Questions on AWS KMS usage for encryption and decryption of passwords
Q1. Does AWS KMS key rotation affect encrypt/decrypt of data (specifically in the case of password history)?
Q2. If the CMK in KMS is corrupted/deleted and a new CMK is created in KMS for any reason, will decryption be successful for existing encrypted data?
Release : Any
*** Q1. Does AWS KMS key rotation affect encrypt/decrypt of data (specifically in the case of password history)?
Answer --> As long as the same CMK is used and only rotated, older data can still be decrypted: KMS retains the key material of every previous version of that CMK and automatically selects the version that encrypted the data, so rotation causes no issue.
Reference -
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
*** Q2. If the CMK in KMS is corrupted/deleted and a new CMK is created in KMS for any reason, will decryption be successful for existing encrypted data?
Answer --> As of now, AH will throw an exception because decryption at KMS will not succeed (a KMS ciphertext can only be decrypted by the CMK that encrypted it, and a new CMK does not hold that key material), and hence the password update will fail for the user.
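Added example (not AH's or AWS's code) walking through both Q1 and Q2: a decrypt wrapper that maps the KMS Decrypt error codes to a clear failure reason and checks the returned KeyId, exercised against a constructed in-memory stand-in for the KMS API (no real crypto) that models rotation as retained backing-key versions and deletion as a missing CMK. The CMK ARNs and the "old-pw-hash" plaintext are placeholder values; the wrapper itself takes any object with a boto3-style decrypt() method.

```python
import base64, json, os
class DecryptFailure(Exception): """Clear-cause failure for the password-update path."""
# KMS Decrypt error codes meaning the ciphertext cannot be recovered with the named CMK (mapping constructed here).
FATAL_KMS_ERRORS = {
    "NotFoundException": "CMK not found (deleted, or wrong account/region)",
    "KMSInvalidStateException": "CMK unusable (e.g. pending deletion)",
    "IncorrectKeyException": "ciphertext was encrypted under a different CMK",
    "InvalidCiphertextException": "ciphertext corrupted or not from this CMK",
}
def decrypt_history_entry(kms, ciphertext_b64, expected_key_arn):
    """Decrypt one stored password-history entry; `kms` may be a boto3 KMS client."""
    try:
        resp = kms.decrypt(CiphertextBlob=base64.b64decode(ciphertext_b64), KeyId=expected_key_arn)
    except Exception as exc:  # botocore ClientError carries the error code in exc.response
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)
        raise DecryptFailure(FATAL_KMS_ERRORS.get(code, "KMS error " + code)) from exc
    if resp["KeyId"] != expected_key_arn:  # refuse plaintext that came back from another CMK
        raise DecryptFailure("decrypted under unexpected CMK " + resp["KeyId"])
    return resp["Plaintext"]

class FakeClientError(Exception):  # mimics the .response layout of botocore ClientError
    def __init__(self, code): super().__init__(code); self.response = {"Error": {"Code": code}}
class FakeKms:
    """Constructed stand-in for the KMS API (no real crypto): a ciphertext records the CMK ARN and
    backing-key version, so rotation keeps old ciphertext decryptable while deletion does not."""
    def __init__(self): self.versions, self.vault = {}, {}  # arn -> version count; (arn, ver, token) -> plaintext
    def create_key(self, arn): self.versions[arn] = 1
    def rotate_key(self, arn): self.versions[arn] += 1   # older backing keys are retained
    def delete_key(self, arn): del self.versions[arn]     # all backing keys gone for good
    def encrypt(self, KeyId, Plaintext):
        token = os.urandom(8).hex()
        self.vault[(KeyId, self.versions[KeyId], token)] = Plaintext
        return {"CiphertextBlob": json.dumps([KeyId, self.versions[KeyId], token]).encode()}
    def decrypt(self, CiphertextBlob, KeyId):
        arn, version, token = json.loads(CiphertextBlob)
        if KeyId not in self.versions: raise FakeClientError("NotFoundException")
        if arn != KeyId: raise FakeClientError("IncorrectKeyException")
        return {"KeyId": arn, "Plaintext": self.vault[(arn, version, token)]}

def demo(old="arn:aws:kms:REGION:ACCOUNT:key/OLD-ID", new="arn:aws:kms:REGION:ACCOUNT:key/NEW-ID"):
    """Q1: rotate the same CMK, the old entry still decrypts. Q2: CMK deleted and replaced, it does not."""
    kms = FakeKms(); kms.create_key(old); out = {}
    blob = base64.b64encode(kms.encrypt(KeyId=old, Plaintext=b"old-pw-hash")["CiphertextBlob"]).decode()
    kms.rotate_key(old); out["after_rotation"] = decrypt_history_entry(kms, blob, old)
    kms.delete_key(old); kms.create_key(new)
    for label, arn in (("old_cmk_deleted", old), ("new_cmk", new)):
        try: decrypt_history_entry(kms, blob, arn)
        except DecryptFailure as err: out[label] = str(err)
    return out
```

The wrapper raises DecryptFailure with the mapped reason, so the password-update path can log the cause and reject the update instead of surfacing a bare KMS exception.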