Q29 — AWS SCS-C02 Ch.1


A company uses an AWS Key Management Service (AWS KMS) AWS owned key in its application to encrypt files in an AWS account. The company's security team wants the ability to change to new key material for new files whenever a potential key breach occurs. A security engineer must implement a solution that gives the security team the ability to change the key whenever the team wants to do so. Which solution will meet these requirements?

Correct Answer: C. Create a key alias. Create a new customer managed key every time the security team requests a key change. Associate the alias with the new key.  

Explanation

A customer managed key gives the account control over the key's lifecycle. AWS documentation describes an alias as a friendly name that points at a KMS key and can be remapped to a different key at any time with UpdateAlias. Option C has the application encrypt through the alias; whenever the security team requests a change, the engineer creates a new customer managed key and points the alias at it, so new files are encrypted under fresh key material without touching the application configuration. Option A's automatic key rotation generates new backing material on AWS's fixed schedule and keeps the same KMS key, so the team cannot decide when the change happens. Options B and D rely on AWS managed keys, which the owning service creates and rotates itself; the customer cannot create or replace them. The AWS owned key the company uses today is even less controllable, since AWS owns and manages it with no customer visibility. Two practical caveats: the previous keys must stay enabled until every file encrypted under them has been re-encrypted, because KMS decrypts with the key recorded in the ciphertext regardless of where the alias now points; and UpdateAlias requires kms:UpdateAlias permission on the alias, on the current key and on the new key.
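The alias repoint described above, as an added example that is not part of the original page or AWS's own code. It targets a boto3-shaped KMS client (create_key, create_alias, update_alias, list_aliases, encrypt, decrypt, disable_key); FakeKms is a constructed offline stand-in whose "ciphertext" only records the key ID and is not encryption, and alias/app-files is an assumed alias name. With real credentials, replace FakeKms() with boto3.client("kms").

```python
"""On-demand key change via a KMS alias: a new customer managed key per request,
the alias repointed, and old keys kept enabled so existing ciphertext still decrypts.
Added example, not the exam's or AWS's code."""
import base64
import itertools
import json

ALIAS = "alias/app-files"  # hypothetical alias the application encrypts through


class FakeKms:
    """Constructed stand-in for boto3.client('kms') covering only the calls used here.
    CiphertextBlob is NOT real encryption: it just records which key was used,
    which is the one KMS behaviour this example depends on (KMS returns key IDs
    here; the real service returns key ARNs)."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.keys = {}      # key_id -> metadata dict
        self.aliases = {}   # alias name -> key_id

    def create_key(self, **kwargs):
        key_id = "11111111-2222-3333-4444-%012d" % next(self._ids)
        self.keys[key_id] = {"KeyId": key_id, "KeyState": "Enabled",
                             "Description": kwargs.get("Description", "")}
        return {"KeyMetadata": dict(self.keys[key_id])}

    def create_alias(self, AliasName, TargetKeyId):
        if AliasName in self.aliases:
            raise RuntimeError("AlreadyExistsException")
        self.aliases[AliasName] = TargetKeyId
        return {}

    def update_alias(self, AliasName, TargetKeyId):
        if AliasName not in self.aliases:
            raise RuntimeError("NotFoundException")
        self.aliases[AliasName] = TargetKeyId
        return {}

    def list_aliases(self, **kwargs):
        return {"Aliases": [{"AliasName": a, "TargetKeyId": k}
                            for a, k in self.aliases.items()]}

    def disable_key(self, KeyId):
        self.keys[KeyId]["KeyState"] = "Disabled"
        return {}

    def encrypt(self, KeyId, Plaintext):
        key_id = self.aliases.get(KeyId, KeyId)   # an alias is resolved at call time
        if self.keys[key_id]["KeyState"] != "Enabled":
            raise RuntimeError("DisabledException")
        blob = json.dumps({"k": key_id, "p": base64.b64encode(Plaintext).decode()}).encode()
        return {"KeyId": key_id, "CiphertextBlob": blob}

    def decrypt(self, CiphertextBlob, **kwargs):
        rec = json.loads(CiphertextBlob)           # the key is taken from the ciphertext, not the alias
        if self.keys[rec["k"]]["KeyState"] != "Enabled":
            raise RuntimeError("DisabledException")
        return {"KeyId": rec["k"], "Plaintext": base64.b64decode(rec["p"])}


def current_target(kms, alias_name=ALIAS):
    """Return the key ID the alias currently points at, or None if the alias does not exist."""
    for a in kms.list_aliases()["Aliases"]:
        if a["AliasName"] == alias_name:
            return a.get("TargetKeyId")
    return None


def change_key(kms, alias_name=ALIAS, reason="security team request"):
    """Create a fresh customer managed key and repoint the alias at it.
    Returns (previous_key_id_or_None, new_key_id). The previous key is left
    Enabled on purpose: ciphertext made under it can only be decrypted by it."""
    previous = current_target(kms, alias_name)
    new_key = kms.create_key(Description=f"app-files key ({reason})",
                             KeyUsage="ENCRYPT_DECRYPT",
                             KeySpec="SYMMETRIC_DEFAULT")["KeyMetadata"]["KeyId"]
    if previous is None:
        kms.create_alias(AliasName=alias_name, TargetKeyId=new_key)   # first run only
    else:
        kms.update_alias(AliasName=alias_name, TargetKeyId=new_key)   # every later change
    return previous, new_key


def demo():
    """Walk through initial setup, one requested key change, and the old-key caveat."""
    kms = FakeKms()
    _, k1 = change_key(kms, reason="initial setup")
    old_blob = kms.encrypt(KeyId=ALIAS, Plaintext=b"file-1")["CiphertextBlob"]

    prev, k2 = change_key(kms, reason="suspected key compromise")
    new_blob = kms.encrypt(KeyId=ALIAS, Plaintext=b"file-2")["CiphertextBlob"]

    # New files go under the new key; old files still decrypt under the old key.
    new_file_key = kms.decrypt(CiphertextBlob=new_blob)["KeyId"]
    old_file_key = kms.decrypt(CiphertextBlob=old_blob)["KeyId"]

    # Disabling the old key before re-encrypting its files makes them unreadable.
    kms.disable_key(KeyId=k1)
    try:
        kms.decrypt(CiphertextBlob=old_blob)
        disabled_decrypt_failed = False
    except RuntimeError:
        disabled_decrypt_failed = True

    return {"first": k1, "second": k2, "previous_on_change": prev,
            "alias_now": current_target(kms), "new_file_key": new_file_key,
            "old_file_key": old_file_key, "disabled_decrypt_failed": disabled_decrypt_failed}


if __name__ == "__main__":
    print(demo())
```

The application only ever passes the alias to Encrypt, so a change is a single UpdateAlias call and no redeploy. Decrypt never takes the alias, which is why old ciphertext keeps working after the change and why the old key must stay enabled until a re-encryption job has finished; only then should it be disabled or scheduled for deletion.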