AWS Certified Developer Associate DVA-C02 Practice Question

AWS Key Management Service (AWS KMS) lets you turn on automatic rotation for a customer-managed symmetric encryption key. When automatic rotation is enabled, AWS KMS generates new cryptographic material for the key at the rotation interval (365 days by default, or a custom period that you specify between 90 and 2,560 days). Because AWS KMS stores previous key-material versions and automatically selects the right version during decrypt operations, no code or configuration changes are needed in the applications that use the key.

AWS-managed KMS keys already rotate automatically every year and do not allow you to change the schedule or initiate rotation manually. Writing custom scripts or editing the key policy does not provide automatic rotation and adds operational overhead without changing AWS KMS rotation behavior.