AWS Certified Security – Specialty (SCS-C02) — Question 268

A company must create annual snapshots of Amazon Elastic Block Store (Amazon EBS) volumes. The company must retain the snapshots for 10 years. The company will use AWS Key Management Service (AWS KMS) to encrypt the EBS volumes and snapshots.

The encryption keys must be rotated automatically every year. Snapshots that were created in previous years must be readable after rotation of the encryption keys.

Which type of KMS keys should the company use for encryption to meet these requirements?

Answer options

Correct answer: B

Explanation

Symmetric customer managed KMS keys whose key material was generated by AWS KMS (origin AWS_KMS) are the only option that satisfies both requirements. Automatic rotation can be enabled on such a key and runs once a year by default. When KMS rotates the key it generates new key material for new encryption operations but retains every previous version of the material, so ciphertext produced in earlier years (for EBS, the encrypted data key stored with each snapshot) is still decrypted transparently and nothing has to be re-encrypted. Asymmetric keys, keys with imported key material, and keys in custom key stores do not support automatic rotation. AWS managed keys are not suitable because their rotation schedule is controlled by AWS, not the customer: they were rotated every three years until AWS moved them to annual rotation in 2022, and in either case the company cannot set or verify the policy itself.
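The following Python model, added here as an illustration and not part of the original question or of any AWS code, shows why old snapshots stay readable after rotation: a KMS key is a list of retained key material versions, every ciphertext records the version that produced it, and EBS snapshots only store a data key encrypted under the KMS key. The key id, the SHA-256 keystream used in place of AES, and the snapshot payloads are all constructed for the example.

```python
"""Model of KMS automatic rotation plus EBS envelope encryption (constructed example)."""
import hashlib
import secrets
from dataclasses import dataclass, field


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream (symmetric, so it also decrypts).
    Real KMS and EBS use AES-256; this only keeps the example standard-library-only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class KmsKey:
    key_id: str
    origin: str = "AWS_KMS"          # "EXTERNAL" models imported key material
    rotation_enabled: bool = False
    material_versions: list = field(default_factory=list)  # all versions are retained

    def __post_init__(self) -> None:
        self.material_versions.append(secrets.token_bytes(32))  # version 0

    @property
    def current_version(self) -> int:
        return len(self.material_versions) - 1

    def enable_rotation(self) -> None:
        # KMS refuses automatic rotation for imported material (and asymmetric keys).
        if self.origin != "AWS_KMS":
            raise ValueError("automatic rotation requires KMS-generated key material")
        self.rotation_enabled = True

    def rotate(self) -> None:
        """What KMS does on the yearly schedule: add new material, keep the old."""
        if not self.rotation_enabled:
            raise ValueError("automatic rotation is not enabled")
        self.material_versions.append(secrets.token_bytes(32))

    def encrypt(self, plaintext: bytes) -> dict:
        v = self.current_version                 # new ciphertext always uses the newest version
        nonce = secrets.token_bytes(16)
        return {"key_id": self.key_id, "version": v, "nonce": nonce,
                "ciphertext": keystream_xor(self.material_versions[v], nonce, plaintext)}

    def decrypt(self, blob: dict) -> bytes:
        if blob["key_id"] != self.key_id:
            raise ValueError("ciphertext belongs to a different key")
        material = self.material_versions[blob["version"]]  # whichever version encrypted it
        return keystream_xor(material, blob["nonce"], blob["ciphertext"])

    def generate_data_key(self) -> tuple:
        plaintext_dk = secrets.token_bytes(32)
        return plaintext_dk, self.encrypt(plaintext_dk)


def create_snapshot(volume_bytes: bytes, key: KmsKey) -> dict:
    """EBS-style envelope encryption: data encrypted with a data key, data key wrapped by KMS."""
    plaintext_dk, encrypted_dk = key.generate_data_key()
    nonce = secrets.token_bytes(16)
    return {"encrypted_data_key": encrypted_dk, "nonce": nonce,
            "data": keystream_xor(plaintext_dk, nonce, volume_bytes)}


def read_snapshot(snapshot: dict, key: KmsKey) -> bytes:
    plaintext_dk = key.decrypt(snapshot["encrypted_data_key"])  # works for any retained version
    return keystream_xor(plaintext_dk, snapshot["nonce"], snapshot["data"])


def simulate_retention(years: int = 10) -> dict:
    """Take one snapshot per year with a rotation after each; check every snapshot still reads."""
    key = KmsKey("constructed-example-key-id")
    key.enable_rotation()
    snapshots = []
    for year in range(years):
        snapshots.append((year, create_snapshot(f"volume-data-year-{year}".encode(), key)))
        key.rotate()
    readable = all(read_snapshot(s, key) == f"volume-data-year-{y}".encode() for y, s in snapshots)
    return {"key_versions_retained": len(key.material_versions),
            "versions_used": [s["encrypted_data_key"]["version"] for _, s in snapshots],
            "all_snapshots_readable": readable}


def imported_material_rejects_rotation() -> bool:
    try:
        KmsKey("constructed-imported-key-id", origin="EXTERNAL").enable_rotation()
    except ValueError:
        return True
    return False
```

In a real account the equivalent controls are `aws kms enable-key-rotation --key-id <key-id>` (optionally `--rotation-period-in-days 365`, the default) and `aws kms get-key-rotation-status --key-id <key-id>` to confirm it; rotation never re-encrypts existing snapshots, exactly as the model shows.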