AWS Certified Security – Specialty — Question 147
A company has a compliance requirement to rotate its encryption keys on an annual basis. A Security Engineer needs a process to rotate the KMS Customer Master Keys (CMKs) that were created using imported key material.
How can the Engineer perform the key rotation process MOST efficiently?
Answer options
- A. Create a new CMK, and redirect the existing Key Alias to the new CMK.
- B. Select the option to auto-rotate the key.
- C. Upload new key material into the existing CMK.
- D. Create a new CMK, and change the application to point to the new CMK.
Correct answer: A
Explanation
The correct answer is A: creating a new CMK and redirecting the existing key alias to it allows a seamless transition, because applications that use the alias are not affected. Option B is incorrect because automatic rotation is not available for CMKs created with imported key material. Option C does not meet the requirement, as it does not fulfill the annual rotation policy. Option D introduces unnecessary changes to the application, making it less efficient.