Okay, after debugging Vault I have realised that it’s how AWS KMS symmetric encryption works: it puts the original key ID into the encrypted data payload automatically.
Which means there is really no way to migrate to a new key ID even if you know the key.
What’s the DR scenario for running AWS KMS unseal then?