
Answer-first summary for fast verification
Answer: Create a customer managed key. Use the key to encrypt the EBS volumes.
## Explanation

**Correct Answer: A**

**Why Option A is correct:**

1. **Customer managed key (CMK)**: The company creates and owns the key, so it controls the key's lifecycle, including its rotation policy.
2. **Control over rotation**: On a customer managed key you can turn automatic rotation on or off (the default period is 365 days and the period is configurable), trigger an on-demand rotation, or rotate manually by creating a new key and repointing the alias.
3. **Least operational overhead**: Creating the key is a one-time step. After that, KMS performs the rotation and retains the previous key material, so existing volumes stay readable; no key material has to be generated, imported, or tracked outside AWS.
4. **EBS encryption**: A customer managed key can be used directly to encrypt EBS volumes, either per volume or as the account's default EBS encryption key.

**Why the other options are incorrect:**

**Option B**: AWS managed keys (such as `aws/ebs`) are rotated by AWS on a fixed yearly schedule. The customer cannot enable, disable, or change that rotation, so the option's "configure automatic key rotation" step is not possible.

**Option C**: A KMS key with imported key material has the highest operational overhead. You must generate the key material yourself, import it, and manage it outside AWS, and KMS does not support automatic rotation for imported material, so every rotation is a manual re-import.

**Option D**: AWS owned keys are not visible to customers and provide no control over key management or rotation; they are shared across multiple AWS accounts and services. (Amazon EBS does not even offer an AWS owned key as a choice; its default is the AWS managed key `aws/ebs`.)

**Key AWS KMS concepts:**

- **Customer managed keys (CMK)**: You create, manage, and control these keys. You can enable automatic rotation (default period 365 days, configurable) or rotate manually.
- **AWS managed keys**: AWS creates and manages these keys on your behalf for a specific service. Rotation is fixed and not customer-configurable.
- **AWS owned keys**: AWS creates and manages these keys for use across multiple AWS accounts. No customer visibility or control.
- **Keys with imported (external) key material**: You supply your own key material. Maximum control, maximum operational overhead, and no automatic rotation.

The requirement to "control rotation of the encryption keys" eliminates AWS managed and AWS owned keys. The requirement for "LEAST operational overhead" eliminates keys with imported material, leaving a customer managed key as the optimal solution.
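The option-by-option reasoning above turns into a small compliance check: for every EBS volume, look up the key it is encrypted with and decide whether the company actually controls that key's rotation. The script below is an added example, not code from the LeetQuiz page; it uses the field names boto3 returns from `ec2.describe_volumes()`, `kms.describe_key()` and `kms.get_key_rotation_status()`, but the volumes, keys, account number and ARNs in it are constructed for the demonstration, and the `collect_live` helper is only there to show how the same facts would be pulled from a real account.

```python
"""Audit EBS volumes for "encrypted with a KMS key whose rotation we control".

Added example, not part of the original page. The sample volumes and keys
below are constructed; every volume ID, account number and key ARN is made up.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# One verdict per quiz option, plus the two ways a volume fails outright.
OK_CUSTOMER_MANAGED = "ok: customer managed key with automatic rotation enabled (option A)"
NEEDS_ROTATION = "fix: customer managed key, but automatic rotation is disabled"
AWS_MANAGED = "fail: AWS managed key; rotation schedule is fixed by AWS (option B)"
NO_AUTO_ROTATION = "warn: key material not generated by KMS; rotation is manual (option C)"
UNENCRYPTED = "fail: volume is not encrypted"
UNKNOWN_KEY = "fail: key metadata not available"


@dataclass(frozen=True)
class KeyFacts:
    """Subset of DescribeKey.KeyMetadata plus GetKeyRotationStatus."""
    key_manager: str                              # "AWS" or "CUSTOMER"
    origin: str                                   # "AWS_KMS", "EXTERNAL", "AWS_CLOUDHSM", "EXTERNAL_KEY_STORE"
    rotation_enabled: bool                        # KeyRotationEnabled
    rotation_period_days: Optional[int] = None    # RotationPeriodInDays, when reported


def classify(volume: dict, keys: Dict[str, KeyFacts]) -> str:
    """Return the verdict for one describe_volumes() entry."""
    if not volume.get("Encrypted"):
        return UNENCRYPTED
    facts = keys.get(volume.get("KmsKeyId", ""))
    if facts is None:
        return UNKNOWN_KEY
    if facts.key_manager == "AWS":
        return AWS_MANAGED
    if facts.origin != "AWS_KMS":
        # Imported material, CloudHSM and external key stores never auto-rotate.
        return NO_AUTO_ROTATION
    return OK_CUSTOMER_MANAGED if facts.rotation_enabled else NEEDS_ROTATION


def audit(volumes: Iterable[dict], keys: Dict[str, KeyFacts]) -> Dict[str, str]:
    """Map each volume ID to its verdict."""
    return {v["VolumeId"]: classify(v, keys) for v in volumes}


def noncompliant(report: Dict[str, str]) -> List[str]:
    """Volume IDs that do not meet 'encrypted + customer-controlled rotation'."""
    return sorted(vid for vid, verdict in report.items() if verdict != OK_CUSTOMER_MANAGED)


def collect_live(region: str) -> Tuple[List[dict], Dict[str, KeyFacts]]:
    """Gather the same facts from a real account (needs boto3 and credentials);
    not used by the offline sample run below."""
    import boto3
    from botocore.exceptions import ClientError

    ec2 = boto3.client("ec2", region_name=region)
    kms = boto3.client("kms", region_name=region)
    volumes = [v for page in ec2.get_paginator("describe_volumes").paginate()
               for v in page["Volumes"]]
    keys: Dict[str, KeyFacts] = {}
    for v in volumes:
        arn = v.get("KmsKeyId")
        if not arn or arn in keys:
            continue
        meta = kms.describe_key(KeyId=arn)["KeyMetadata"]
        try:
            rot = kms.get_key_rotation_status(KeyId=arn)
        except ClientError:
            rot = {"KeyRotationEnabled": False}
        keys[arn] = KeyFacts(meta["KeyManager"], meta["Origin"],
                             bool(rot.get("KeyRotationEnabled")),
                             rot.get("RotationPeriodInDays"))
    return volumes, keys


# Constructed sample input mirroring the API shapes; all identifiers are made up.
_PREFIX = "arn:aws:kms:us-east-1:111122223333:key/"
CMK_ROTATED = _PREFIX + "11111111-1111-1111-1111-111111111111"
CMK_UNROTATED = _PREFIX + "22222222-2222-2222-2222-222222222222"
AWS_EBS_KEY = _PREFIX + "33333333-3333-3333-3333-333333333333"
IMPORTED_KEY = _PREFIX + "44444444-4444-4444-4444-444444444444"

SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": True, "KmsKeyId": CMK_ROTATED},
    {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": True, "KmsKeyId": CMK_UNROTATED},
    {"VolumeId": "vol-0a1b2c3d4e5f60003", "Encrypted": True, "KmsKeyId": AWS_EBS_KEY},
    {"VolumeId": "vol-0a1b2c3d4e5f60004", "Encrypted": True, "KmsKeyId": IMPORTED_KEY},
    {"VolumeId": "vol-0a1b2c3d4e5f60005", "Encrypted": False},
]
SAMPLE_KEYS = {
    CMK_ROTATED: KeyFacts("CUSTOMER", "AWS_KMS", True, 365),
    CMK_UNROTATED: KeyFacts("CUSTOMER", "AWS_KMS", False),
    AWS_EBS_KEY: KeyFacts("AWS", "AWS_KMS", True, 365),    # aws/ebs rotates, but not under our control
    IMPORTED_KEY: KeyFacts("CUSTOMER", "EXTERNAL", False),
}

if __name__ == "__main__":
    for vid, verdict in audit(SAMPLE_VOLUMES, SAMPLE_KEYS).items():
        print(f"{vid}: {verdict}")
```

Run as-is and only the first volume passes: the second needs `EnableKeyRotation` on its key, the third is on `aws/ebs` and must be re-created or snapshotted onto a customer managed key, the fourth can only be rotated by re-importing material, and the fifth is unencrypted. Against a real account, `audit(*collect_live("us-east-1"))` produces the same report from live data. Note that `get_key_rotation_status` reports `KeyRotationEnabled: true` for AWS managed keys; the check treats that as a failure anyway, because the requirement is that the company controls rotation, not merely that rotation happens.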
Author: LeetQuiz Editorial Team
A company uses Amazon EC2 instances and stores data on Amazon Elastic Block Store (Amazon EBS) volumes. The company must ensure that all data is encrypted at rest by using AWS Key Management Service (AWS KMS). The company must be able to control rotation of the encryption keys.
Which solution will meet these requirements with the LEAST operational overhead?
A
Create a customer managed key. Use the key to encrypt the EBS volumes.
B
Use an AWS managed key to encrypt the EBS volumes. Use the key to configure automatic key rotation.
C
Create an external KMS key with imported key material. Use the key to encrypt the EBS volumes.
D
Use an AWS owned key to encrypt the EBS volumes.