AWS Certified Solutions Architect Associate SAA-C03 Practice Question
An organization utilizes AWS to encrypt its sensitive data. The security policies state that the encryption keys must be rotated on a regular basis to mitigate the risk of key compromise. Which approach should be implemented to fulfill this requirement while ensuring seamless decryption of both new and existing datasets?
You selected this option
Generate and import key material from an external source into the existing key setup on a set schedule.
You selected this option
Enable automatic key rotation for the encryption service.
You selected this option
Manually create a new key and re-encrypt all data periodically.
You selected this option
Remove existing keys at each cycle and establish fresh keys for new encryption operations.
AWS KMS supports automatic key rotation for customer created keys, which is a feature that allows AWS to automatically rotate the key every 12 months. This automated process creates a new cryptographic material while preserving the old one for decryption operations. This approach does not require re-encryption of existing data and is seamless to the application services. Manually rotating keys or deleting and recreating keys would be complex and risk service disruption or data loss, and importing key material would not pertain to the rotation of existing keys.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AWS KMS and how does it work?
Open an interactive chat with Bash
What is automatic key rotation and why is it important?
Open an interactive chat with Bash
What are the risks associated with manual key rotation?