A company uses an AWS Key Management Service (AWS KMS) CMK to encrypt application data before it is stored. The company's security policy was recently modified to require encryption key rotation annually. A security engineer must ensure that annual global key rotation is enabled for the key without making changes to the application. What should the security engineer do to accomplish this requirement?
A) Create new AWS managed keys. Configure the key schedule for the annual rotation. Create an alias to point to the new keys.
B) Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Fall back to the old key ID to decrypt data that was encrypted with previous versions of the key.
C) Create new AWS managed CMKs. Configure the key schedule for annual rotation. Create an alias to point to the new CMKs.
D) Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Create a key grant for the old CMKs and update the code to point to the ARN of the grants.
Correct Answer:
Verified