AWS Certified Security – Specialty — Question 16
An organization policy states that all encryption keys must be automatically rotated every 12 months.
Which AWS Key Management Service (KMS) key type should be used to meet this requirement?
Answer options
- A. AWS managed Customer Master Key (CMK)
- B. Customer managed CMK with AWS generated key material
- C. Customer managed CMK with imported key material
- D. AWS managed data key
Correct answer: A
Explanation
The correct answer is A: AWS managed Customer Master Keys (CMKs) are rotated automatically every year, which aligns with the organization's policy. Options B and C require manual intervention for key rotation, and option D refers to data keys, which, unlike CMKs, are not intended for long-term key management.