RotateKey - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).


The following example shows an Amazon CloudTrail log entry of the operation that rotates an Amazon KMS key. Amazon KMS calls this operation when it is time to rotate a KMS key on which automatic key rotation is enabled. When you enable automatic key rotation (EnableKeyRotation), Amazon KMS rotates the KMS key 365 days later and every 365 days thereafter.

CloudTrail log entries for this operation recorded on or after December 2022 include the key ARN of the affected KMS key in the responseElements.keyId value, even though this operation does not return the key ARN.

For an example of the CloudTrail log entry that records the EnableKeyRotation operation, see EnableKeyRotation. For information about rotating KMS keys, see Rotating Amazon KMS keys.

{ "eventVersion": "1.05", "userIdentity": { "accountId": "111122223333", "invokedBy": "Amazon Internal" }, "eventTime": "2021-01-14T01:41:59Z", "eventSource": "", "eventName": "RotateKey", "awsRegion": "us-west-2", "sourceIPAddress": "Amazon Internal", "userAgent": "Amazon Internal", "requestParameters": null, "responseElements": { "keyId":"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" }, "eventID": "a24b3967-ddad-417f-9b22-2332b918db06", "readOnly": false, "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ], "eventType": "AwsServiceEvent", "recipientAccountId": "111122223333", "serviceEventDetails": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab" } }