AWS Certified Security – Specialty — Question 434
A company has an AWS Key Management Service (AWS KMS) customer managed key with imported key material. Company policy requires all encryption keys to be rotated every year.
What should a security engineer do to meet this requirement for this customer managed key?
Answer options
- A. Enable automatic key rotation annually for the existing customer managed key.
- B. Use the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually.
- C. Import new key material to the existing customer managed key. Manually rotate the key.
- D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.
Correct answer: D
Explanation
AWS KMS only offers automatic key rotation for keys whose key material KMS generated itself (origin AWS_KMS); for a key created with origin EXTERNAL and imported key material, rotation cannot be enabled, and the existing key material cannot be overwritten in place. Rotating such a key is therefore a manual procedure: create a new customer managed key with origin EXTERNAL, import fresh key material into it, and move the existing alias to the new key with UpdateAlias so that applications encrypting through the alias pick up the new key without a code change. The old key must stay enabled (not scheduled for deletion, and with unexpired key material) for as long as ciphertexts it produced still need decrypting, because KMS decrypts with the key that created the ciphertext rather than with whatever the alias currently points to. Option A is wrong because automatic rotation is unavailable for imported key material; option B is wrong because a Lambda function has no API it could call to rotate this key's material; option C is wrong because importing into the existing key does not replace its key material, so nothing is rotated.
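The manual rotation described above, as an added example that is not part of the exam page or an AWS-supplied script. It assumes AWS CLI v2, openssl, and credentials allowed to call kms:DescribeKey, kms:CreateKey, kms:GetParametersForImport, kms:ImportKeyMaterial and kms:UpdateAlias; the alias name, the key-material file and the KMS_ROTATE_APPLY switch are placeholders chosen for the example. The two check functions run locally; the rotation itself only talks to AWS when KMS_ROTATE_APPLY=1 is set.

```shell
# Added example: manual rotation of a KMS key with imported key material
# (origin EXTERNAL). Not from the exam page; alias name, file name and the
# KMS_ROTATE_APPLY switch are assumptions for the example.
set -eu

# SYMMETRIC_DEFAULT keys accept exactly 256-bit (32-byte) key material.
# Refuse anything else before wrapping and uploading it.
check_key_material() {
  len=$(wc -c < "$1" | tr -d ' ')
  [ "$len" -eq 32 ]
}

# Alias names must start with alias/; alias/aws/ is reserved for AWS managed keys.
check_alias_name() {
  case "$1" in
    alias/aws/*) return 1 ;;
    alias/?*)    return 0 ;;
    *)           return 1 ;;
  esac
}

# Create a new key with no key material, wrap the fresh 256-bit secret with the
# RSA wrapping key KMS issues for that key, import it, then move the alias.
rotate_imported_key() {
  alias_name="$1"; key_material="$2"
  check_alias_name "$alias_name" || { echo "bad alias: $alias_name" >&2; return 1; }
  check_key_material "$key_material" || { echo "key material must be 32 bytes" >&2; return 1; }
  workdir=$(mktemp -d)

  old_key_id=$(aws kms describe-key --key-id "$alias_name" \
      --query KeyMetadata.KeyId --output text)

  new_key_id=$(aws kms create-key --origin EXTERNAL \
      --description "rotation of ${alias_name} $(date -u +%Y-%m-%d)" \
      --query KeyMetadata.KeyId --output text)

  # The wrapping public key and import token come back base64-encoded, and the
  # token is only valid for 24 hours, so wrap and import in one pass.
  aws kms get-parameters-for-import --key-id "$new_key_id" \
      --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 \
      --query '{Key:PublicKey,Token:ImportToken}' --output text \
    | awk -v d="$workdir" '{ print $1 > (d "/PublicKey.b64"); print $2 > (d "/ImportToken.b64") }'
  base64 -d "$workdir/PublicKey.b64"   > "$workdir/PublicKey.bin"
  base64 -d "$workdir/ImportToken.b64" > "$workdir/ImportToken.bin"

  # RSAES_OAEP_SHA_256 wrapping of the plaintext key material.
  openssl pkeyutl -encrypt -in "$key_material" -out "$workdir/EncryptedKeyMaterial.bin" \
      -inkey "$workdir/PublicKey.bin" -keyform DER -pubin \
      -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256

  aws kms import-key-material --key-id "$new_key_id" \
      --encrypted-key-material "fileb://$workdir/EncryptedKeyMaterial.bin" \
      --import-token "fileb://$workdir/ImportToken.bin" \
      --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE

  # Repoint the alias. The old key stays enabled: ciphertexts it produced can
  # only be decrypted by it, and KMS finds it from the ciphertext, not the alias.
  aws kms update-alias --alias-name "$alias_name" --target-key-id "$new_key_id"

  rm -rf "$workdir"
  echo "rotated ${alias_name}: ${old_key_id} -> ${new_key_id}"
}

# Only talk to AWS when explicitly asked, e.g.
#   KMS_ROTATE_APPLY=1 sh rotate.sh alias/payments-data ./new-key-material.bin
if [ "${KMS_ROTATE_APPLY:-0}" = "1" ]; then
  rotate_imported_key "$1" "$2"
fi
```

Generate the 32 bytes of key material from a trusted source (an HSM or a vetted CSPRNG), keep the plaintext file off shared storage, and record the old key ID: when the last ciphertext under it has been re-encrypted or retired, the old key can be scheduled for deletion, but not before.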