Q82 — AWS DOP-C02 Ch.2


A company uses AWS Key Management Service (AWS KMS) keys and manual key rotation to meet regulatory compliance requirements. The security team wants to receive notifications if any key has not been rotated within 90 days.

Correct Answer: C. Develop an AWS Config custom rule that publishes to an Amazon Simple Notification Service (Amazon SNS) topic when a key exceeds 90 days since last rotation.

Explanation

Monitoring the rotation age of AWS KMS keys is achievable with AWS Config custom rules. A custom rule evaluates whether a resource meets a specific condition, such as whether a KMS key's last rotation timestamp is more than 90 days old. When the rule marks a key noncompliant, it can trigger an SNS notification. Option C implements this mechanism directly. Options A, B, and D rely on services (KMS native notifications, Trusted Advisor, Security Hub) that do not natively support this use case or would require indirect, unsupported workarounds. AWS documents this approach among its AWS Config custom rule use cases.