AWS EC2 Instance EBS Volume Encryption and Automatic Key Rotation | SCS-C01 Exam Answer

When will the KMS key be rotated automatically?

Question

You are working as an AWS administrator of your company.

As part of code deployment, you have provisioned EC2 instances with EBS volumes being encrypted using customer-managed CMK.

The automatic key rotation is enabled.

When will the KMS key be rotated automatically?

Answers

Explanations


A. B. C. D.

Answer: C.

Option A is incorrect because customer-managed CMK gets rotated automatically every 365 days (1 year) and not in 30 days.

Option B is incorrect because customer-managed CMK gets rotated automatically every 365 days (1 year) and not in 128 days.

Option C is CORRECT because customer-managed CMK gets rotated automatically every 365 days (1 year).

Option D is incorrect because customer-managed CMK gets rotated automatically every 365 days (1 year) and not in 3 years.

For more details, please refer to the following URLs:

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

| Type of KMS key | Customer managed key | AWS managed key | AWS owned key |
|---|---|---|---|
| Can view KMS key metadata | Yes | Yes | No |
| Can manage KMS key | Yes | No | No |
| Used only for my AWS account | Yes | Yes | No |
| Automatic rotation | Optional. Every 365 days (1 year). | Required. Every 1095 days (3 years). | Varies |

The automatic key rotation feature in AWS Key Management Service (KMS) rotates the key material of customer-managed CMKs on a fixed schedule, which improves security by limiting how much data any single version of the key material protects and so reducing the impact of a key compromise.

When automatic key rotation is enabled, AWS KMS generates new key material for the customer-managed CMK every year and uses it for all new encryption operations. Previous versions of the key material are retained so that data encrypted under them can still be decrypted, but they are no longer used to encrypt new data.

In the scenario given, the EC2 instances have EBS volumes encrypted using customer-managed CMK, and the automatic key rotation is enabled. Therefore, the correct answer to the question is:

C. After 365 days

After one year, AWS KMS will generate a new key version for the customer-managed CMK and set the new key version as the primary key. This process will repeat every year as long as automatic key rotation is enabled.

Note that the key rotation interval for a customer-managed CMK can be configured between 1 and 7 years. However, the default key rotation interval is set to 1 year.
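The check a practitioner would want after reading this question is whether the key behind each EBS volume is actually rotating. The following added example (not part of the original page) walks every EBS volume, looks up its KMS key, and classifies it using the rotation rules in the table above; it calls the real boto3 method names (describe_volumes, describe_key, get_key_rotation_status), but the FakeEC2 and FakeKMS clients and their volume and key IDs are constructed sample data so it runs offline.

```python
# Added example, not from the original page. Swap the fakes for
# boto3.client("ec2") and boto3.client("kms") to run against an account.

def classify_volume(volume, kms):
    """Return (volume_id, status) for one entry of describe_volumes()['Volumes']."""
    if not volume.get("Encrypted"):
        return volume["VolumeId"], "UNENCRYPTED"
    key_id = volume["KmsKeyId"]                     # key ARN on a real response
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    if meta["KeyManager"] == "AWS":
        # AWS managed key (e.g. aws/ebs): rotation is required, every 1095 days.
        return volume["VolumeId"], "AWS_MANAGED_ROTATES_3Y"
    # Customer managed key: rotation is optional; if enabled, every 365 days by default.
    enabled = kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]
    return volume["VolumeId"], "CMK_ROTATION_ON" if enabled else "CMK_ROTATION_OFF"

def audit_volume_key_rotation(ec2, kms):
    """Map every EBS volume in the region to its key-rotation status.
    (On a large account use ec2.get_paginator('describe_volumes').)"""
    results = {}
    for vol in ec2.describe_volumes()["Volumes"]:
        vid, status = classify_volume(vol, kms)
        results[vid] = status
    return results

# --- constructed sample data standing in for real boto3 clients -------------
ARN = "arn:aws:kms:us-east-1:111122223333:key/"

class FakeEC2:
    def describe_volumes(self):
        return {"Volumes": [
            {"VolumeId": "vol-0a", "Encrypted": True, "KmsKeyId": ARN + "cmk-rotating"},
            {"VolumeId": "vol-0b", "Encrypted": True, "KmsKeyId": ARN + "cmk-static"},
            {"VolumeId": "vol-0c", "Encrypted": True, "KmsKeyId": ARN + "aws-ebs"},
            {"VolumeId": "vol-0d", "Encrypted": False},
        ]}

class FakeKMS:
    _manager = {"cmk-rotating": "CUSTOMER", "cmk-static": "CUSTOMER", "aws-ebs": "AWS"}
    _rotation = {"cmk-rotating": True, "cmk-static": False}
    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyManager": self._manager[KeyId.rsplit("/", 1)[-1]]}}
    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": self._rotation[KeyId.rsplit("/", 1)[-1]]}

if __name__ == "__main__":
    for vid, status in sorted(audit_volume_key_rotation(FakeEC2(), FakeKMS()).items()):
        print(f"{vid}: {status}")
```

Volumes reported as CMK_ROTATION_OFF are the ones where the scenario's assumption (rotation enabled) does not hold and the key will never rotate on its own.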