AWS Certified SysOps Administrator – Associate (legacy) — Question 150

A company is using an AWS KMS customer master key (CMK) with imported key material. The company references the CMK by its alias in the Java application to encrypt data. The CMK must be rotated every 6 months.
What is the process to rotate the key?

Answer options

• A. Enable automatic key rotation for the CMK, and specify a period of 6 months.
• B. Create a new CMK with new imported material, and update the key alias to point to the new CMK.
• C. Delete the current key material, and import new material into the existing CMK.
• D. Import a copy of the existing key material into a new CMK as a backup, and set the rotation schedule for 6 months.

Correct answer: A

Explanation

The correct answer is A because enabling automatic key rotation for the CMK ensures it is rotated every 6 months without manual intervention. Options B and D involve creating new CMKs, which is not necessary for automatic rotation. Option C incorrectly suggests deleting key material, which could lead to data loss.