Which issues that are related to the CMK could be reasons for the error?
(Choose two.)
The CMK is used in the attempt does not exist.
The CMK is used in the attempt needs to be rotated.
The CMK is used in the attempt is using the CMK’s key ID instead of the CMK ARN.
The CMK is used in the attempt is not enabled.
The CMK is used in the attempt is using an alias.
Explanations:
If the CMK being used does not exist, any encryption or decryption attempt will fail, resulting in an error message. The existence of the CMK is fundamental for operations.
CMK rotation does not prevent encryption or decryption; it is a process to periodically update the key material. As long as the CMK is valid and usable, operations should succeed regardless of its rotation status.
AWS KMS allows the use of both the CMK’s key ID and its ARN for operations. If the correct identifier (key ID or ARN) is used, it should not result in an error related to this.
If the CMK is not enabled, it cannot be used for encryption or decryption operations. An attempt to use a disabled CMK will result in an error message, indicating that the operation cannot proceed.
Using an alias for the CMK is valid in AWS KMS. Aliases are simply user-friendly names that point to a CMK and do not affect the ability to perform encryption or decryption.