- AWS Managed Keys
  - Rotated automatically by AWS every 1 year.
  - Rotation is transparent; previous key versions remain available for decrypting older data.
- Customer Managed Keys
  - Can enable automatic annual rotation.
  - Supports manual rotation at any time by creating a new key and updating references (aliases, configurations).
- Imported Keys
  - No automatic rotation.
  - Rotation must be manual, typically by importing new key material and updating the alias or service configuration.
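
An added example, not part of the original page: a Python check that sorts keys into the three types above using the `KeyMetadata` fields returned by `DescribeKey` and the `KeyRotationEnabled` flag from `GetKeyRotationStatus`, then reports which keys need attention. The 365-day limit, the use of `CreationDate` as the age of the key material, and the sample keys are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=365)  # assumed policy, mirroring the annual cadence above

def classify(meta):
    """Map DescribeKey KeyMetadata onto the three key types in the list."""
    if meta["KeyManager"] == "AWS":
        return "aws-managed"
    if meta["Origin"] == "EXTERNAL":  # key material was imported
        return "imported"
    return "customer-managed"

def rotation_finding(meta, rotation_enabled, now):
    """Return None if no action is needed, otherwise a short finding."""
    kind = classify(meta)
    too_old = now - meta["CreationDate"] > MAX_AGE
    if kind == "aws-managed":
        return None  # AWS rotates these on its own schedule
    if kind == "imported":
        # No automatic rotation exists, so age is the only signal.
        return "imported key past max age: rotate manually" if too_old else None
    if rotation_enabled:
        return None
    if too_old:
        return "rotation disabled and key past max age"
    return "automatic rotation disabled"

def audit(keys, now):
    """keys: iterable of (KeyMetadata dict, KeyRotationEnabled bool)."""
    findings = {}
    for meta, enabled in keys:
        finding = rotation_finding(meta, enabled, now)
        if finding:
            findings[meta["KeyId"]] = finding
    return findings

# Constructed sample data (key ids are placeholders, not real keys).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

def sample_key(key_id, manager, origin, days_old):
    return {"KeyId": key_id, "KeyManager": manager, "Origin": origin,
            "CreationDate": NOW - timedelta(days=days_old)}

SAMPLE = [
    (sample_key("k-aws", "AWS", "AWS_KMS", 900), True),
    (sample_key("k-cmk-auto", "CUSTOMER", "AWS_KMS", 400), True),
    (sample_key("k-cmk-off", "CUSTOMER", "AWS_KMS", 30), False),
    (sample_key("k-cmk-stale", "CUSTOMER", "AWS_KMS", 700), False),
    (sample_key("k-imp-old", "CUSTOMER", "EXTERNAL", 500), False),
    (sample_key("k-imp-new", "CUSTOMER", "EXTERNAL", 100), False),
]
```

In a live account the tuples would come from `describe_key` and `get_key_rotation_status` calls per key; `audit(SAMPLE, NOW)` reports only the three keys that need action.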