AWS Certified Security - Specialty Exam: Benefits of Automatic Key Rotation for Customer Managed CMKs

Benefits of Automatic Key Rotation for Customer Managed CMKs

Question

Your team is developing a web application that runs on EC2 instances.

To comply with security requirements, the EBS volumes must be encrypted with a customer managed CMK.

You have already created a new CMK.

You also enabled automatic key rotation for this key in the AWS console so that you do not have to rotate the key manually.

Which benefits can this configuration bring? (Select TWO.)

Answers

A. The ARN or alias of the key is not changed, so applications that refer to this key do not need to change.

B. Users can freely choose the frequency to rotate the key, such as every month or every year.

C. This configuration does not result in any extra monthly charges.

D. Users do not need to schedule the update for the key anymore, since AWS KMS rotates the CMK automatically.

E. It can mitigate the effect of a compromised data key, as the data keys that the CMK generated are also rotated during a key rotation.

Explanations

Answer: A and D.

Option A is CORRECT. Rotation replaces only the key material inside the CMK; the key ID, the ARN and any aliases stay exactly the same. Callers that reference the key by ARN or alias need no change: KMS uses the newest material for new Encrypt and GenerateDataKey calls and, on Decrypt, selects whichever version produced the ciphertext.

Option B is incorrect. When this question was written the frequency could not be modified: KMS rotated a customer managed key once a year, full stop. (Since April 2024 KMS lets you set a rotation period between 90 and 2,560 days and trigger on-demand rotation, but the fixed yearly schedule is still the assumption behind this question, and "every month" is not an option either way.)

Option C is incorrect. Enabling rotation is free, but each version of key material that rotation produces is billed as part of the key, so a rotated key costs more per month than an unrotated one. At the time of this question every rotated version added $1/month; AWS has since capped the charge for a rotated key at $3/month, which still is not "no extra charge".

Option D is CORRECT. This is the main benefit: once rotation is enabled, KMS generates the new key material on schedule with no maintenance window, no scheduled job and no application change on your side.

Option E is incorrect. Rotating a CMK generates new key material for the CMK only. The data keys it previously generated (for example the per-volume data keys that EBS stores, wrapped, alongside each volume) are not regenerated, not re-encrypted and not even tracked by KMS. Data encrypted under a compromised data key stays readable with that data key until you re-encrypt the data under a new one, so rotation alone does nothing to mitigate a compromised data key.

For more information on AWS KMS automatic key rotation, see:

https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
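The three behaviours the explanation above rests on (identifiers unchanged across rotation, old ciphertexts still decrypting with no application change, and data keys not being rotated) are easier to see in code than in prose. The following is an added example, not AWS code and not part of the exam page: a toy in-process stand-in for a KMS key that keeps every version of its key material behind one fixed key ID, ARN and alias, and models GenerateDataKey, Decrypt and ReEncrypt on top of it. The key ID, account number, alias and volume contents are constructed values, and the cipher is an HMAC-SHA256 keystream with an HMAC tag, an assumption made so the example runs on the Python standard library alone (real KMS uses AES-256-GCM).

```python
import hashlib
import hmac
import os
import struct


# Toy authenticated cipher (HMAC-SHA256 keystream plus HMAC tag): an assumed
# stand-in for the AES-256-GCM real KMS uses, so only the standard library is needed.
def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(key, nonce, plaintext)
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails closed."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return _keystream_xor(key, nonce, ciphertext)


class ToyKmsKey:
    """One customer managed key: a fixed ID, ARN and alias over many versions of
    key material.  The key ID, account number and alias are constructed values."""

    def __init__(self, key_id: str, alias: str) -> None:
        self.key_id = key_id
        self.arn = f"arn:aws:kms:us-east-1:111122223333:key/{key_id}"
        self.alias = alias
        self.material = [os.urandom(32)]   # index 0 is the original key material
        self.rotation_enabled = False

    @property
    def current_version(self) -> int:
        return len(self.material) - 1

    def enable_key_rotation(self) -> None:
        self.rotation_enabled = True

    def rotate(self) -> None:
        """What KMS does when the period elapses: add new material, keep every
        earlier version so ciphertexts produced under it still decrypt."""
        if not self.rotation_enabled:
            raise RuntimeError("automatic rotation is not enabled on this key")
        self.material.append(os.urandom(32))

    def generate_data_key(self) -> tuple:
        """GenerateDataKey: fresh plaintext data key plus the same key wrapped under
        the current material; the wrapped form records which version was used."""
        data_key, v = os.urandom(32), self.current_version
        return data_key, struct.pack(">I", v) + seal(self.material[v], data_key)

    def wrapped_version(self, wrapped: bytes) -> int:
        return struct.unpack(">I", wrapped[:4])[0]

    def decrypt(self, wrapped: bytes) -> bytes:
        """Decrypt: the version comes from the ciphertext, so callers never name
        one and wrapped data keys from before a rotation keep working."""
        return unseal(self.material[self.wrapped_version(wrapped)], wrapped[4:])

    def re_encrypt(self, wrapped: bytes) -> bytes:
        """ReEncrypt: rewrap under the current material; the data key inside is unchanged."""
        v = self.current_version
        return struct.pack(">I", v) + seal(self.material[v], self.decrypt(wrapped))


def rotation_effects() -> dict:
    """Replay the question's scenario and report which claimed benefits hold."""
    key = ToyKmsKey("1234abcd-12ab-34cd-56ef-1234567890ab", "alias/ebs-volume-key")
    arn_before, alias_before = key.arn, key.alias
    # EBS pattern: one data key per volume, the volume sealed with it, and only the
    # wrapped data key stored next to the volume.  The contents are constructed.
    contents = b"constructed volume contents"
    data_key, wrapped = key.generate_data_key()
    volume = seal(data_key, contents)

    key.enable_key_rotation()
    key.rotate()                       # the scheduled rotation; no user action involved
    new_data_key, new_wrapped = key.generate_data_key()
    rewrapped = key.re_encrypt(wrapped)
    return {
        "arn_and_alias_unchanged": (key.arn, key.alias) == (arn_before, alias_before),  # option A
        "old_wrapped_key_still_decrypts": key.decrypt(wrapped) == data_key,             # option D
        "new_data_key_uses_latest_material": key.wrapped_version(new_wrapped) == key.current_version,
        "leaked_data_key_still_reads_volume": unseal(data_key, volume) == contents,     # option E is false
        "re_encrypt_keeps_same_data_key": key.decrypt(rewrapped) == data_key,           # rewrapping is not a remedy
        "fresh_data_key_is_different": new_data_key != data_key,                        # the real remedy
    }
```

Calling `rotation_effects()` returns every check as True. The `leaked_data_key_still_reads_volume` entry is the reason option E is wrong: the CMK has been rotated, yet the data key that actually protects the volume is the same bytes it was before. The `re_encrypt_keeps_same_data_key` entry shows that ReEncrypt moves the wrapping onto the new material but does not change the data key either, so the only remedy for a leaked data key is to generate a fresh one and re-encrypt the data under it.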

The correct answers are A and D.

A. The ARN or alias of the key is not changed, so applications that refer to this key do not need to change: when automatic key rotation is enabled, AWS KMS generates new cryptographic material for the CMK on schedule and keeps every earlier version for decryption, all behind the same key ID, ARN and alias. Applications that refer to the key by ARN or alias keep working unchanged, and KMS picks the right material version for each Decrypt call on its own.

D. Users do not need to schedule the update for the key anymore, since AWS KMS rotates the CMK automatically: once enabled, rotation happens entirely inside KMS with no user intervention. Because Encrypt and GenerateDataKey use the newest material automatically and Decrypt uses whichever version produced the ciphertext, there is no "latest version" for applications to be pointed at, so no follow-up work is needed either.

B. Users can freely choose the frequency to rotate the key, such as every month or every year: incorrect as posed. When this question was written, KMS rotated customer managed keys once a year and the period could not be changed. KMS now allows a rotation period between 90 and 2,560 days and on-demand rotation, which still does not make "every month" an option.

C. This configuration does not result in any extra monthly charges: incorrect. Enabling rotation is free, but each version of key material that rotation produces is billed as part of the key, so a rotated key costs more per month than an unrotated one (AWS now caps this at $3/month per key). API requests and data key generation are billed separately whether or not rotation is enabled.

E. It can mitigate the effect of a compromised data key, as the data keys that the CMK generated are also rotated during a key rotation: incorrect. Data keys are what services such as EBS actually use to encrypt data; KMS only wraps and unwraps them under the CMK and does not store or regenerate them. Rotating the CMK changes the material used to wrap future data keys and leaves every existing data key, and the data encrypted under it, untouched. A compromised data key keeps decrypting its data until that data is re-encrypted under a new data key, so rotation by itself does not limit the exposure.