Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 205 discussion

D. - you cannot enable automatic key rotation for a KMS key with imported key material - You can reimport the same key material, but you cannot import different key material into that KMS key https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-considerations.html

The correct approach to meet the requirement of rotating the encryption key annually for a customer managed key with imported key material is: D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key. Automatic key rotation is not supported for keys with imported key material. Therefore, you need to manually manage the rotation by creating a new key and updating the alias to point to the new key each year.

c is the answer, d is unnecessary work kms cmk = metadata (id, other field) + imported material (crypto) thus kms cmk can continue to be as is with the same id, and we can import new material to it why not d - there is no mention of an alias being used, and no its not obvious, one must mention that an alias was created and being used by apps for D to be a viable solution

To comply with the policy of rotating encryption keys annually, the recommended approach is to create a new customer managed key, import new key material to this new key, and then update the key alias to point to the new key. This ensures that the key rotation is handled correctly and securely.

Why not C? I think C is correct. D is viable, but it hasmore operational overhead

Correct answer is D

Option D make more sense