by opticalfiber 2209 days ago
AWS KMS also enforces a waiting period of between 7 and 30 days before it will let you delete a key.

There’s also a feature you can enable that automatically rotates your key once a year. KMS is great!

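The two KMS features the comment above mentions, scheduling a deletion that only takes effect after the 7 to 30 day waiting period and enabling the yearly automatic rotation, as a small shell wrapper around the AWS CLI. This is an added example, not code from the thread or from AWS; the key identifier passed in is a placeholder, the function names are my own, and AWS_CMD is a hypothetical hook that lets you set AWS_CMD=echo to print the commands instead of running them. The wrapper rejects a pending window outside 7 to 30 locally, so a typo never reaches the API, and shows the cancel call that undoes a scheduled deletion while the window is still open.

```shell
#!/bin/sh
# Added example (not from the thread): AWS KMS key lifecycle helpers.
# AWS_CMD is a hypothetical hook: export AWS_CMD=echo to dry-run and see
# the exact CLI invocation instead of executing it.
set -eu
: "${AWS_CMD:=aws}"

# KMS only accepts a pending window of 7..30 days; check it locally first.
kms_valid_window() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
  esac
  [ "$1" -ge 7 ] && [ "$1" -le 30 ]
}

# Schedule deletion. The key moves to PendingDeletion immediately (it can no
# longer encrypt or decrypt), but the material is destroyed only after the
# window elapses, so ciphertext under this key is still recoverable until then.
kms_schedule_deletion() {
  key_id="$1"
  days="${2:-30}"   # KMS's own default is also 30 days
  if ! kms_valid_window "$days"; then
    echo "pending window must be 7-30 days, got '$days'" >&2
    return 2
  fi
  $AWS_CMD kms schedule-key-deletion \
    --key-id "$key_id" \
    --pending-window-in-days "$days"
}

# Undo a scheduled deletion while the window is open. The key returns to the
# Disabled state; run enable-key afterwards if you want it usable again.
kms_cancel_deletion() {
  $AWS_CMD kms cancel-key-deletion --key-id "$1"
  $AWS_CMD kms enable-key --key-id "$1"
}

# Turn on automatic yearly rotation for a symmetric customer managed key and
# read the status back to confirm it took effect.
kms_enable_rotation() {
  $AWS_CMD kms enable-key-rotation --key-id "$1"
  $AWS_CMD kms get-key-rotation-status --key-id "$1"
}

# Usage: kms_lifecycle.sh <key-id-or-alias> [pending-window-days]
# Runs nothing when invoked without arguments so the functions can be sourced.
if [ $# -ge 1 ]; then
  kms_enable_rotation "$1"
  kms_schedule_deletion "$1" "${2:-30}"
fi
```

Dry-run first (`AWS_CMD=echo ./kms_lifecycle.sh alias/placeholder 14`) and only then run it for real; scheduling a deletion disables the key at once, and once the window closes nothing encrypted under it can ever be decrypted again. Rotation, by contrast, does not re-encrypt anything: KMS generates new backing material for future encrypt calls and keeps the old material so existing ciphertext still decrypts.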

Given the keys never leave the KMS hardware encryption module, are you at all concerned that all your data will be destroyed if you lose access to KMS for any reason? That's what has always given me pause when I consider KMS. Or do KMS users just take on faith that AWS will always be there?

Why do you like their auto-rotation? The keys that are rotated out are never disabled, so I don't really understand the benefit. In what scenario would their auto-rotation improve security?