The company is using AWS KMS to encrypt AWS resources such as S3, EBS, RDS and DynamoDB.
Due to some policies, on a regular basis we need to re-encrypt the data using a newly created CMK.
AWS doesn't deliver any method to re-encrypt the data.
See more info here: [login to view URL]
Therefore, the project consists of writing a detailed procedure for re-encrypting files with a new AWS CMK for the following technology:
AWS CloudWatch Logs
The procedure must contain:
1) The AWS CLI commands and the CloudFormation templates to execute the key rotation by re-encrypting the data with a new key (already generated, with an ARN available for use).
2) The AWS CLI command(s) and CloudFormation templates to identify the resources using the old AWS key and build an inventory of the resources in question.
The key rotation must occur without any data loss or corruption.
3) A small user manual on how to use it and its possible limitations, if applicable.
4) Proof that the re-encryption processes work, documented with a few screenshots showing that it works.
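As an added example (my own code, not part of the posting or any AWS-provided deliverable), the inventory step of item 2 and the command-generation step of item 1 for CloudWatch Logs: walk describe-log-groups with its nextToken pagination, keep the log groups whose kmsKeyId is the key being retired, and emit the associate-kms-key commands that move each of them to the new key, plus the describe-log-groups commands used to verify the switch for the proof in item 4. The two key ARNs and the log group names are constructed placeholders; the FakeLogsClient is a constructed stand-in for boto3's CloudWatch Logs client so the script runs offline, and boto3 is used when it is installed. One caveat a procedure must state: associate-kms-key applies to newly ingested events only, and events ingested before the switch remain encrypted under the old key, so the old key must stay enabled (not scheduled for deletion) until that data has expired under the group's retention policy or has been exported and re-ingested, otherwise CloudWatch Logs can no longer decrypt it.

```python
"""Inventory CloudWatch log groups encrypted under a retiring KMS key and plan the re-keying.

Example code, not the posting's deliverable. Key ARNs and group names are placeholders.
"""
import shlex
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Optional

# Placeholder ARNs (constructed for this example; substitute the real key ARNs).
OLD_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-0000000000a1"
NEW_KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/00000000-0000-0000-0000-0000000000b2"


def iter_log_groups(client) -> Iterable[Dict[str, Any]]:
    """Yield every log group, following the nextToken pagination of describe_log_groups.

    `client` is any object exposing describe_log_groups(**kwargs): boto3.client("logs")
    in production, FakeLogsClient below when running offline.
    """
    kwargs: Dict[str, Any] = {}
    while True:
        page = client.describe_log_groups(**kwargs)
        for group in page.get("logGroups", []):
            yield group
        token = page.get("nextToken")
        if not token:
            return
        kwargs = {"nextToken": token}


@dataclass
class InventoryEntry:
    log_group_name: str
    kms_key_id: Optional[str]  # None when the group is not encrypted with a customer key


def build_inventory(groups: Iterable[Dict[str, Any]], old_key_arn: str) -> List[InventoryEntry]:
    """Keep only the log groups whose current KMS key is the key being retired."""
    return [InventoryEntry(g["logGroupName"], g.get("kmsKeyId"))
            for g in groups if g.get("kmsKeyId") == old_key_arn]


def rotation_commands(inventory: List[InventoryEntry], new_key_arn: str) -> List[str]:
    """AWS CLI commands that switch each inventoried group to the new key.

    associate-kms-key covers newly ingested events only; events already stored stay
    under the old key, so do not disable or schedule deletion of the old key until
    that data has expired or been exported and re-ingested.
    """
    return [f"aws logs associate-kms-key --log-group-name {shlex.quote(e.log_group_name)} "
            f"--kms-key-id {shlex.quote(new_key_arn)}" for e in inventory]


def verification_commands(inventory: List[InventoryEntry]) -> List[str]:
    """Commands whose output (logGroupName, kmsKeyId) documents the switch for the proof."""
    return [f"aws logs describe-log-groups --log-group-name-prefix {shlex.quote(e.log_group_name)} "
            "--query 'logGroups[].[logGroupName,kmsKeyId]' --output table" for e in inventory]


class FakeLogsClient:
    """Constructed stand-in for boto3's CloudWatch Logs client: two pages of results."""

    _PAGES = {
        None: {"logGroups": [
            {"logGroupName": "/aws/lambda/app", "kmsKeyId": OLD_KEY_ARN},
            {"logGroupName": "/app/api", "kmsKeyId": NEW_KEY_ARN},   # already rotated
            {"logGroupName": "/app/audit"},                          # no customer key
        ], "nextToken": "page-2"},
        "page-2": {"logGroups": [
            {"logGroupName": "/app/db", "kmsKeyId": OLD_KEY_ARN},
        ]},
    }

    def describe_log_groups(self, **kwargs):
        return self._PAGES[kwargs.get("nextToken")]


def make_client():
    """Use the real boto3 client when available, otherwise the offline fake."""
    try:
        import boto3  # optional dependency
        return boto3.client("logs")
    except ImportError:
        return FakeLogsClient()


if __name__ == "__main__":
    inventory = build_inventory(iter_log_groups(make_client()), OLD_KEY_ARN)
    print("# log groups still on the old key:")
    for entry in inventory:
        print(f"#   {entry.log_group_name}")
    print("\n".join(rotation_commands(inventory, NEW_KEY_ARN)))
    print("\n".join(verification_commands(inventory)))
```

The generated commands are printed rather than executed so they can be reviewed (and pasted into the user manual) before the rotation is run; the same inventory list also gives the "before" state for the screenshots.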