AWS Certified SysOps Administrator – Associate (legacy) — Question 580
A SysOps Administrator is using AWS KMS with AWS-generated key material to encrypt an Amazon EBS volume in a company's AWS environment. The Administrator wants to rotate the KMS keys using automatic key rotation, and needs to ensure that the EBS volume encrypted with the current key remains readable.
What should be done to accomplish this?
Answer options
- A. Back up the current KMS key and enable automatic key rotation.
- B. Create a new key in AWS KMS and assign the key to Amazon EBS.
- C. Enable automatic key rotation of the EBS volume key in AWS KMS.
- D. Upload new key material to the EBS volume key in AWS KMS to enable automatic key rotation for the volume.
Correct answer: C
Explanation
When automatic key rotation is enabled for a customer managed KMS key with AWS-generated key material, AWS KMS automatically rotates the key material annually while keeping older key material active for decryption. This ensures that any Amazon EBS volumes encrypted with previous versions of the key remain readable without requiring manual backups or key re-assignment. Other options are incorrect because manual backups are unnecessary, creating a new key would require manual volume re-encryption, and imported key material does not support automatic key rotation.