Q. A Data Analyst has an application running on-premises that utilizes Amazon Kinesis Software Development Kit (SDK) to push data to Amazon Kinesis Data Streams. She must encrypt data at rest using AWS Key Management Service. It’s mandatory that the encryption key be rotated at least every 2 years to comply with security requirements.
The answer doesn’t really address why choice #4 is not a good answer. If the default key is rotated every year, that satisfies the requirement of rotating the key at least once every two years – right? Can you please elaborate as to why choice #4 doesn’t work?