to it**.

✅ **Steps to Manually Rotate a KMS Key:**

1. **Create a New Key** in AWS KMS (`CreateKey`) with the same key spec and usage, and copy the **key policy and grants** of the old key to it.
2. **Repoint the alias** (`UpdateAlias`) so that `alias/...` resolves to the new key. Applications that reference the alias switch without a code change; anything that hard-codes the old key ID or ARN must be **updated**, along with the IAM policies that name it.
3. **Re-encrypt Data** that must stay readable after the old key is gone (`ReEncrypt` performs the decrypt-and-encrypt inside KMS, so plaintext never leaves the service). Data you are content to leave under the old key can stay there as long as that key exists.
4. **Disable the old key** (`DisableKey`) and watch CloudTrail for `Decrypt` calls against it. Only when none appear, **schedule deletion** (`ScheduleKeyDeletion`, waiting period 7 to 30 days). Deleting a key makes every ciphertext still under it unrecoverable; the waiting period is your last chance to cancel.

🔹 **Why Use It?**\
✔ Ensures **full control over the key lifecycle**, including real retirement of old material.\
✔ Allows migration to a **different key spec or algorithm** (for example, a larger asymmetric key), which automatic rotation cannot do.
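
The behaviour the automatic section relies on (old ciphertext keeps decrypting after rotation) and the manual procedure just described (new key, alias repoint, re-encrypt, retire) can be watched end to end in the following added example. It is not AWS code and not part of this guide's original material: a small Python model of a KMS key with generations of backing material, using a SHA-256 keystream plus an HMAC tag in place of the AES-256-GCM that KMS actually uses so that it runs offline; the key IDs, the `alias/securecart-payments` alias and the card token are invented.

```python
"""Offline model of KMS key rotation (added example, not AWS code).
A SHA-256 keystream plus HMAC tag stands in for KMS's real AES-256-GCM so this
runs with the standard library only. Modelled: automatic rotation adds new
backing material but keeps the old, the key ID never changes, and each
ciphertext records which generation of material produced it."""
import hashlib
import hmac
import os
import struct


def _keystream(material: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stand-in for a real cipher, never for production."""
    blocks = (hashlib.sha256(material + nonce + struct.pack(">I", i)).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def _key_id_in(ciphertext: bytes) -> str:
    """Every ciphertext starts with the ID of the key that produced it."""
    return ciphertext[2:2 + struct.unpack(">H", ciphertext[:2])[0]].decode()


class SimulatedKey:
    """One KMS key: a stable key ID holding several generations of backing material."""
    def __init__(self, key_id: str):
        self.key_id, self.current, self.pending_deletion = key_id, 0, False
        self.versions = {0: os.urandom(32)}   # generation -> backing key material
    def rotate(self) -> None:
        """Automatic rotation: fresh material for new ciphertext, old material retained."""
        self.current += 1
        self.versions[self.current] = os.urandom(32)
    def encrypt(self, plaintext: bytes) -> bytes:
        if self.pending_deletion:
            raise PermissionError(f"{self.key_id} is pending deletion")
        material, nonce, kid = self.versions[self.current], os.urandom(12), self.key_id.encode()
        header = struct.pack(">H", len(kid)) + kid + struct.pack(">I", self.current) + nonce
        body = bytes(p ^ k for p, k in zip(plaintext, _keystream(material, nonce, len(plaintext))))
        return header + body + hmac.new(material, header + body, hashlib.sha256).digest()
    def decrypt(self, ciphertext: bytes) -> bytes:
        if self.pending_deletion:
            raise PermissionError(f"{self.key_id} is pending deletion")
        if _key_id_in(ciphertext) != self.key_id:
            raise ValueError("ciphertext was produced under a different key")
        ver_at = 2 + len(self.key_id.encode())
        version = struct.unpack(">I", ciphertext[ver_at:ver_at + 4])[0]
        nonce, body, tag = ciphertext[ver_at + 4:ver_at + 16], ciphertext[ver_at + 16:-32], ciphertext[-32:]
        material = self.versions[version]   # still present for every past generation
        if not hmac.compare_digest(tag, hmac.new(material, ciphertext[:-32], hashlib.sha256).digest()):
            raise ValueError("authentication failed")
        return bytes(c ^ k for c, k in zip(body, _keystream(material, nonce, len(body))))


class SimulatedKms:
    """Key store with aliases, for the manual create-new-key-and-repoint procedure."""
    def __init__(self):
        self.keys, self.aliases = {}, {}   # key_id -> SimulatedKey, "alias/x" -> key_id
    def create_key(self, key_id: str) -> None:
        self.keys[key_id] = SimulatedKey(key_id)
    def update_alias(self, alias: str, key_id: str) -> None:
        self.aliases[alias] = key_id   # callers using the alias switch keys with no code change
    def key(self, name: str) -> SimulatedKey:
        """Resolve an alias or a bare key ID."""
        return self.keys[self.aliases.get(name, name)]
    def re_encrypt(self, ciphertext: bytes, destination: str) -> bytes:
        """Like KMS ReEncrypt: source key read from the ciphertext, plaintext never leaves."""
        return self.key(destination).encrypt(self.keys[_key_id_in(ciphertext)].decrypt(ciphertext))


def rotation_walkthrough() -> dict:
    """Run both rotation styles and report what happened to the original ciphertext."""
    kms = SimulatedKms()
    kms.create_key("key-2023")
    kms.update_alias("alias/securecart-payments", "key-2023")
    old = kms.key("alias/securecart-payments").encrypt(b"card-token-4242")

    # Automatic rotation: same key ID, old ciphertext still decrypts, nothing re-encrypted.
    kms.key("key-2023").rotate()
    after_auto = kms.key("alias/securecart-payments").decrypt(old)

    # Manual rotation: new key, repoint the alias, re-encrypt, then retire the old key.
    kms.create_key("key-2024")
    kms.update_alias("alias/securecart-payments", "key-2024")
    migrated = kms.re_encrypt(old, "alias/securecart-payments")
    kms.key("key-2023").pending_deletion = True
    try:
        kms.key("key-2023").decrypt(old)
        old_readable = True
    except PermissionError:
        old_readable = False   # anything not re-encrypted before deletion is lost
    return {"after_auto_rotation": after_auto,
            "migrated_plaintext": kms.key("alias/securecart-payments").decrypt(migrated),
            "old_ciphertext_readable_after_deletion": old_readable}
```

`rotation_walkthrough()` returns the original plaintext both after the automatic rotation and after migration to the new key, and `False` for the ciphertext that was not migrated before the old key went into pending deletion, which is the data-loss case in the Common Mistakes table. Against real KMS the calls map one to one: `EnableKeyRotation`, `CreateKey`, `UpdateAlias`, `ReEncrypt`, `DisableKey` and `ScheduleKeyDeletion`.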

***

### **🔹 How to Renew SSL/TLS Certificates in AWS**

AWS **Certificate Manager (ACM)** issues public SSL/TLS certificates and provides **managed renewal** for the certificates it issued when they are used with ACM-integrated services such as **Elastic Load Balancing (ALB/NLB), CloudFront and API Gateway**. Certificates you import into ACM are stored and deployed, but never renewed.

#### **1️⃣ Automatic Certificate Renewal in ACM**

✔ ACM public certificates are valid for **13 months**; **ACM starts renewing them 60 days before expiration** and deploys the renewed certificate to the attached load balancer, CloudFront distribution or API on its own.\
✔ Works only for **ACM-issued certificates**, not imported ones.\
✔ Renewal has to **re-validate domain ownership**: for DNS validation, the CNAME records ACM created must still exist in your DNS; for email validation, someone has to click the link in the renewal email. Remove the CNAME and renewal silently fails.\
✔ Any CAA record on the domain must still permit one of the Amazon CA names (for example `amazon.com`) to issue.

✅ **Steps to Make Sure Managed Renewal Will Succeed:**

1. Navigate to **AWS Certificate Manager (ACM)** and select your **issued SSL/TLS certificate**.
2. Check that **Renewal eligibility** shows **Eligible** and that the validation method is **DNS** (replace email-validated certificates by requesting a new one with DNS validation).
3. Ensure it is attached to a **CloudFront distribution, ALB, or API Gateway** and that the validation CNAME records are still present in the hosted zone.
4. Alarm on the `DaysToExpiry` CloudWatch metric (or the EventBridge "ACM Certificate Approaching Expiration" event) so a failed renewal is noticed weeks, not hours, before expiry.

🔹 **Why Use It?**\
✔ Prevents **certificate expiration** without manual intervention.\
✔ Ensures **HTTPS remains active** for SecureCart’s checkout pages.

***

#### **2️⃣ Manual Certificate Renewal for Non-ACM Certificates**

For **certificates from a third-party CA or your own private CA that you imported into ACM (or uploaded to IAM)**, ACM stores and deploys them but **never renews them**; you must obtain a new certificate and update your AWS resources yourself.

✅ **Steps to Manually Renew a Certificate:**

1. **Request a new certificate** from your certificate authority (CA), ideally with a freshly generated private key.
2. **Re-import it into ACM under the existing certificate ARN** (`ImportCertificate` with the `CertificateArn` of the old certificate). Re-importing keeps the ARN, so every ALB, CloudFront distribution or API already associated with it picks up the new certificate with no further change. For certificates stored in IAM, upload a new server certificate and switch the resource to it.
3. **Update resources that do not use ACM**, such as **EC2 instances** that terminate TLS themselves: install the new certificate and key, reload the web server, and remove the old files.
4. **Verify HTTPS connections** (for example, check the serial number or expiry date each endpoint presents) before removing the old certificate.

🔹 **Why Use It?**\
✔ Required if using **third-party SSL providers** or certificates from your own private CA.\
✔ Allows customization of **certificate authorities** and of key material you control.
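
A check that covers both the managed-renewal conditions above and the imported-certificate case in this section, as an added example that is not AWS or ACM code: a Python audit over certificate records in the shape that `aws acm describe-certificate` returns. The four records are constructed samples with invented ARNs, domains and dates, and the thresholds (30 days critical, 60 days warning, matching the point at which ACM begins managed renewal) are this example's own choice.

```python
"""Renewal audit over ACM certificate records (added example, not AWS code).
Input records have the shape of `aws acm describe-certificate` output
(boto3: describe_certificate()["Certificate"]). The records below are
constructed samples so the script runs offline; in practice build the list
from acm.list_certificates() and describe each ARN."""
from datetime import datetime, timezone

NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)   # fixed "today" so results are reproducible

# Constructed samples: ARNs, domains and dates are invented.
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/aaaa-1",
     "DomainName": "checkout.securecart.example", "Type": "AMAZON_ISSUED",
     "NotAfter": "2025-12-01T23:59:59+00:00", "RenewalEligibility": "ELIGIBLE",
     "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/1a2b3c"],
     "DomainValidationOptions": [{"DomainName": "checkout.securecart.example", "ValidationMethod": "DNS"}],
     "RenewalSummary": {"RenewalStatus": "PENDING_AUTO_RENEWAL"}},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/bbbb-2",
     "DomainName": "api.securecart.example", "Type": "IMPORTED",
     "NotAfter": "2025-03-20T12:00:00+00:00", "RenewalEligibility": "INELIGIBLE",
     "InUseBy": ["arn:aws:cloudfront::111122223333:distribution/E1EXAMPLE"]},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/cccc-3",
     "DomainName": "legacy.securecart.example", "Type": "AMAZON_ISSUED",
     "NotAfter": "2025-04-15T23:59:59+00:00", "RenewalEligibility": "ELIGIBLE", "InUseBy": [],
     "DomainValidationOptions": [{"DomainName": "legacy.securecart.example", "ValidationMethod": "EMAIL"}]},
    {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/dddd-4",
     "DomainName": "old.securecart.example", "Type": "AMAZON_ISSUED",
     "NotAfter": "2025-02-10T23:59:59+00:00", "RenewalEligibility": "ELIGIBLE", "InUseBy": [],
     "DomainValidationOptions": [{"DomainName": "old.securecart.example", "ValidationMethod": "DNS"}],
     "RenewalSummary": {"RenewalStatus": "FAILED"}},
]


def _not_after(value) -> datetime:
    """CLI JSON carries ISO-8601 strings; boto3 carries aware datetimes."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess(cert: dict, now: datetime = NOW) -> dict:
    """Decide whether ACM will renew this certificate on its own and how urgently a human is needed."""
    days_left = (_not_after(cert["NotAfter"]) - now).days
    methods = {d.get("ValidationMethod") for d in cert.get("DomainValidationOptions", [])}
    status = (cert.get("RenewalSummary") or {}).get("RenewalStatus")

    if cert["Type"] == "IMPORTED":
        auto, reason = False, "imported: ACM never renews it; re-import a new certificate under the same ARN"
    elif cert.get("RenewalEligibility") != "ELIGIBLE":
        auto, reason = False, "ACM reports INELIGIBLE for managed renewal; check the console for the reason"
    elif "EMAIL" in methods:
        auto, reason = False, "email-validated: renewal waits for someone to answer the validation email"
    elif status == "FAILED":
        auto, reason = False, "last managed renewal attempt FAILED; fix validation (CNAME, CAA) and retry"
    else:
        auto, reason = True, "DNS-validated and eligible: managed renewal, as long as the CNAME records remain"

    if days_left < 0:
        severity = "EXPIRED"
    elif days_left <= 30:
        severity = "CRITICAL"
    elif days_left <= 60 and not auto:   # ACM begins managed renewal 60 days before expiry
        severity = "WARNING"
    else:
        severity = "OK"
    return {"arn": cert["CertificateArn"], "domain": cert["DomainName"], "days_left": days_left,
            "auto_renews": auto, "severity": severity, "in_use": bool(cert.get("InUseBy")),
            "reason": reason}


def audit(certs: list, now: datetime = NOW) -> list:
    """Assess every certificate, most urgent first."""
    return sorted((assess(c, now) for c in certs), key=lambda r: r["days_left"])


def needs_human(certs: list, now: datetime = NOW) -> list:
    """ARNs that will not renew on their own and are already inside the 60-day renewal window."""
    return [r["arn"] for r in audit(certs, now) if not r["auto_renews"] and r["days_left"] <= 60]


if __name__ == "__main__":
    for row in audit(SAMPLE_CERTS):
        print(f"{row['severity']:8} {row['days_left']:5d}d  auto={str(row['auto_renews']):5}  "
              f"{row['domain']:28} {row['reason']}")
```

On the sample data, `needs_human()` returns the expired certificate whose last renewal failed, the imported CloudFront certificate that is 19 days from expiry, and the email-validated one 45 days out; only the DNS-validated certificate on the load balancer is left to ACM. Wiring this to the real account means replacing `SAMPLE_CERTS` with the output of `list_certificates()` plus `describe_certificate()` and sending the `needs_human()` list to your alerting.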

***

### **🔹 AWS Services for Key & Certificate Management**

| **AWS Service**         | **Purpose**                                         |
| ----------------------- | --------------------------------------------------- |
| **AWS KMS**             | Creates and stores encryption keys; rotates AWS managed keys and, when enabled, customer managed keys.              |
| **AWS ACM**             | Issues public and private SSL/TLS certificates and renews the ones it issued (imported certificates are not renewed). |
| **AWS CloudTrail**      | Logs every key and certificate API call (`Decrypt`, `ScheduleKeyDeletion`, `ImportCertificate`, ...) for audits.     |
| **AWS Secrets Manager** | Stores database and API credentials and rotates them on a schedule via a rotation Lambda function.                  |

***

### **✅ Best Practices for Key Rotation & Certificate Renewal**

✔ **Enable automatic key rotation** on symmetric customer managed keys (AWS managed keys are rotated for you).\
✔ **Manually rotate keys that cannot rotate automatically** (asymmetric, HMAC, imported material, custom key store) by creating a new key and repointing the alias.\
✔ **Reference keys by alias, not by key ID**, so a manual rotation needs no application change.\
✔ **Monitor KMS key usage** using AWS CloudTrail, and alarm on `DisableKeyRotation`, `DisableKey` and `ScheduleKeyDeletion`.\
✔ **Use DNS validation for ACM certificates** so managed renewal works unattended, and alarm on the `DaysToExpiry` metric.\
✔ **Use AWS Secrets Manager** for automatic credential rotation.

***

### **⚠️ Common Mistakes & How to Avoid Them**

| **Mistake**                                      | **Impact**                       | **Solution**                           |
| ------------------------------------------------ | -------------------------------- | -------------------------------------- |
| **Not rotating encryption keys**                 | Increased risk of key compromise | Enable automatic rotation in AWS KMS; rotate ineligible keys manually.         |
| **Forgetting to renew SSL/TLS certificates**     | HTTPS downtime, loss of trust    | Use ACM-issued, DNS-validated certificates and alarm on `DaysToExpiry`.        |
| **Deleting old keys before re-encrypting data**  | Permanent data loss              | Disable first, confirm no `Decrypt` calls in CloudTrail, then schedule deletion with a waiting period. |
| **Not updating IAM policies after key rotation** | Application failures             | Copy key policies and grants to the new key; reference keys by alias.          |
| **Removing the DNS validation CNAME after issuance** | ACM cannot re-validate; renewal fails | Leave the CNAME records in place for the life of the certificate.        |

***

### **✅ Summary**

✔ **Use AWS KMS key rotation** to protect encrypted data.\
✔ **Keep ACM certificates DNS-validated and in use** so managed renewal prevents downtime; imported certificates must be renewed by hand.\
✔ **Use AWS CloudTrail to audit encryption key usage.**\
✔ **Manually rotate keys that cannot auto-rotate**: create a new key, repoint the alias, and retire the old key only after its data is migrated.
