I’d be happy to walk you through the process of key rotation when using a supported cloud KMS. First, it may be helpful to review how keys are used within CSFLE. CSFLE stores encrypted data keys in the MongoDB key vault, which is a collection in your database. Those key vault data keys are encrypted using the cloud KMS’s CMK, through a process called envelope encryption, before being stored in the key vault. The CSFLE documentation page describes the key hierarchy and gives instructions on how to use the different supported cloud KMSs with CSFLE in the “Encryption Components” section.
When you rotate a CMK in your cloud KMS, any new CSFLE data keys created will be envelope encrypted using the newly rotated CMK, while any existing data keys will remain envelope encrypted using the previous CMK. The cloud KMSs have logic built in that identifies which version of a CMK was used for encryption and will choose the correct CMK for decryption. There are no changes needed on the client side when using the cloud KMS CMK rotate functionality. Please note that this assumes that you have not deleted the previous CMK. Deleting the previous CMK will make your existing data unrecoverable. Please refer to your chosen cloud KMS documentation for instructions on how to rotate a CMK.
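To make the behaviour in the answer above concrete, here is an added simulation (not from the original post, and not MongoDB's or any cloud provider's code) of the key hierarchy it describes: a KMS holding versioned CMKs, a key vault holding DEKs wrapped under whichever CMK version was current when they were created, and client-side field encryption under the unwrapped DEK. Rotating the CMK leaves old wrapped DEKs decryptable because each wrapped blob carries its CMK version; deleting that version makes the old DEK, and every field encrypted under it, unrecoverable. Everything here is assumed for illustration: `SimulatedKms`, `KeyVault`, the 4-byte version prefix, and the HMAC-SHA256-based seal/unseal stand-in for the real AEAD a KMS or libmongocrypt would use.

```python
import hashlib
import hmac
import os
import struct


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the encryption and MAC keys derived from one key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream. Illustration only;
    # a real KMS / libmongocrypt uses AES-based AEAD, not this construction.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class SimulatedKms:
    """Assumed in-memory stand-in for a cloud KMS with a versioned CMK."""

    def __init__(self) -> None:
        self._versions = {}          # version -> CMK key material (never leaves the KMS)
        self.current_version = 0
        self.rotate()

    def rotate(self) -> int:
        # Rotation adds a new version; older versions stay usable for decrypt.
        self.current_version += 1
        self._versions[self.current_version] = os.urandom(32)
        return self.current_version

    def delete_version(self, version: int) -> None:
        del self._versions[version]  # the irreversible step the answer warns about

    def encrypt(self, plaintext: bytes) -> bytes:
        # The wrapped blob records which CMK version produced it.
        v = self.current_version
        return struct.pack(">I", v) + seal(self._versions[v], plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        # The KMS, not the client, picks the CMK version from the blob.
        (version,) = struct.unpack(">I", blob[:4])
        key = self._versions.get(version)
        if key is None:
            raise KeyError(f"CMK version {version} no longer exists; data is unrecoverable")
        return unseal(key, blob[4:])

    @staticmethod
    def version_of(blob: bytes) -> int:
        return struct.unpack(">I", blob[:4])[0]


class KeyVault:
    """Assumed stand-in for the CSFLE key vault collection: stores only wrapped DEKs."""

    def __init__(self, kms: SimulatedKms) -> None:
        self.kms = kms
        self._docs = {}  # keyAltName -> {"keyMaterial": wrapped DEK}

    def create_data_key(self, key_alt_name: str) -> None:
        dek = os.urandom(96)  # DEK generated client-side, stored only in wrapped form
        self._docs[key_alt_name] = {"keyMaterial": self.kms.encrypt(dek)}

    def unwrap(self, key_alt_name: str) -> bytes:
        return self.kms.decrypt(self._docs[key_alt_name]["keyMaterial"])

    def cmk_version(self, key_alt_name: str) -> int:
        return SimulatedKms.version_of(self._docs[key_alt_name]["keyMaterial"])


def encrypt_field(vault: KeyVault, key_alt_name: str, value: bytes) -> bytes:
    return seal(vault.unwrap(key_alt_name), value)


def decrypt_field(vault: KeyVault, key_alt_name: str, ciphertext: bytes) -> bytes:
    return unseal(vault.unwrap(key_alt_name), ciphertext)


def rotation_scenario() -> dict:
    """Walk through rotate, then delete, and report what is still recoverable."""
    kms = SimulatedKms()
    vault = KeyVault(kms)
    vault.create_data_key("before-rotation")
    old_field = encrypt_field(vault, "before-rotation", b"123-45-6789")   # constructed sample
    kms.rotate()                                   # done in the cloud; no client change
    vault.create_data_key("after-rotation")        # new DEK -> wrapped under version 2
    new_field = encrypt_field(vault, "after-rotation", b"987-65-4321")    # constructed sample
    result = {
        "old_dek_cmk_version": vault.cmk_version("before-rotation"),
        "new_dek_cmk_version": vault.cmk_version("after-rotation"),
        "old_field_after_rotation": decrypt_field(vault, "before-rotation", old_field),
        "new_field_after_rotation": decrypt_field(vault, "after-rotation", new_field),
    }
    kms.delete_version(1)                          # the mistake the answer warns about
    try:
        decrypt_field(vault, "before-rotation", old_field)
        result["old_field_after_deleting_v1"] = "recoverable"
    except KeyError:
        result["old_field_after_deleting_v1"] = "unrecoverable"
    result["new_field_after_deleting_v1"] = decrypt_field(vault, "after-rotation", new_field)
    return result
```

Note that rotation alone never re-wraps the existing DEK: its blob still says version 1, and it keeps working only as long as version 1 exists in the KMS. If you want old DEKs moved onto the new CMK version, that is a separate re-wrap of the key vault documents, not something the KMS rotate button does for you.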