
In an effort to re-alias some of our KMS keys via AWS CDK, we have found that there are now S3 objects still referencing an old key that's in pending deletion...

What we've done:

  • Give an existing bucket KMS key a new alias
  • A new KMS key is created and appropriately associated to an S3 bucket

At this point, we see that the newly created KMS key has been added to the S3 bucket, but when we drill down to the CSV objects in the bucket, we notice the objects still reference the old KMS keys. Those are now orphaned and are in pending deletion. We assumed that the "child objects" (CSV) would take on the new bucket key.

We're really green in AWS and CDK altogether...have we made some incorrect assumptions? Thank you very much.


1 Answer


When you update the KMS key of the S3 bucket, existing objects are not affected unless you explicitly re-encrypt them.

Similar cases are written up in the AWS blog and Knowledge Center.
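The answer above describes the behaviour (a bucket's default encryption setting only applies to objects written after the change); the practical consequence is that every existing object has to be copied onto itself under the new key. The following is an added example, not code from the question or the answer, showing one way to do that with the S3 `CopyObject` API and then audit the bucket. The bucket name, key ARNs and object keys are constructed placeholders, and the `FakeS3` class is an in-memory stand-in for a boto3 S3 client so the logic runs offline; against a real account you would pass `boto3.client("s3")` instead. Two caveats the copy has to respect: S3 must still be able to decrypt the old objects, so a key in pending deletion has to be restored (`CancelKeyDeletion`) before the copy, and `CopyObject` is limited to 5 GB, so larger objects need a multipart copy and are only reported here.

```python
"""Re-encrypt existing S3 objects under a new KMS key by copying them in place.

Added illustration, not the poster's or AWS's code. Bucket name, key ARNs and
object keys are constructed placeholders.
"""

# CopyObject rejects sources larger than 5 GB; those need a multipart copy.
MAX_SINGLE_COPY = 5 * 1024 ** 3

# Constructed placeholder ARNs (not real keys).
OLD_KEY = "arn:aws:kms:us-east-1:111122223333:key/OLD-KEY-PLACEHOLDER"
NEW_KEY = "arn:aws:kms:us-east-1:111122223333:key/NEW-KEY-PLACEHOLDER"


def list_keys(s3, bucket):
    """Yield every object key in the bucket, following ListObjectsV2 pagination."""
    token = None
    while True:
        kwargs = {"Bucket": bucket}
        if token:
            kwargs["ContinuationToken"] = token
        page = s3.list_objects_v2(**kwargs)
        for obj in page.get("Contents", []):
            yield obj["Key"]
        if not page.get("IsTruncated"):
            return
        token = page["NextContinuationToken"]


def reencrypt_bucket(s3, bucket, new_key_arn):
    """Copy each object onto itself with SSEKMSKeyId=new_key_arn.

    Returns (reencrypted, skipped_too_large, already_on_new_key) key lists.
    The caller needs kms:Decrypt on the old key (which must not be in pending
    deletion) and kms:GenerateDataKey on the new one; on a versioned bucket
    every copy creates a new object version.
    """
    done, too_large, already_ok = [], [], []
    for key in list_keys(s3, bucket):
        head = s3.head_object(Bucket=bucket, Key=key)
        # SSEKMSKeyId is absent for SSE-S3/unencrypted objects; those get re-encrypted too.
        if head.get("SSEKMSKeyId") == new_key_arn:
            already_ok.append(key)
            continue
        if head["ContentLength"] > MAX_SINGLE_COPY:
            too_large.append(key)
            continue
        s3.copy_object(
            Bucket=bucket,
            Key=key,
            CopySource={"Bucket": bucket, "Key": key},
            MetadataDirective="COPY",  # keep user metadata and content-type
            ServerSideEncryption="aws:kms",
            SSEKMSKeyId=new_key_arn,
        )
        done.append(key)
    return done, too_large, already_ok


def audit_bucket(s3, bucket, expected_key_arn):
    """Return the keys of objects NOT encrypted under expected_key_arn."""
    return [
        k for k in list_keys(s3, bucket)
        if s3.head_object(Bucket=bucket, Key=k).get("SSEKMSKeyId") != expected_key_arn
    ]


class FakeS3:
    """Constructed in-memory stand-in for the boto3 S3 client (offline demo only).

    Pages two keys at a time so the pagination loop above is exercised.
    """

    def __init__(self, objects):
        self.objects = objects  # key -> {"size": int, "kms": arn or None}

    def list_objects_v2(self, Bucket, ContinuationToken=None):
        keys = sorted(self.objects)
        start = int(ContinuationToken or 0)
        chunk = keys[start:start + 2]
        resp = {"Contents": [{"Key": k} for k in chunk],
                "IsTruncated": start + 2 < len(keys)}
        if resp["IsTruncated"]:
            resp["NextContinuationToken"] = str(start + 2)
        return resp

    def head_object(self, Bucket, Key):
        o = self.objects[Key]
        resp = {"ContentLength": o["size"]}
        if o["kms"]:
            resp["SSEKMSKeyId"] = o["kms"]
        return resp

    def copy_object(self, Bucket, Key, CopySource, MetadataDirective,
                    ServerSideEncryption, SSEKMSKeyId):
        self.objects[Key]["kms"] = SSEKMSKeyId
        return {"SSEKMSKeyId": SSEKMSKeyId}


def sample_client():
    """Constructed sample bucket: three objects on the old key, one already migrated."""
    return FakeS3({
        "a.csv": {"size": 10, "kms": OLD_KEY},
        "b.csv": {"size": 20, "kms": NEW_KEY},
        "c.csv": {"size": 6 * 1024 ** 3, "kms": OLD_KEY},  # over the CopyObject limit
        "d.csv": {"size": 30, "kms": None},                # SSE-S3, no KMS key id
    })


def demo():
    """Run the migration against the sample bucket and return what is left unmigrated."""
    s3 = sample_client()
    done, too_large, already_ok = reencrypt_bucket(s3, "example-bucket", NEW_KEY)
    return done, too_large, already_ok, audit_bucket(s3, "example-bucket", NEW_KEY)


if __name__ == "__main__":
    print(demo())
```

On a real bucket the audit step is what turns this from a one-off fix into a check you can rerun before scheduling the old key for deletion again: anything it reports is an object that will become unreadable the moment that key is gone.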