- AWS managed keys - automatic every year
- Customer managed keys - automatic (must be enabled) & on demand
- Imported KMS Key - Only manual rotation using alias
The previous key is kept active, for decrypting old data
The previous key is kept active, for decrypting old data