A company uses Amazon EC2 instances and stores data on Amazon EBS volumes. The company must ensure that all data is encrypted at rest by using AWS Key Management Service (AWS KMS) and must be able to control rotation of the encryption keys. Which solution meets these requirements with the LEAST operational overhead?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a customer managed key, and use that key to encrypt the EBS volumes..
Why this is the answer
Creating a customer managed key (CMK) in AWS KMS allows the company to encrypt EBS volumes at rest and explicitly control key rotation, meeting both requirements. CMKs offer full control over key policies, grants, and rotation schedules, which can be set to automatic or managed manually. This approach has the least operational overhead because AWS KMS handles the underlying key infrastructure, availability, and durability, while the company only manages the key itself. Using an AWS managed key would encrypt the volumes but would not allow the company to control key rotation; AWS manages these keys and their rotation automatically. Creating an external KMS key with imported key material adds significant operational overhead for key material management and secure import. Using an AWS owned key provides encryption but no control over the key or its rotation, as these keys are fully managed by AWS for its services.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed