AWS Certified Data Engineer Associate DEA-C01: Timed Exam 2, Question 24
Question:
A large multinational corporation has an existing Amazon Redshift cluster that contains sensitive data. The company’s security policy mandates that all sensitive data be encrypted, and the encryption keys must be rotated every 90 days. The policy also states that the company must have control over the rotation of these keys.
Which combination of steps would comply with the company’s security policy? (Select TWO.)
The option that says: Enable automatic key rotation for the customer-managed KMS key is incorrect. When you enable automatic key rotation, your customer-managed keys are rotated every year. This won’t satisfy the requirement of rotating the keys every 90 days.
From:
https://docs.aws.amazon.com/kms/latest/developerguide/rotating-keys-enable.html
By default, when you enable automatic key rotation for a KMS key, AWS KMS generates new cryptographic material for the KMS key every year. You can also specify a custom rotation-period to define the number of days after you enable automatic key rotation that AWS KMS will rotate your key material, and the number of days between each automatic rotation thereafter.
Hello jbeha,
Thank you for bringing this to our attention.
By default, automatic key rotation for a customer‑managed KMS key rotates annually, but AWS KMS supports specifying a custom rotation period. Setting the rotation interval to 90 days will meet the requirements for this scenario.
We will make the necessary updates, which should be reflected on the portal soon.
Let us know if you need further assistance.
Best regards,
JR @ Tutorials Dojo
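
The distinction discussed in this thread (rotation enabled at the default yearly period versus a custom 90-day period), as an added example that is not part of either post: a Python check over dicts shaped like the AWS KMS GetKeyRotationStatus response. The key IDs and sample responses are constructed, and treating a missing `RotationPeriodInDays` as the yearly default is an assumption.

```python
"""Audit KMS key rotation settings against a 90-day rotation policy."""

POLICY_MAX_DAYS = 90     # from the scenario: keys must rotate every 90 days
KMS_DEFAULT_DAYS = 365   # yearly default when no custom period is set (assumed fallback)


def check_rotation(status, max_days=POLICY_MAX_DAYS):
    """Return (compliant, reason) for one GetKeyRotationStatus-shaped dict."""
    key_id = status.get("KeyId", "<unknown>")
    # Rotation switched off: the key never rotates automatically.
    if not status.get("KeyRotationEnabled", False):
        return False, f"{key_id}: automatic rotation is disabled"
    # Rotation on, but without a custom period it only rotates yearly.
    period = status.get("RotationPeriodInDays", KMS_DEFAULT_DAYS)
    if period > max_days:
        return False, (f"{key_id}: rotates every {period} days, "
                       f"policy requires {max_days}")
    return True, f"{key_id}: rotates every {period} days"


def audit(statuses, max_days=POLICY_MAX_DAYS):
    """Return the reasons for every non-compliant key."""
    findings = []
    for status in statuses:
        ok, reason = check_rotation(status, max_days)
        if not ok:
            findings.append(reason)
    return findings


# Constructed sample responses (placeholder key IDs, not real keys).
SAMPLE = [
    {"KeyId": "key-default", "KeyRotationEnabled": True, "RotationPeriodInDays": 365},
    {"KeyId": "key-90d", "KeyRotationEnabled": True, "RotationPeriodInDays": 90},
    {"KeyId": "key-off", "KeyRotationEnabled": False},
    {"KeyId": "key-no-period", "KeyRotationEnabled": True},
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("NON-COMPLIANT", line)
```

Only the key with rotation enabled and a 90-day period passes; the key left at the yearly default is flagged even though automatic rotation is on.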