© 2026 TinyHive Labs. Company number 16262776.

    AWS Solutions Architect Professional SAP-C02 Practice Exam 5, Question 23
    Medium · 1 mark · Multiple Choice
    Tags: Security, KMS, Encryption

    AWS SAP-C02 · Question 23 · Domain 2.3: Security Controls

    A financial services company is building a new application on AWS. They must ensure that all data at rest is encrypted using keys managed by the company (Customer Managed Keys). The security team requires that the encryption keys are automatically rotated every year, and that specific IAM roles can only use the keys for encryption, not decryption. Which combination of actions should the Architect take? (Select THREE)

    Answer options:

    A. Create an AWS KMS Customer Managed Key (CMK) with automatic key rotation enabled.
    B. Define a key policy that grants the kms:Encrypt action to the specific IAM roles.
    C. Define a key policy that explicitly denies the kms:Decrypt action for the specific IAM roles.
    D. Use AWS CloudHSM to generate the keys and configure automatic annual rotation.
    E. Create an AWS Managed Key and enable automatic rotation.
    F. Use AWS Secrets Manager to store the KMS keys and configure a Lambda function for rotation.

    How to approach this question

    Select the KMS features that support custom rotation and granular permissions.

    Full Answer

    AWS Key Management Service (KMS) allows you to create Customer Managed Keys (CMKs) and enable automatic annual rotation. To enforce strict separation of duties (encryption vs. decryption), you configure the KMS Key Policy to explicitly grant `kms:Encrypt` and explicitly deny `kms:Decrypt` for the specified IAM roles.
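    An added illustration of that key policy, not taken from the exam page: it builds the encrypt-only policy document for one role and includes a review check that reports any statement still letting the role decrypt. The account ID and role name are constructed placeholders.

```python
# Constructed placeholders (not from the exam page): account ID and role name.
ACCOUNT_ID = "111122223333"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AppIngestRole"


def build_encrypt_only_key_policy(account_id: str, role_arn: str) -> dict:
    """Account root keeps administrative control so the key stays manageable;
    the role gets only kms:Encrypt; kms:Decrypt is explicitly denied for it.
    A Deny in the key policy overrides any Allow from the role's IAM policies."""
    return {
        "Version": "2012-10-17",
        "Id": "encrypt-only-role-key-policy",
        "Statement": [
            {"Sid": "AccountRootKeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowEncryptOnly", "Effect": "Allow",
             "Principal": {"AWS": role_arn}, "Action": "kms:Encrypt", "Resource": "*"},
            {"Sid": "ExplicitlyDenyDecrypt", "Effect": "Deny",
             "Principal": {"AWS": role_arn}, "Action": "kms:Decrypt", "Resource": "*"},
        ],
    }


def _as_set(value) -> set:
    # Policy fields may be a single string or a list; normalise to a set.
    return {value} if isinstance(value, str) else set(value or [])


def verify_encrypt_only(policy: dict, role_arn: str) -> list:
    """Review check: list the ways the policy fails the encrypt-only requirement
    for role_arn; an empty list means the requirement is met."""
    findings, allow_encrypt, deny_decrypt = [], False, False
    for s in policy["Statement"]:
        if role_arn not in _as_set(s.get("Principal", {}).get("AWS")):
            continue  # statement does not name this role
        acts = _as_set(s.get("Action"))
        if s["Effect"] == "Allow" and "kms:Encrypt" in acts:
            allow_encrypt = True
        if s["Effect"] == "Allow" and acts & {"kms:Decrypt", "kms:*"}:
            findings.append(f"{s.get('Sid')}: Allow grants kms:Decrypt to the role")
        if s["Effect"] == "Deny" and "kms:Decrypt" in acts:
            deny_decrypt = True
    if not allow_encrypt:
        findings.append("no Allow of kms:Encrypt for the role")
    if not deny_decrypt:
        findings.append("no explicit Deny of kms:Decrypt for the role")
    return findings
```

    Create the key with `aws kms create-key`, turn on annual rotation with `aws kms enable-key-rotation --key-id <key-id>`, and apply `json.dumps(policy)` with `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json`.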

    Common mistakes

    Selecting AWS Managed Keys (rotated every 3 years) or CloudHSM (no automatic rotation).