Which option for the use of the AWS Key Management Service (KMS) supports key management best practices that focus on minimizing the potential scope of data exposed by a possible future key compromise?
A . Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data.
B . Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations.
C . Change the CMK alias every 90 days, and update key-calling applications with the new key alias.
D . Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.
Answer: A
Leave a Reply