All Products
Search
Document Center

Key Management Service:UpdateRotationPolicy

Last Updated:Jul 29, 2025

Updates a key rotation policy.

Operation description

When automatic key rotation is enabled, KMS automatically creates a key version after the preset rotation period arrives. In addition, KMS sets the new key version as the primary key version.

An automatic key rotation policy cannot be configured for the following keys:

  • Asymmetric key
  • Service-managed key
  • Bring your own key (BYOK) that is imported into KMS
  • Key that is not in the Enabled state

In this example, automatic key rotation is enabled for a CMK whose ID is 1234abcd-12ab-34cd-56ef-12345678****. The automatic rotation period is 30 days.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

There is currently no authorization information disclosed in the API.

Request parameters

ParameterTypeRequiredDescriptionExample
KeyIdstringYes

The ID of the customer master key (CMK). The ID must be globally unique.

1234abcd-12ab-34cd-56ef-12345678****
EnableAutomaticRotationbooleanYes

Specifies whether to enable automatic key rotation. Valid values:

  • true: enables automatic key rotation.
  • false: disables automatic key rotation.
true
RotationIntervalstringNo

The period of automatic key rotation. Specify the value in the integer[unit] format. The following units are supported: d (day), h (hour), m (minute), and s (second). For example, you can use either 7d or 604800s to specify a seven-day period. The period can range from 7 days to 730 days.

Note If you set the EnableAutomaticRotation parameter to true, you must also specify this parameter. If you set the EnableAutomaticRotation parameter to false, you can leave this parameter unspecified.
30d

Response parameters

ParameterTypeDescriptionExample
object
RequestIdstring

The ID of the request, which is used to locate and troubleshoot issues.

efb1cbbd-a093-4278-bc03-639dd4fcc207

Examples

Sample success responses

JSONformat

{
  "RequestId": "efb1cbbd-a093-4278-bc03-639dd4fcc207"
}

Error codes

HTTP status codeError codeError messageDescription
400InvalidParameterThe specified parameter is not valid.An invalid value is specified for the parameter.
404InvalidAccessKeyId.NotFoundThe Access Key ID provided does not exist in our records.-
404Forbidden.KeyNotFoundThe specified Key is not found.The error message returned because the specified CMK does not exist.

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2023-12-20The Error code has changedView Change Details