hashicorp · austingebauer · Jun 29, 2021 · Jun 29, 2021 · Jun 29, 2021 · Jun 29, 2021
@@ -6,9 +6,6 @@ description: The AWS KMS API documentation for the Key Management secrets engine
 
 # AWS KMS (API)
 
-~> **Note:** This provider is currently a **_beta_** feature and not recommended
-for deployment in production.
-
 The Key Management secrets engine supports lifecycle management of keys in [AWS KMS](https://aws.amazon.com/kms/)
 regions. This is accomplished by configuring a KMS provider resource with the `awskms` provider and
 other provider-specific parameter values.

@@ -6,9 +6,6 @@ description: AWS KMS is a supported KMS provider of the Key Management secrets e
 
 # AWS KMS
 
-~> **Note:** This provider is currently a **_beta_** feature and not recommended
-for deployment in production.
-
 The Key Management secrets engine supports lifecycle management of keys in [AWS KMS](https://aws.amazon.com/kms/)
 regions. This is accomplished by configuring a KMS provider resource with the `awskms` provider and
 other provider-specific parameter values.
@@ -64,3 +61,12 @@ for a detailed description of individual configuration parameters.
 Keys are securely transferred from the secrets engine to AWS KMS regions in accordance
 with the AWS KMS [Bring Your Own Key](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html)
 specification.
+
+## Key Rotation
+
+Customer master keys (CMKs) with imported key material are not eligible for
+[automatic key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html)
+within AWS KMS. As such, key rotations performed by the secrets engine use the
+[manual key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually)
+process. Applications should refer to the [alias](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html)
+associated with imported keys. Aliases will always have the form: `hashicorp/<key_name>-<unix_timestamp>`.