What are the reasons for the error messages?
(Choose two.)
The application does not have the kms:Encrypt permission for the customer managed key.
The customer managed key is already being used to encrypt another secure string parameter.
Standard tier secure string parameters cannot use a customer managed key for encryption.
The customer managed key that is specified in the application has its key state set to Disabled.
The customer managed key that is specified in the application is using a key alias instead of a key ID.
Explanations:
The application must have thekms:Encryptpermission for the customer managed key to encrypt data when updating the parameter. If this permission is missing, it will result in an error.
A customer managed key can be used to encrypt multiple parameters. There is no restriction on a key being used for multiple secure string parameters.
Standard tier secure string parameterscanuse a customer managed key for encryption. This option is incorrect.
If the customer managed key is disabled, the application cannot use it for encryption or decryption, which would cause errors.
AWS Systems Manager Parameter Store supports both key IDs and key aliases for customer managed keys, so using an alias does not cause an error.