Question #1700
A company uses Amazon RDS instances and stores data in encrypted databases. The company must ensure that all data is encrypted at rest using AWS Key Management Service (AWS KMS) and retain control over the rotation of the encryption keys with the LEAST operational overhead. Which solution meets these requirements?
A. Create a customer managed key. Use the key to encrypt the RDS databases.
B. Use an AWS managed key to encrypt the RDS databases. Enable automatic key rotation.
C. Import an external KMS key with custom key material. Use the key to encrypt the RDS databases.
D. Use an AWS owned key to encrypt the RDS databases.
Explanation
Answer A is correct because:
- Customer managed keys (CMKs) give full control over key policies and rotation. AWS KMS automatically rotates CMKs every 365 days by default, reducing operational overhead while retaining control.
- Option B uses AWS managed keys, which do not allow customization of rotation policies, violating the requirement to retain control.
- Option C involves importing external keys, which requires manual rotation and increases operational overhead.
- Option D uses AWS owned keys, which offer no control over rotation or policies.
Key Points:
1. AWS KMS supports encryption at rest for RDS.
2. Customer managed keys balance control (rotation) with automation.
3. AWS managed/owned keys limit control over key management.
Answer
The correct answer is: A