A company uses an AWS Key Management Service (AWS KMS) CMK to encrypt application data before it is stored. The company's security policy was recently modified to require encryption key rotation annually. A security engineer must ensure that annual global key rotation is enabled for the key without making changes to the application. What should the security engineer do to accomplish this requirement? A. Create new AWS managed keys. Configure the key schedule for the annual rotation. Create an alias to point to the new keys. B. Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Fall back to the old key ID to decrypt data that was encrypted with previous versions of the key. C. Create new AWS managed CMKs. Configure the key schedule for annual rotation. Create an alias to point to the new CMKs. D. Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Create a key grant for the old CMKs and update the code to point to the ARN of the grants.  Suggested Answer: D Community Answer: C Reference: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html This question is in SCS-C01 AWS Certified Security – Specialty Exam For getting AWS Certified Security – Specialty Certificate Disclaimers: The website is not related to, affiliated with, endorsed or authorized by Amazon. Trademarks, certification & product names are used for reference only and belong to Amazon. The website does not contain actual questions and answers from Amazon's Certification Exam.
Please login or Register to submit your answer
