Key Rotation

5 minutes 5 Questions

Key rotation is a process of generating a new version of a Customer Master Key (CMK) and discarding the previous version. This provides additional security by periodically updating the cryptographic material used to protect data. AWS KMS can automatically rotate CMKs annually. When a CMK is rotated…

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

Question 1

Your application uses AWS KMS customer managed keys (symmetric CMKs). Compliance requires a nine-month rotation schedule, and you are not allowed to build or operate any custom automation or use services outside KMS. How can you meet this requirement?

Use AWS Lambda to rotate encryption keys every nine months. Enable key rotation with AWS Config, and set custom interval to nine months. Manually initiate the key rotation every nine months. Enable automatic key rotation, it will use custom intervals of nine months.

Correct Answer: Manually initiate the key rotation every nine months.

AWS KMS automatic rotation for customer managed symmetric CMKs uses a fixed annual schedule and does not support custom intervals. AWS Config cannot schedule or enforce KMS rotation intervals. While building custom automation (for example with AWS Lambda) could implement a nine‑month cadence, the constraint disallows using services outside KMS. Therefore, the only way to meet a nine‑month schedule without external automation is to perform manual rotation on that cadence (for example, create a new CMK and update an alias or application references every nine months, then re-encrypt data as needed).

Question 2

A company's software solution encrypts all stored files using AWS Key Management Service (KMS). The company's security policy recommends that encryption keys are rotated at least once per year. Which method should be used?

Use AWS Secrets Manager to force AWS KMS key rotation. Apply a data key as a CMK to enable rotation. Enable the automatic key rotation feature in the AWS KMS settings for the customer master key (CMK). Rotate the keys manually by creating a new CMK and setting it as the default CMK.

Correct Answer: Enable the automatic key rotation feature in the AWS KMS settings for the customer master key (CMK).

Enabling the automatic key rotation feature in the AWS KMS settings for the CMK ensures the key is automatically rotated every year, in compliance with the company's security policy.

Question 3

You are responsible for managing access keys in an AWS environment. One of the IAM users is about to leave the company. What should you do to prevent unauthorized access?

Rotate the IAM user's keys, and change their password. Delete the IAM user's access keys. Delete the IAM user's account. Toggle the IAM user's keys inactive.

Correct Answer: Delete the IAM user's access keys.

Deleting an IAM user's access keys ensures that the user will no longer be able to authenticate programmatically, thus preventing unauthorized access to AWS resources.

🎓 Unlock Premium Access

AWS Certified Solutions Architect - Associate + ALL Certifications

Key Rotation

Key Rotation in AWS KMS - Guide and Exam Tips

AWS Certified Solutions Architect - Key Rotation Example Questions

Question 1

Question 2

Question 3

🎓 Unlock Premium Access