Which solution will meet these requirements?

By:
In: SCS-C01
Tagged:
With: 1 Comment
A company has decided to use AWS Key Management Service (AWS KMS) for all of its encryption keys.The company plans to create all of its keys as customer managed CMKs and will not import any encryption keys.The company must rotate its encryption keys once every 12 months.

Which solution will meet these requirements?

Change the customer managed CMK key policy to enable automatic key rotation.

Use AWS managed CMKs instead of customer managed CMKs so that AWS will rotate the keys automatically.

Invoke an AWS Lambda function regularly to rotate the backing key of each customer managed CMK.

Enable automatic key rotation for each customer managed CMK after it has been created in AWS KMS.

Explanations:

AWS KMS does not allow changing the key policy to enable automatic key rotation. Automatic key rotation must be enabled at the time of key creation or afterward using the AWS KMS console or API.

AWS managed CMKs are not customer-controlled, and AWS rotates them automatically. However, the company requires customer-managed CMKs, not AWS-managed ones.

Lambda functions are not required for rotating CMKs in AWS KMS. AWS KMS provides built-in functionality for automatic key rotation, which does not need manual intervention.

AWS KMS allows enabling automatic key rotation for customer managed CMKs. Once enabled, it will rotate the key every 12 months without any manual intervention.

2025-10-05

1 Comment

  1. Deborah
    Author

    I strategize that the answer is:
    Enable automatic key rotation for each customer managed CMK after it has been created in AWS KMS.

Leave a Reply

Your email address will not be published. Required fields are marked *

nineteen − sixteen =