AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A financial institution uses AWS Key Management Service (AWS KMS) to encrypt data at rest. Company policy requires that the underlying cryptographic material be renewed automatically while keeping the same key ID and metadata. Which approach will satisfy this requirement?
Manually create a new KMS key every five years and disable the prior key.
Enable automatic key rotation for the customer-managed KMS key by using the AWS KMS console, CLI, or API.
Postpone rotation until the key approaches its scheduled deletion or expiration date.
Rotate the key material only if a security incident indicates the key may be compromised.
Enable automatic key rotation for the customer-managed KMS key. When automatic rotation is turned on (through the AWS KMS console, CLI, or API), AWS KMS replaces the underlying key material on the schedule you specify, anywhere from 90 to 2560 days, with 365 days as the default. The key's ID, ARN, policies, and aliases remain unchanged, so applications continue to use the key transparently, and data encrypted under earlier key material is still decrypted because KMS retains every previous version. Manually creating a new key, rotating only after a security incident, or waiting for key expiration either changes the key reference or fails to meet the automatic-rotation requirement.
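As an added example (not part of the practice question or of AWS's own tooling), the following Python audit flags customer-managed symmetric keys whose automatic rotation is disabled and builds a validated `enable_key_rotation` request; `FakeKms` and its key IDs are constructed stand-ins for a boto3 KMS client so the script runs offline.

```python
"""Audit AWS KMS keys for automatic rotation (added example, not AWS code)."""

ROTATION_MIN_DAYS, ROTATION_MAX_DAYS, ROTATION_DEFAULT_DAYS = 90, 2560, 365


def rotation_params(key_id, period_days=ROTATION_DEFAULT_DAYS):
    """Arguments for kms.enable_key_rotation(); the period must lie in the
    90..2560 day range that AWS KMS accepts (365 is the service default)."""
    if not ROTATION_MIN_DAYS <= period_days <= ROTATION_MAX_DAYS:
        raise ValueError(f"rotation period must be {ROTATION_MIN_DAYS}..{ROTATION_MAX_DAYS} days")
    return {"KeyId": key_id, "RotationPeriodInDays": period_days}


def rotatable(meta):
    """Automatic rotation applies only to enabled, customer-managed symmetric
    keys whose material was generated by KMS (not imported/external material,
    asymmetric or HMAC keys, or AWS-managed keys, which AWS rotates itself)."""
    return (meta["KeyManager"] == "CUSTOMER" and meta["KeySpec"] == "SYMMETRIC_DEFAULT"
            and meta["Origin"] == "AWS_KMS" and meta["KeyState"] == "Enabled")


def audit_rotation(kms):
    """Return {key_id: status} for each listed key. `kms` is any object with the
    boto3 KMS client methods used here, e.g. boto3.client("kms") in production
    (where list_keys is paginated and the loop should use a paginator)."""
    report = {}
    for key in kms.list_keys()["Keys"]:
        key_id = key["KeyId"]
        meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        if not rotatable(meta):
            report[key_id] = "not-applicable"
            continue
        enabled = kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]
        report[key_id] = "rotating" if enabled else "ROTATION-DISABLED"
    return report


def _meta(manager="CUSTOMER", spec="SYMMETRIC_DEFAULT", origin="AWS_KMS", state="Enabled"):
    return {"KeyManager": manager, "KeySpec": spec, "Origin": origin, "KeyState": state}


class FakeKms:
    """Constructed stand-in for the boto3 KMS client (key IDs are made up)."""
    KEYS = {                                   # key id -> (metadata, rotation enabled)
        "1111-sym-rotating": (_meta(), True),
        "2222-sym-stale": (_meta(), False),     # the finding we want to surface
        "3333-rsa-signing": (_meta(spec="RSA_2048"), False),
        "4444-imported": (_meta(origin="EXTERNAL"), False),
        "5555-aws-managed": (_meta(manager="AWS"), True),
    }
    def list_keys(self): return {"Keys": [{"KeyId": k} for k in self.KEYS]}
    def describe_key(self, KeyId): return {"KeyMetadata": self.KEYS[KeyId][0]}
    def get_key_rotation_status(self, KeyId): return {"KeyRotationEnabled": self.KEYS[KeyId][1]}


if __name__ == "__main__":
    for key_id, status in audit_rotation(FakeKms()).items():
        print(f"{key_id:20} {status}")
```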