Updates a key rotation policy.

Usage notes

When automatic key rotation is enabled, KMS automatically creates a key version after the preset rotation period arrives. In addition, KMS sets the new key version as the primary key version.

An automatic key rotation policy cannot be configured for the following keys:

  • Asymmetric key
  • Service-managed key
  • Bring your own key (BYOK) that is imported into KMS
  • Key that is not in the Enabled state

In this example, automatic key rotation is enabled for a CMK whose key ID is 1234abcd-12ab-34cd-56ef-12345678****. The automatic rotation period is 30 days.


OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes UpdateRotationPolicy

The operation that you want to perform. Set the value to UpdateRotationPolicy.

EnableAutomaticRotation Boolean Yes true

Specifies whether to enable automatic key rotation. Valid values:

  • true: enables automatic key rotation.
  • false: disables automatic key rotation.
KeyId String Yes 1234abcd-12ab-34cd-56ef-12345678****

The ID of the customer master key (CMK). The ID must be globally unique.

RotationInterval String No 30d

The period of automatic key rotation. Specify the value in the integer[unit] format. The following units are supported: d (day), h (hour), m (minute), and s (second). For example, you can use either 7d or 604800s to specify a seven-day period. The period can range from 7 days to 730 days.

Note If you set the EnableAutomaticRotation parameter to true, you must also specify this parameter. If you set the EnableAutomaticRotation parameter to false, you can leave this parameter unspecified.

Response parameters

Parameter Type Example Description
RequestId String efb1cbbd-a093-4278-bc03-639dd4fcc207

The ID of the request.


Sample requests

&<Common request parameters>

Sample success responses

XML format


JSON format

    "RequestId": "efb1cbbd-a093-4278-bc03-639dd4fcc207"

Error codes

For a list of error codes, visit the API Error Center.