What is the process to rotate the key?

A company is using an AWS KMS customer master key (CMK) with imported key material The company references the CMK by its alias in the Java application to encrypt data The CMK must be rotated every 6 months

What is the process to rotate the key?
A . Enable automatic key rotation for the CMK and specify a period of 6 months
B . Create a new CMK with new imported material, and update the key alias to point to the new CMK.
C . Delete the current key material, and import new material into the existing CMK
D . Import a copy of the existing key material into a new CMK as a backup, and set the rotation schedule for 6 months

View Answer

Answer: B

Explanation:

To rotate an AWS KMS customer master key (CMK) with imported key material every 6 months, follow these steps:

Create a New CMK with New Imported Material:

Generate new key material according to your security policies.

Create a new CMK in AWS KMS and import the new key material into this CMK.

Reference: Importing Key Material

Update the Key Alias:

Update the alias that your Java application references to point to the new CMK. This can be done via the AWS Management Console, AWS CLI, or AWS SDKs.

Aliases in KMS are used to refer to a key without having to use the key ID, making it easier to manage key rotation.

Reference: Working with Aliases

Test and Validate:

Ensure that the application can successfully encrypt and decrypt data using the new CMK.

Validate that the rotation process does not impact the application’s functionality.

By creating a new CMK and updating the alias, the administrator ensures the key is rotated without service disruption, maintaining compliance with security requirements.