AWS Certified Security – Specialty — Question 466

A company decides to use AWS Key Management Service (AWS KMS) for data encryption operations. The company must create a KMS key and automate the rotation of the key. The company also needs the ability to deactivate the key and schedule the key for deletion.

Which solution will meet these requirements?

Answer options

• A. Create an asymmetric customer managed KMS key. Enable automatic key rotation.
• B. Create a symmetric customer managed KMS key. Disable the envelope encryption option.
• C. Create a symmetric customer managed KMS key. Enable automatic key rotation.
• D. Create an asymmetric customer managed KMS key. Disable the envelope encryption option.

Correct answer: C

Explanation

AWS Key Management Service (AWS KMS) only supports automatic key rotation for symmetric customer managed keys; asymmetric keys cannot be automatically rotated. Additionally, customer managed keys grant the key administrator full control to disable or schedule the key for deletion, satisfying all requirements. There is no configuration option to disable envelope encryption when creating a KMS key.