# Rotating encryption keys and renewing certificates

Rotating encryption keys and renewing certificates are **essential security practices** that ensure **continuous protection** against compromised keys and expired certificates. AWS provides automated and manual mechanisms to **rotate keys, manage certificates, and maintain compliance** with security standards.

This study guide covers:\
✔ **Understanding Key Rotation vs. Certificate Renewal**\
✔ **AWS Services for Managing Keys & Certificates**\
✔ **How to Rotate Encryption Keys in AWS KMS**\
✔ **How to Renew SSL/TLS Certificates in ACM**\
✔ **Best Practices & Common Mistakes**\
✔ **SecureCart Use Case: Securing Customer Transactions**

***

### **🔹 Understanding Key Rotation vs. Certificate Renewal**

| **Process**                 | **Purpose**                                                                         | **Frequency**                                                            |
| --------------------------- | ----------------------------------------------------------------------------------- | ------------------------------------------------------------------------ |
| **Encryption Key Rotation** | Reduces risk of key compromise by replacing encryption keys periodically.           | Recommended **annually** or as per compliance policies.                  |
| **Certificate Renewal**     | Ensures secure encrypted communications by replacing expiring SSL/TLS certificates. | Required **before expiration** (every 1-3 years or auto-renewed in ACM). |

**📌 Why Rotate Encryption Keys?**\
✔ Prevents prolonged key exposure.\
✔ Ensures compliance with **PCI DSS, GDPR, HIPAA**.\
✔ Limits the impact of a compromised key.

**📌 Why Renew Certificates?**\
✔ Prevents service disruptions due to expired certificates.\
✔ Ensures uninterrupted **HTTPS encryption for applications**.

***

### **🔹 SecureCart Use Case: Securing Customer Transactions**

SecureCart, an **e-commerce platform**, **encrypts customer payment data** in **Amazon RDS** and secures **HTTPS traffic** using **SSL/TLS certificates**.

**✅ SecureCart’s Security Needs:**\
✔ **Encrypt payment and customer data** using AWS KMS.\
✔ **Rotate encryption keys annually** to maintain PCI DSS compliance.\
✔ **Renew SSL/TLS certificates before expiration** to prevent service downtime.\
✔ **Monitor key and certificate usage** with AWS CloudTrail.

***

### **🔹 How to Rotate Encryption Keys in AWS**

AWS Key Management Service (KMS) **supports automatic and manual key rotation**.

#### **1️⃣ Automatic Key Rotation for AWS-Managed Keys**

✔ **AWS KMS automatically rotates AWS-managed keys every year**; no additional configuration is required.\
✔ For a **customer managed key (CMK)**, yearly automatic rotation is a setting you turn on (steps below).

✅ **Steps to Enable Automatic Key Rotation:**

1. Navigate to **AWS KMS** → Select your **Customer Managed Key (CMK)**.
2. Under **Key Rotation**, check **Enable key rotation**.

🔹 **Why Use It?**\
✔ **Hands-free management** of key rotation.\
✔ **No impact on existing encrypted data**: KMS keeps the previous key material, so data encrypted before rotation still decrypts.

***

#### **2️⃣ Manual Key Rotation for Customer Managed Keys (CMKs)**

AWS does **not** automatically rotate customer managed keys (CMKs) unless automatic rotation has been enabled for them. To rotate one manually, **you must create a new key and update all dependent applications.**

✅ **Steps to Manually Rotate a KMS Key:**

1. **Create a New Key** in AWS KMS.
2. **Update IAM Policies & Applications** to use the new key.
3. **Re-encrypt Data** with the new key.
4. **Schedule Deletion** of the old key (after verifying all data is migrated).

🔹 **Why Use It?**\
✔ Ensures **full control over key lifecycle**.\
✔ Allows migration to **stronger encryption algorithms**.
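The manual rotation steps above, as an added example that is not part of this guide: the migration loop re-encrypts every record still wrapped by the old key, and the retire step refuses to schedule the old key's deletion while any record still references it. `FakeKms` is a constructed stand-in that mimics only the argument and response names of boto3's `re_encrypt` and `schedule_key_deletion`, so the block runs offline; the record format `"<key-id>:<payload>"` is an assumption of the example.

```python
"""Manual KMS key rotation (steps 3 and 4): re-encrypt, verify, then retire."""
from dataclasses import dataclass, field


@dataclass
class FakeKms:
    """Constructed stand-in for boto3's KMS client: same argument and response
    names as the real re_encrypt / schedule_key_deletion calls, no real crypto."""
    deletions: dict = field(default_factory=dict)

    def re_encrypt(self, CiphertextBlob: bytes, DestinationKeyId: str) -> dict:
        # Real KMS decrypts under the wrapping key and re-wraps under the new one.
        # Here a blob is "<key-id>:<payload>" (assumed), so only the prefix changes.
        _, payload = CiphertextBlob.split(b":", 1)
        return {"CiphertextBlob": DestinationKeyId.encode() + b":" + payload,
                "KeyId": DestinationKeyId}

    def schedule_key_deletion(self, KeyId: str, PendingWindowInDays: int = 30) -> dict:
        self.deletions[KeyId] = PendingWindowInDays
        return {"KeyId": KeyId, "PendingWindowInDays": PendingWindowInDays}


def wrapping_key(blob: bytes) -> str:
    """Key id recorded in the (simulated) ciphertext header."""
    return blob.split(b":", 1)[0].decode()


def reencrypt_records(kms, records: dict, old_key: str, new_key: str) -> int:
    """Step 3: move every record still wrapped by old_key to new_key.
    Returns how many records were migrated."""
    migrated = 0
    for name, blob in records.items():
        if wrapping_key(blob) == old_key:
            resp = kms.re_encrypt(CiphertextBlob=blob, DestinationKeyId=new_key)
            records[name] = resp["CiphertextBlob"]
            migrated += 1
    return migrated


def retire_old_key(kms, records: dict, old_key: str, pending_days: int = 30) -> bool:
    """Step 4, guarded: schedule deletion only once nothing references old_key.
    Deleting first is the 'permanent data loss' mistake from the table further down."""
    if any(wrapping_key(b) == old_key for b in records.values()):
        return False
    kms.schedule_key_deletion(KeyId=old_key, PendingWindowInDays=pending_days)
    return True


if __name__ == "__main__":
    kms = FakeKms()
    vault = {"card_1": b"old-cmk:tok1", "card_2": b"old-cmk:tok2", "addr": b"other:tok3"}
    print("retire before migration:", retire_old_key(kms, vault, "old-cmk"))  # False
    print(reencrypt_records(kms, vault, "old-cmk", "new-cmk"), "records migrated")
    print("retire after migration:", retire_old_key(kms, vault, "old-cmk"))   # True
```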

***

### **🔹 How to Renew SSL/TLS Certificates in AWS**

AWS **Certificate Manager (ACM)** simplifies certificate renewal for applications using **CloudFront, ALB, or API Gateway**.

#### **1️⃣ Automatic Certificate Renewal in ACM**

✔ **ACM automatically renews certificates** before expiration.\
✔ Works only for **ACM-issued certificates** used with **CloudFront, ALB, or API Gateway**.

✅ **Steps to Enable Automatic Renewal:**

1. Navigate to **AWS Certificate Manager (ACM)**.
2. Select your **issued SSL/TLS certificate**.
3. Ensure it is attached to a **CloudFront distribution, ALB, or API Gateway**.

🔹 **Why Use It?**\
✔ Prevents **certificate expiration** without manual intervention.\
✔ Ensures **HTTPS remains active** for SecureCart’s checkout pages.

***

#### **2️⃣ Manual Certificate Renewal for Non-ACM Certificates**

For **third-party or private certificates**, you must **manually renew** and update your AWS resources.

✅ **Steps to Manually Renew a Certificate:**

1. **Request a new certificate** from your certificate authority (CA).
2. **Import the new certificate** into ACM (or upload it to IAM).
3. **Update CloudFront, ALB, or EC2 instances** to use the new certificate.
4. **Verify HTTPS connections** before removing the old certificate.

🔹 **Why Use It?**\
✔ Required if using **third-party SSL providers**.\
✔ Allows customization of **certificate authorities**.
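Both the automatic-renewal conditions above (ACM-issued and attached to a resource) and the manual path for third-party certificates, as an added example that is not part of this guide: a triage over records shaped like the `acm:DescribeCertificate` response (`Type`, `RenewalEligibility`, `InUseBy` and `NotAfter` are real response fields; the sample records, ARNs and dates are constructed). The 60-day lead time is an assumption of the example.

```python
"""Decide, per certificate, whether ACM will renew it or someone must."""
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=60)  # assumed lead time for this example


def renewal_action(cert: dict, now: datetime, window: timedelta = RENEW_WINDOW) -> str:
    """Classify one DescribeCertificate-style record.
    'auto'   - ACM-issued, eligible and attached to a resource: ACM renews it.
    'attach' - ACM-issued but attached to nothing, so ACM will not renew it;
               attach it (or renew manually) before it expires.
    'manual' - imported / third-party certificate inside the renewal window.
    'ok'     - nothing due yet."""
    expires_in = cert["NotAfter"] - now
    if cert["Type"] == "AMAZON_ISSUED" and cert.get("RenewalEligibility") == "ELIGIBLE":
        if cert.get("InUseBy"):
            return "auto"
        return "attach" if expires_in <= window else "ok"
    # IMPORTED (third-party) and ineligible certificates are never renewed by ACM.
    return "manual" if expires_in <= window else "ok"


def triage(certs: list, now: datetime) -> dict:
    """Map certificate ARN -> action for a whole account listing."""
    return {c["CertificateArn"]: renewal_action(c, now) for c in certs}


# Constructed sample records (ARNs, dates and attachments are made up).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/checkout",
     "Type": "AMAZON_ISSUED", "RenewalEligibility": "ELIGIBLE",
     "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/web/abc"],
     "NotAfter": NOW + timedelta(days=40)},
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/staging",
     "Type": "AMAZON_ISSUED", "RenewalEligibility": "ELIGIBLE",
     "InUseBy": [], "NotAfter": NOW + timedelta(days=20)},
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/payments-3p",
     "Type": "IMPORTED", "RenewalEligibility": "INELIGIBLE",
     "InUseBy": ["arn:aws:cloudfront::111111111111:distribution/EXAMPLE"],
     "NotAfter": NOW + timedelta(days=45)},
    {"CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/internal",
     "Type": "IMPORTED", "RenewalEligibility": "INELIGIBLE",
     "InUseBy": [], "NotAfter": NOW + timedelta(days=300)},
]

if __name__ == "__main__":
    for arn, action in triage(SAMPLE_CERTS, NOW).items():
        print(f"{action:7} {arn}")
```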

***

### **🔹 AWS Services for Key & Certificate Management**

| **AWS Service**         | **Purpose**                                         |
| ----------------------- | --------------------------------------------------- |
| **AWS KMS**             | Manages encryption keys & enforces key rotation.    |
| **AWS ACM**             | Issues & renews SSL/TLS certificates automatically. |
| **AWS CloudTrail**      | Logs encryption key usage for security audits.      |
| **AWS Secrets Manager** | Stores and rotates sensitive credentials.           |

***

### **✅ Best Practices for Key Rotation & Certificate Renewal**

✔ **Enable automatic key rotation** for AWS-managed keys.\
✔ **Manually rotate customer-managed keys** annually.\
✔ **Monitor KMS key usage** using AWS CloudTrail.\
✔ **Set up ACM for automatic SSL/TLS certificate renewal**.\
✔ **Use AWS Secrets Manager** for automatic credential rotation.

***

### **⚠️ Common Mistakes & How to Avoid Them**

| **Mistake**                                      | **Impact**                       | **Solution**                           |
| ------------------------------------------------ | -------------------------------- | -------------------------------------- |
| **Not rotating encryption keys**                 | Increased risk of key compromise | Enable key rotation in AWS KMS.        |
| **Forgetting to renew SSL/TLS certificates**     | HTTPS downtime, loss of trust    | Use ACM for auto-renewal.              |
| **Deleting old keys before re-encrypting data**  | Permanent data loss              | Migrate data before deleting old keys. |
| **Not updating IAM policies after key rotation** | Application failures             | Update all references to new keys.     |

***

### **✅ Summary**

✔ **Use AWS KMS key rotation** to protect encrypted data.\
✔ **Enable automatic SSL/TLS renewal** in ACM to prevent downtime.\
✔ **Use AWS CloudTrail to audit encryption key usage.**\
✔ **Manually rotate customer-managed keys & update applications.**
