AWS Certified Security – Specialty — Question 33
A company has a customer master key (CMK) with imported key material. Company policy requires that all encryption keys be rotated every year.
What can be done to implement the above policy?
Answer options
- A. Enable automatic key rotation annually for the CMK.
- B. Use AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
- C. Import new key material to the existing CMK and manually rotate the CMK.
- D. Create a new CMK, import new key material to it, and point the key alias to the new CMK.
Correct answer: D
Explanation
The correct answer is D: creating a new CMK, importing new key material into it, and pointing the key alias to the new CMK gives a clean key rotation that adheres to the policy. Options A and B do not apply because they rely on automatic key management, whereas a CMK with imported key material calls for manual rotation. Option C involves manual rotation but does not effectively implement the policy as required.