
CMK for managed services automatic rotation

Constantino
New Contributor III

The docs for the CMK for workspace storage state:

After you add a customer-managed key for storage, you cannot later rotate the key by setting a different key ARN for the workspace. However, AWS provides automatic CMK master key rotation, which rotates the underlying key without changing the key ARN as described in AWS docs. Automatic CMK master key rotation is compatible with Databricks customer-managed keys for storage.

However, the docs for managed services do not make any mention of automatic CMK master key rotation - does CMK for managed services support this AWS automation?

2 REPLIES

Debayan
Esteemed Contributor III

Hi @Constantino Schillebeeckx, you can update/rotate the CMK at a later time (on a running workspace). Please refer to: https://docs.databricks.com/security/keys/customer-managed-keys-managed-services-aws.html?_ga=2.2145...

Constantino
New Contributor III

Yep, I'm aware of manual key rotation, but I'd like to explicitly avoid it because:

  • it requires we take down our clusters (not feasible for our reporting clusters)
  • it means we have to add extra infra to our Terraform to execute the rotation (feels needless if AWS can already rotate them automatically)
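
An added example, not part of the thread or of Databricks' documentation: a read-only check of the AWS-side automatic rotation setting for the KMS keys a workspace uses, written against the boto3 KMS client calls `describe_key` and `get_key_rotation_status`. The key ARNs and the `StubKms` stand-in are constructed so the block runs offline; pass `boto3.client("kms")` instead to query a real account.

```python
"""Report whether AWS automatic rotation is on for a set of KMS keys."""

def rotation_report(kms, key_arns):
    """Return {arn: status} using a boto3-style KMS client."""
    report = {}
    for arn in key_arns:
        meta = kms.describe_key(KeyId=arn)["KeyMetadata"]
        # Automatic rotation applies only to customer managed, symmetric
        # encryption keys whose key material KMS generated itself.
        if meta["KeyManager"] != "CUSTOMER":
            report[arn] = "aws-managed (rotation controlled by AWS)"
        elif meta["KeySpec"] != "SYMMETRIC_DEFAULT" or meta["Origin"] != "AWS_KMS":
            report[arn] = "automatic rotation not supported"
        elif kms.get_key_rotation_status(KeyId=arn)["KeyRotationEnabled"]:
            report[arn] = "automatic rotation enabled"
        else:
            report[arn] = "automatic rotation disabled"
    return report


class StubKms:
    """Constructed responses standing in for boto3.client('kms')."""
    def __init__(self, keys):
        self._keys = keys  # arn -> (KeyManager, KeySpec, Origin, rotation flag)

    def describe_key(self, KeyId):
        manager, spec, origin, _ = self._keys[KeyId]
        return {"KeyMetadata": {"Arn": KeyId, "KeyManager": manager,
                                "KeySpec": spec, "Origin": origin}}

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self._keys[KeyId][3]}


# Constructed sample ARNs (placeholder account and key ids).
STORAGE = "arn:aws:kms:us-east-1:111122223333:key/storage-placeholder"
MANAGED = "arn:aws:kms:us-east-1:111122223333:key/managed-services-placeholder"
IMPORTED = "arn:aws:kms:us-east-1:111122223333:key/imported-placeholder"
SAMPLE = StubKms({
    STORAGE: ("CUSTOMER", "SYMMETRIC_DEFAULT", "AWS_KMS", True),
    MANAGED: ("CUSTOMER", "SYMMETRIC_DEFAULT", "AWS_KMS", False),
    IMPORTED: ("CUSTOMER", "SYMMETRIC_DEFAULT", "EXTERNAL", False),
})

if __name__ == "__main__":
    for arn, status in rotation_report(SAMPLE, [STORAGE, MANAGED, IMPORTED]).items():
        print(arn, "->", status)
```

The report covers only the KMS setting; it says nothing about whether a given Databricks feature accepts automatically rotated keys.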