AWS Certified Security – Specialty (SCS-C02) — Question 182
A company has an AWS Key Management Service (AWS KMS) customer managed key with imported key material. Company policy requires all encryption keys to be rotated every year.
What should a security engineer do to meet this requirement for this customer managed key?
Answer options
- A. Enable automatic key rotation annually for the existing customer managed key.
- B. Use the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually.
- C. Import new key material to the existing customer managed key. Manually rotate the key.
- D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.
Correct answer: D
Explanation
The correct answer is D. A KMS key's origin is fixed when the key is created, and the key material of a key with origin EXTERNAL is bound to that key: you can re-import only the same material (to restore it after it expires or is deleted), not different material. There is therefore no way to rotate the material inside the existing key, so "rotation" for an imported-material key means creating a new key with origin EXTERNAL, importing fresh key material into it, and repointing the alias so that callers who encrypt through the alias start using the new key. Option A is incorrect because automatic key rotation is available only for keys whose key material KMS generated; it cannot be enabled on a key with imported key material. Option B is incorrect for the same reason: a Lambda function has no API it could call to rotate the existing key in place. Option C is incorrect because new (different) key material cannot be imported into an existing key; an import of anything other than the original material is rejected. Two practical caveats follow from D: the old key must stay enabled, with its key material in place, for as long as any ciphertext encrypted under it must still be decryptable (KMS selects the decryption key from the ciphertext, not from the alias), and principals that decrypt need kms:Decrypt on both the old and the new key.
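The manual rotation that option D describes, as an added example script using the AWS CLI and OpenSSL (this is not part of the original question or AWS's own tooling). It assumes an existing alias, here alias/app-data, and a file containing the new 32-byte key material produced by your own key management system or HSM; the alias name, the file name and the key description are placeholders. The script also shows the one check that is easy to get wrong offline: key material for a SYMMETRIC_DEFAULT key must be exactly 256 bits, or the import fails.

```shell
#!/usr/bin/env bash
# Added example: rotate a KMS key that has imported (origin EXTERNAL) key material
# by creating a new key, importing fresh material, and repointing the alias.
# Requires: aws CLI with KMS permissions, openssl, base64. Not run by this page.
set -euo pipefail

# KMS requires exactly 32 bytes (AES-256) of key material for a SYMMETRIC_DEFAULT key.
# Returns 0 when the file is the right size, 1 otherwise.
check_key_material() {
  local file="$1" size
  size=$(wc -c < "$file" | tr -d ' ')
  [ "$size" -eq 32 ]
}

# Usage: rotate_imported_key alias/app-data new-key-material.bin
# The material file comes from your own key source (e.g. an HSM export, or for
# a test only: openssl rand -out new-key-material.bin 32). Never reuse old bytes.
rotate_imported_key() {
  local alias_name="$1" material_file="$2" new_key_id old_key_id workdir
  check_key_material "$material_file" || { echo "key material must be exactly 32 bytes" >&2; return 1; }
  workdir=$(mktemp -d)

  # 1. New key with EXTERNAL origin: it starts in PendingImport with no material.
  new_key_id=$(aws kms create-key --origin EXTERNAL \
      --description "app-data (rotated $(date +%Y-%m-%d))" \
      --query KeyMetadata.KeyId --output text)

  # 2. Fetch the RSA wrapping public key (SPKI DER) and the import token (valid 24h).
  aws kms get-parameters-for-import --key-id "$new_key_id" \
      --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 \
      --query PublicKey --output text | base64 -d > "$workdir/wrapping-key.der"
  aws kms get-parameters-for-import --key-id "$new_key_id" \
      --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 \
      --query ImportToken --output text | base64 -d > "$workdir/import-token.bin"

  # 3. Wrap the plaintext material with RSA-OAEP(SHA-256) so it never leaves the
  #    host unencrypted. The OAEP and MGF1 digests must both be SHA-256 to match
  #    RSAES_OAEP_SHA_256.
  openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$workdir/wrapping-key.der" \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
      -pkeyopt rsa_mgf1_md:sha256 \
      -in "$material_file" -out "$workdir/wrapped.bin"

  # 4. Import. The key becomes Enabled once the material is in place.
  aws kms import-key-material --key-id "$new_key_id" \
      --encrypted-key-material "fileb://$workdir/wrapped.bin" \
      --import-token "fileb://$workdir/import-token.bin" \
      --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

  # 5. Repoint the alias. New Encrypt calls via the alias now use the new key;
  #    Decrypt of existing ciphertext still resolves to the old key ID embedded in
  #    the ciphertext, so the old key must stay enabled and must not be deleted.
  old_key_id=$(aws kms list-aliases \
      --query "Aliases[?AliasName=='$alias_name'].TargetKeyId" --output text)
  aws kms update-alias --alias-name "$alias_name" --target-key-id "$new_key_id"

  rm -rf "$workdir"
  echo "alias $alias_name now targets $new_key_id; previous key $old_key_id retained for decryption"
}

# Only perform the rotation when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = "rotate" ]; then
  rotate_imported_key "$2" "$3"
fi
```

Run it as `./rotate.sh rotate alias/app-data new-key-material.bin`. Because the token from get-parameters-for-import is single-use and short-lived, the script fetches the parameters immediately before wrapping; if the import fails, fetch a fresh token rather than retrying with the old one. Keep a record of which key ID was active during which period so that old ciphertext can be traced to the key that decrypts it.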