https://community.databricks.com/t5/data-engineering/cmk-for-managed-services-automatic-rotation/m-p/23896#M16578 <P>Hi @Constantino Schillebeeckx​&nbsp;, You can update/rotate CMK at a later time (on a running workspace). Please refer: <A href="https://docs.databricks.com/security/keys/customer-managed-keys-managed-services-aws.html?_ga=2.214562071.1895504292.1667411694-643525343.1663499643#add-or-update-a-customer-managed-key-on-a-running-workspace" alt="https://docs.databricks.com/security/keys/customer-managed-keys-managed-services-aws.html?_ga=2.214562071.1895504292.1667411694-643525343.1663499643#add-or-update-a-customer-managed-key-on-a-running-workspace" target="_blank">https://docs.databricks.com/security/keys/customer-managed-keys-managed-services-aws.html?_ga=2.214562071.1895504292.1667411694-643525343.1663499643#add-or-update-a-customer-managed-key-on-a-running-workspace</A></P> Fri, 04 Nov 2022 07:17:18 GMT Debayan 2022-11-04T07:17:18Z https://community.databricks.com/t5/data-engineering/cmk-for-managed-services-automatic-rotation/m-p/23895#M16577 <P>The <A href="https://docs.databricks.com/security/keys/customer-managed-keys-storage-aws.html#:~:text=After%20you%20add%20a%20customer%2Dmanaged%20key%20for,compatible%20with%20Databricks%20customer%2Dmanaged%20keys%20for%20storage." alt="https://docs.databricks.com/security/keys/customer-managed-keys-storage-aws.html#:~:text=After%20you%20add%20a%20customer%2Dmanaged%20key%20for,compatible%20with%20Databricks%20customer%2Dmanaged%20keys%20for%20storage." target="_blank">docs</A> for the CMK for workspace storage states:</P><P><I>After you add a customer-managed key for storage, you cannot later rotate the key by setting a different key ARN for the workspace. However, AWS provides&nbsp;</I><A href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html" alt="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html" target="_blank"><I>automatic CMK master key rotation</I></A><I>, which rotates the underlying key without changing the key ARN&nbsp;</I><A href="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html" alt="https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html" target="_blank"><I>as described in AWS docs</I></A><I>. Automatic CMK master key rotation is compatible with Databricks customer-managed keys for storage.</I></P><P></P><P>However the <A href="https://docs.databricks.com/security/keys/customer-managed-keys-managed-services-aws.html" alt="https://docs.databricks.com/security/keys/customer-managed-keys-managed-services-aws.html" target="_blank">docs for managed services</A> does not make any mention automatic CMK master key rotation - does CMK for managed services support this AWS automation?</P> Thu, 03 Nov 2022 16:39:02 GMT https://community.databricks.com/t5/data-engineering/cmk-for-managed-services-automatic-rotation/m-p/23895#M16577 Constantino 2022-11-03T16:39:02Z https://community.databricks.com/t5/data-engineering/cmk-for-managed-services-automatic-rotation/m-p/23897#M16579 <P>yep, I'm aware of manual key rotation, but I'd like to explicitly avoid it because:</P><UL><LI><A href="https://docs.databricks.com/security/keys/customer-managed-keys-managed-services-aws.html?_ga=2.214562071.1895504292.1667411694-643525343.1663499643#add-or-update-a-customer-managed-key-on-a-running-workspace:~:text=Terminate%20all%20running%20clusters%2C%20pools%2C%20and%20SQL%20warehouses." alt="https://docs.databricks.com/security/keys/customer-managed-keys-managed-services-aws.html?_ga=2.214562071.1895504292.1667411694-643525343.1663499643#add-or-update-a-customer-managed-key-on-a-running-workspace:~:text=Terminate%20all%20running%20clusters%2C%20pools%2C%20and%20SQL%20warehouses." target="_blank">it requires we take down our clusters</A> (not feasible for our reporting clusters)</LI><LI>it means we have to add extra infra to our terraform to execute the rotation (feels needless if AWS can already rotate them automatically)</LI></UL> Fri, 04 Nov 2022 13:05:54 GMT https://community.databricks.com/t5/data-engineering/cmk-for-managed-services-automatic-rotation/m-p/23897#M16579 Constantino 2022-11-04T13:05:54Z https://community.databricks.com/t5/data-engineering/cmk-for-managed-services-automatic-rotation/m-p/23896#M16578 <P>Hi @Constantino Schillebeeckx​&nbsp;, You can update/rotate CMK at a later time (on a running workspace). Please refer: <A href="https://docs.databricks.com/security/keys/customer-managed-keys-managed-services-aws.html?_ga=2.214562071.1895504292.1667411694-643525343.1663499643#add-or-update-a-customer-managed-key-on-a-running-workspace" alt="https://docs.databricks.com/security/keys/customer-managed-keys-managed-services-aws.html?_ga=2.214562071.1895504292.1667411694-643525343.1663499643#add-or-update-a-customer-managed-key-on-a-running-workspace" target="_blank">https://docs.databricks.com/security/keys/customer-managed-keys-managed-services-aws.html?_ga=2.214562071.1895504292.1667411694-643525343.1663499643#add-or-update-a-customer-managed-key-on-a-running-workspace</A></P> Fri, 04 Nov 2022 07:17:18 GMT https://community.databricks.com/t5/data-engineering/cmk-for-managed-services-automatic-rotation/m-p/23896#M16578 Debayan 2022-11-04T07:17:18Z