Which solution will accomplish this?
Configure AWS KMS to publish to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
Configure an Amazon EventBridge event to launch an AWS Lambda function to call the AWS Trusted Advisor API and publish to an Amazon Simple Notification Service (Amazon SNS) topic.
Develop an AWS Config custom rule that publishes to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
Configure AWS Security Hub to publish to an Amazon Simple Notification Service (Amazon SNS) topic when keys are more than 90 days old.
Explanations:
AWS KMS does not natively provide the ability to trigger notifications directly for keys that are more than 90 days old. While AWS KMS can send events to CloudTrail or EventBridge, there is no built-in SNS notification for key age.
Amazon EventBridge can trigger events, but there is no direct integration with the AWS Trusted Advisor API to check for the age of KMS keys. Trusted Advisor doesn’t check for key rotation and doesn’t support this use case.
AWS Config allows you to create custom rules to monitor resources, including KMS keys. A custom rule can be developed to check the last rotation date and trigger an SNS notification if the key hasn’t been rotated within 90 days.
AWS Security Hub is focused on security findings from different AWS services. It does not monitor the age of KMS keys or provide a direct method for notifying based on key rotation schedules.
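As an added illustration of the AWS Config custom-rule approach described above (example code, not part of the original question or of any AWS sample), the rule's Lambda evaluates a KMS key's age from its creation date and its recorded rotation dates, reports the result to Config, and publishes to SNS when the key is non-compliant. The `maxAgeDays` and `snsTopicArn` rule parameters, and the 90-day default, are assumptions of this example.

```python
"""Added example: evaluation logic for an AWS Config custom rule that flags a
customer managed KMS key whose current key material is older than MAX_AGE_DAYS."""
import json
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90  # threshold used by the question; overridable via rule parameters


def utc(year, month, day):
    """Helper: build a timezone-aware UTC datetime (used for offline tests)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def evaluate_key(creation_date, rotation_dates, now, max_age_days=MAX_AGE_DAYS):
    """Return 'COMPLIANT' or 'NON_COMPLIANT' for one key.

    The current key material dates from the most recent rotation, or from key
    creation if the key has never been rotated; the key is non-compliant when
    that material is older than max_age_days.
    """
    material_date = max(rotation_dates) if rotation_dates else creation_date
    age = now - material_date
    return "NON_COMPLIANT" if age > timedelta(days=max_age_days) else "COMPLIANT"


def lambda_handler(event, context):
    """Config custom-rule entry point (assumed wiring; needs boto3 at runtime)."""
    import boto3  # imported here so evaluate_key() runs without the SDK installed
    kms, config, sns = boto3.client("kms"), boto3.client("config"), boto3.client("sns")
    item = json.loads(event["invokingEvent"])["configurationItem"]  # AWS::KMS::Key
    params = json.loads(event.get("ruleParameters") or "{}")
    key_id = item["resourceId"]
    max_age = int(params.get("maxAgeDays", MAX_AGE_DAYS))
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    try:  # rotation history exists only for keys that support automatic rotation
        rotations = kms.list_key_rotations(KeyId=key_id).get("Rotations", [])
    except kms.exceptions.UnsupportedOperationException:
        rotations = []
    compliance = evaluate_key(meta["CreationDate"], [r["RotationDate"] for r in rotations],
                              datetime.now(timezone.utc), max_age)
    config.put_evaluations(Evaluations=[{
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": key_id,
        "ComplianceType": compliance,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }], ResultToken=event["resultToken"])
    if compliance == "NON_COMPLIANT" and params.get("snsTopicArn"):
        sns.publish(TopicArn=params["snsTopicArn"],
                    Message=f"KMS key {key_id} has not been rotated in {max_age} days")
    return compliance
```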