AWS Certified Security – Specialty — Question 210
A company uses an AWS Key Management Service (AWS KMS) CMK to encrypt application data before it is stored. The company's security policy was recently modified to require encryption key rotation annually. A security engineer must ensure that annual global key rotation is enabled for the key without making changes to the application.
What should the security engineer do to accomplish this requirement?
Answer options
- A. Create new AWS managed keys. Configure the key schedule for the annual rotation. Create an alias to point to the new keys.
- B. Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Fall back to the old key ID to decrypt data that was encrypted with previous versions of the key.
- C. Create new AWS managed CMKs. Configure the key schedule for annual rotation. Create an alias to point to the new CMKs.
- D. Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Create a key grant for the old CMKs and update the code to point to the ARN of the grants.
Correct answer: C
Explanation
The correct answer is C: creating new AWS managed CMKs and configuring them for annual rotation satisfies the security policy without affecting the existing application. Options A and C are similar, but option C is preferred because it aligns with the requirement of using customer managed CMKs. Options B and D require changes to the application, which conflicts with the requirement not to alter the application.