AWS Certified SysOps Administrator – Associate (legacy) — Question 619
A SysOps Administrator using AWS KMS needs to rotate all customer master keys (CMKs) every week to meet Information Security guidelines.
Which option would meet the requirement?
Answer options
- A. Create a new CMK every 7 days to manually rotate the encryption keys.
- B. Enable key rotation on the CMKs and set the rotation period to 7 days.
- C. Switch to using AWS CloudHSM as AWS KMS does not support key rotation.
- D. Use data keys for each encryption task to avoid the need to rotate keys.
Correct answer: A
Explanation
AWS KMS automatic key rotation is fixed at a 365-day schedule for customer managed keys and cannot be customized to a shorter 7-day interval. Therefore, the administrator must perform manual rotation by creating a new CMK every week and updating the key alias or application reference. Using AWS CloudHSM is unnecessary because KMS does support rotation, and relying on unique data keys does not fulfill the requirement to rotate the backing CMKs.
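The manual weekly rotation described in the explanation, as an added example that is not part of the question page: a new key is created and the alias is repointed to it once the current key is 7 or more days old. The key IDs and alias name here are constructed, and a small in-memory stand-in for the KMS client (assumed to expose the boto3-style calls `create_key`, `describe_key`, `list_aliases`, `create_alias`, `update_alias`) is included so the flow runs offline; against AWS you would pass `boto3.client("kms")` instead. The previous key is deliberately left enabled, because ciphertext already produced under it can only be decrypted with that key.

```python
"""Manual weekly rotation of a KMS key behind an alias (added example).

Assumptions (not from the exam page): a client object exposing the boto3-style
KMS calls create_key, describe_key, list_aliases, create_alias and update_alias;
the FakeKMSClient below is a constructed in-memory stand-in for offline runs.
"""
from datetime import datetime, timedelta, timezone
import uuid

ROTATION_PERIOD = timedelta(days=7)   # the 7-day policy from the question


class FakeKMSClient:
    """Minimal stand-in for boto3's KMS client (constructed for this example)."""

    def __init__(self, now):
        self.now = now
        self.keys = {}       # key_id -> KeyMetadata dict
        self.aliases = {}    # alias name -> key_id

    def create_key(self, Description=""):
        key_id = str(uuid.uuid4())
        self.keys[key_id] = {
            "KeyId": key_id,
            "Description": Description,
            "Enabled": True,
            "CreationDate": self.now,
        }
        return {"KeyMetadata": dict(self.keys[key_id])}

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self.keys[KeyId])}

    def list_aliases(self):
        return {"Aliases": [{"AliasName": n, "TargetKeyId": k}
                            for n, k in self.aliases.items()]}

    def create_alias(self, AliasName, TargetKeyId):
        self.aliases[AliasName] = TargetKeyId

    def update_alias(self, AliasName, TargetKeyId):
        if AliasName not in self.aliases:
            raise KeyError(AliasName)
        self.aliases[AliasName] = TargetKeyId


def current_key_id(client, alias_name):
    """Resolve an alias to the key ID it currently points at."""
    for alias in client.list_aliases()["Aliases"]:
        if alias["AliasName"] == alias_name:
            return alias["TargetKeyId"]
    raise LookupError(f"alias not found: {alias_name}")


def rotation_due(client, alias_name, now, period=ROTATION_PERIOD):
    """True if the key behind the alias was created `period` or longer ago."""
    key_id = current_key_id(client, alias_name)
    created = client.describe_key(KeyId=key_id)["KeyMetadata"]["CreationDate"]
    return now - created >= period


def rotate_alias(client, alias_name, now, period=ROTATION_PERIOD):
    """Create a fresh key and repoint the alias; return (old_id, new_id) or None.

    The previous key stays enabled: ciphertext encrypted under it references
    that key's ID, so KMS still needs it to decrypt existing data. Disabling or
    scheduling deletion of old keys is a separate, later decision.
    """
    if not rotation_due(client, alias_name, now, period):
        return None
    old_id = current_key_id(client, alias_name)
    new_id = client.create_key(
        Description=f"{alias_name} rotated {now.date()}")["KeyMetadata"]["KeyId"]
    client.update_alias(AliasName=alias_name, TargetKeyId=new_id)
    return old_id, new_id


def demo():
    """Walk one rotation cycle on the fake client; return a summary dict."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    kms = FakeKMSClient(now=t0)
    first = kms.create_key(Description="app-data initial")["KeyMetadata"]["KeyId"]
    kms.create_alias(AliasName="alias/app-data", TargetKeyId=first)

    # Day 3: not yet due, so nothing changes.
    early = rotate_alias(kms, "alias/app-data", now=t0 + timedelta(days=3))

    # Day 7: due; a new key is created and the alias moves to it.
    kms.now = t0 + timedelta(days=7)
    old_id, new_id = rotate_alias(kms, "alias/app-data", now=kms.now)
    return {
        "early_rotation": early,
        "old_id": old_id,
        "new_id": new_id,
        "alias_target": current_key_id(kms, "alias/app-data"),
        "old_key_enabled": kms.describe_key(KeyId=old_id)["KeyMetadata"]["Enabled"],
    }


if __name__ == "__main__":
    print(demo())
```

Applications that encrypt by alias name pick up the new key on the next call, which is what makes the alias, rather than the key ID, the right thing to reference from code when keys are rotated this way.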