AWS Certified Security – Specialty — Question 352
A company is using an AWS owned CMK in its application to encrypt files in an AWS account. The company’s security team wants to have the ability to change to new key material for new files whenever there is a potential key breach. A security engineer must implement a solution that gives the security team the ability to change the key whenever the team wants to do so.
Which solution will meet these requirements?
Answer options
- A. Create a new customer managed CMK. Add a key rotation schedule to the CMK. Invoke the key rotation schedule every time the security team requests a key change.
- B. Create a new AWS managed CMK. Add a key rotation schedule to the CMK. Invoke the key rotation schedule every time the security team requests a key change.
- C. Create a CMK alias. Create a new customer managed CMK every time the security team requests a key change. Associate the alias with the new CMK.
- D. Create a CMK alias. Create a new AWS managed CMK every time the security team requests a key change. Associate the alias with the new CMK.
Correct answer: C
Explanation
Automatic key rotation for a customer managed CMK runs on a fixed schedule and cannot be triggered on demand by the customer, so options A and B do not give the security team control over when new key material is used. To rotate immediately whenever the team chooses, create a new customer managed CMK and update the application's CMK alias so that it points to the new key; new files are then encrypted under the new key material, while files encrypted earlier remain decryptable as long as the old CMK stays enabled. AWS managed CMKs cannot be created by customers, and their aliases cannot be redirected, which rules out options B and D.