AWS Certified Security – Specialty (SCS-C02) — Question 83

A security engineer must use AWS Key Management Service (AWS KMS) to design a key management solution for a set of Amazon Elastic Block Store (Amazon EBS) volumes that contain sensitive data. The solution needs to ensure that the key material automatically expires in 90 days.

Which solution meets these criteria?

Answer options

• A. A customer managed key that uses customer provided key material
• B. A customer managed key that uses AWS provided key material
• C. An AWS managed key
• D. Operating system encryption that uses GnuPG

Correct answer: A

Explanation

The correct solution is A, as a customer managed key with customer provided key material allows for setting an expiration policy for the key, ensuring it automatically expires in 90 days. Option B does not allow for manual expiration settings, and while AWS managed keys (option C) simplify management, they do not provide the ability to set custom expiration. Option D involves a different encryption method not related to AWS KMS.