AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 3

A company uses AWS Key Management Service (AWS KMS) keys and manual key rotation to meet regulatory compliance requirements. The security team wants to be notified when any keys have not been rotated after 90 days.
Which solution will accomplish this?

Answer options

• A. Configure AWS KMS to publish to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
• B. Configure an Amazon EventBridge event to launch an AWS Lambda function to call the AWS Trusted Advisor API and publish to an Amazon Simple Notification Service (Amazon SNS) topic.
• C. Develop an AWS Config custom rule that publishes to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
• D. Configure AWS Security Hub to publish to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.

Correct answer: C

Explanation

The correct answer is C because an AWS Config custom rule can specifically monitor the age of KMS keys and trigger notifications when they exceed 90 days without rotation. Options A, B, and D do not directly provide a mechanism to monitor key rotation in the way specified; they either rely on other services or do not target the key age monitoring requirement effectively.