Q50 — AWS DOP-C02 Ch.1

Question 50 of 100

A company uses AWS Key Management Service (AWS KMS) keys and manual key rotation to meet compliance requirements. The security team wants to receive notifications when any key has not been rotated after 90 days.

Correct Answer: C. Develop an AWS Config custom rule that publishes to an Amazon Simple Notification Service (Amazon SNS) topic when a key exceeds 90 days without rotation.

Explanation

AWS Config continuously records resource configurations and evaluates them against rules. Its managed rule for KMS (cmk-backing-key-rotation-enabled) only checks whether automatic rotation is switched on, which says nothing about keys that are rotated manually (a new key created and the alias re-pointed to it). A custom rule backed by a Lambda function can instead compute the age of each key's current material, which for manual rotation is the creation time of the key behind the alias, and report the key as NON_COMPLIANT once that age exceeds 90 days. The notification reaches Amazon SNS either because the rule's Lambda function publishes to the topic itself or because an Amazon EventBridge rule matching the Config compliance-change event forwards it to SNS. One practical caveat: a key passing the 90-day mark is not a configuration change, so the custom rule must also run on a periodic schedule; a change-triggered rule alone would never fire for an idle key. Option A is incorrect because AWS KMS has no native notification tied to how long a key has gone without rotation. Option B is incorrect because AWS Trusted Advisor has no check for the age of manually rotated keys, so it adds a component without solving the problem. Option D is incorrect because AWS Security Hub aggregates findings from other services, and its KMS rotation control checks only whether automatic rotation is enabled, not when a manually rotated key was last replaced. Therefore, Option C is the correct and most appropriate solution.
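The following is an added example of the Lambda function behind such a custom rule; it is not code from the original page or from AWS. It handles both trigger modes a custom rule can have: a configuration-change notification (one key, creation time taken from the configuration item) and the scheduled notification, on which it lists enabled customer-managed keys through KMS itself so that keys that merely got older are still caught. The environment variable name SNS_TOPIC_ARN, the rule parameter maxAgeDays, the placeholder key ID and the sample event are assumptions constructed for the example; the Config event fields, the PutEvaluations shape and its 100-evaluation batch limit, and the 256-character annotation limit are AWS's.

```python
"""Lambda backing an AWS Config custom rule that flags KMS keys whose current key
material is older than a rotation deadline and notifies an SNS topic.
With manual rotation the key's creation time is the last rotation time."""
import json
import os
from datetime import datetime, timezone

DEFAULT_MAX_AGE_DAYS = 90
SNS_TOPIC_ENV = "SNS_TOPIC_ARN"   # assumption: topic ARN is supplied via the environment
PUT_EVALUATIONS_BATCH = 100       # PutEvaluations accepts at most 100 evaluations per call


def parse_ci_timestamp(value):
    """Parse a configuration-item timestamp such as '2024-01-15T10:20:30.000Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def evaluate_age(created, now, max_age_days):
    """Compliance verdict for a key whose material was created at `created`."""
    age = (now - created).days
    if age > max_age_days:
        return "NON_COMPLIANT", f"Last rotation {age} days ago exceeds {max_age_days}-day limit"
    return "COMPLIANT", f"Last rotation {age} days ago"


def max_age_from_parameters(event):
    """Optional maxAgeDays rule parameter; Config passes ruleParameters as a JSON string."""
    params = json.loads(event.get("ruleParameters") or "{}")
    return int(params.get("maxAgeDays", DEFAULT_MAX_AGE_DAYS))


def keys_from_change_event(invoking):
    """(key_id, created) for the key in a change notification, if it is still evaluable."""
    ci = invoking["configurationItem"]
    if ci["resourceType"] != "AWS::KMS::Key" or ci["configurationItemStatus"] == "ResourceDeleted":
        return []
    return [(ci["resourceId"], parse_ci_timestamp(ci["resourceCreationTime"]))]


def keys_from_kms(kms_client):
    """(key_id, created) for every enabled customer-managed key; used on scheduled runs."""
    found = []
    for page in kms_client.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            meta = kms_client.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
            if meta["KeyManager"] == "CUSTOMER" and meta["KeyState"] == "Enabled":
                found.append((meta["KeyId"], meta["CreationDate"]))  # tz-aware datetime from boto3
    return found


def handler(event, context, config_client=None, sns_client=None, kms_client=None,
            now=None, topic_arn=None):
    """Lambda entry point. Clients and `now` are injectable so the logic can run offline."""
    if config_client is None or sns_client is None or kms_client is None:
        import boto3  # deferred so the module imports (and is testable) without the SDK
        config_client = config_client or boto3.client("config")
        sns_client = sns_client or boto3.client("sns")
        kms_client = kms_client or boto3.client("kms")
    now = now or datetime.now(timezone.utc)
    topic_arn = topic_arn or os.environ.get(SNS_TOPIC_ENV)
    max_age = max_age_from_parameters(event)

    invoking = json.loads(event["invokingEvent"])
    if invoking["messageType"] == "ScheduledNotification":
        keys, ordering = keys_from_kms(kms_client), invoking["notificationCreationTime"]
    elif invoking["messageType"] == "ConfigurationItemChangeNotification":
        keys = keys_from_change_event(invoking)
        ordering = invoking["configurationItem"]["configurationItemCaptureTime"]
    else:
        return {"evaluated": 0, "overdue": 0}  # oversized CIs are not expected for KMS keys

    evaluations, overdue = [], []
    for key_id, created in keys:
        compliance, annotation = evaluate_age(created, now, max_age)
        evaluations.append({
            "ComplianceResourceType": "AWS::KMS::Key",
            "ComplianceResourceId": key_id,
            "ComplianceType": compliance,
            "Annotation": annotation[:256],  # Config caps annotations at 256 characters
            "OrderingTimestamp": ordering,
        })
        if compliance == "NON_COMPLIANT":
            overdue.append(f"{key_id}: {annotation}")

    batches = [evaluations[i:i + PUT_EVALUATIONS_BATCH]
               for i in range(0, len(evaluations), PUT_EVALUATIONS_BATCH)] or [[]]
    for batch in batches:  # always report, even an empty list, so the invocation completes
        config_client.put_evaluations(Evaluations=batch, ResultToken=event["resultToken"])
    if overdue and topic_arn:
        sns_client.publish(TopicArn=topic_arn, Subject="KMS key rotation overdue",
                           Message="\n".join(overdue))
    return {"evaluated": len(evaluations), "overdue": len(overdue)}


def sample_change_event(created_iso, capture_iso, max_age_days=DEFAULT_MAX_AGE_DAYS, status="OK"):
    """Constructed Config invocation for one key change (test input, not captured from AWS)."""
    ci = {
        "resourceType": "AWS::KMS::Key",
        "resourceId": "11111111-2222-3333-4444-555555555555",  # placeholder key ID
        "configurationItemStatus": status,
        "resourceCreationTime": created_iso,
        "configurationItemCaptureTime": capture_iso,
    }
    return {
        "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                     "configurationItem": ci}),
        "ruleParameters": json.dumps({"maxAgeDays": max_age_days}),
        "resultToken": "constructed-token",
    }


if __name__ == "__main__":
    now = parse_ci_timestamp("2024-05-01T00:00:00.000Z")
    print(evaluate_age(parse_ci_timestamp("2024-01-02T00:00:00.000Z"), now, 90))
```

Deploy it with a periodic trigger (for example every 24 hours) in addition to the AWS::KMS::Key change trigger, and give the execution role config:PutEvaluations, kms:ListKeys, kms:DescribeKey and sns:Publish on the one topic. Publishing from the function is the direct route the answer describes; if you would rather keep the function side-effect free, drop the sns_client call and attach an EventBridge rule to the Config compliance-change event instead.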