AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A financial institution utilizes a key management service to enhance the security of its data-at-rest within cloud storage services. They aim to adhere to a stringent security protocol that requires the automatic renewal of encryption materials. Which approach can the institution implement to fulfill this requirement without altering the existing key identifiers or metadata?
Enabling automatic renewal for the encryption keys through the service's management console or API.
Establishing a manual process where the keys are only updated in response to a security incident.
Delegating the renewal process until the key reaches its designated expiration period.
Creating a new key manually every five years while disabling the old one.
The service that manages customer encryption keys offers the capability to automate the rotation of the underlying encryption material used by a managed key, usually on an annual basis. This automation ensures that the material is updated regularly without the need to change the key identifier or associated metadata, thus adhering to strict security protocols. The operation does not demand manual intervention, nor does it rely on a reactive approach to potential key compromises. Moreover, a fixed five-year rotation period is not a feature currently supported by the service provider.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.