A company uses an AWS Key Management Service (AWS KMS) CMK to encrypt application data before it is stored. The company’s security policy was recently modified to require encryption key rotation annually. A security engineer must ensure that annual global key rotation is enabled for the key without making changes to the application. What should the security engineer do to accomplish this requirement?

Topic #: - All AWS Certified Security - Specialty Questions

A. Create new AWS managed keys. Configure the key schedule for the annual rotation. Create an alias to point to the new keys.
B. Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Fall back to the old key ID to decrypt data that was encrypted with previous versions of the key.
C. Create new AWS managed CMKs. Configure the key schedule for annual rotation. Create an alias to point to the new CMKs.
D. Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Create a key grant for the old CMKs and update the code to point to the ARN of the grants.

- Awsexamhub website is not related to, affiliated with, endorsed or authorized by Amazon.
- Trademarks, certification & product names are used for reference only and belong to Amazon.

Suggested Answer:

Reference Material:

Suggested Answer:

Reference Material:

Share this post

Join the Discussion