Your company uses AWS KMS for the management of its customer keys. From time to time, there is a requirement to delete existing keys as part of housekeeping activities. What can be done during the deletion process to verify that the key is no longer being used?

Answer options:

A.Use CloudTrail to see if any KMS API request has been issued against existing keys.
B.Use Key policies to see the access level for the keys.
C.Rotate the keys once before deletion to see if other services are using the keys.
D.Change the IAM policy for the keys to see if other services are using the keys.

Answer: A
Option A is CORRECT because we can use AWS CloudTrail to check for any API request made to the existing KMS key. This can help us verify if the keys are being used or not. 
Options B is incorrect because Key policies cannot be used to check and verify if the keys are being used or not.
Option C is incorrect because key rotation is used when you retire an encryption key and replace the old key by generating a new cryptographic key. It cannot be used to check the last access time for those keys.
Options D is incorrect because the KMS key does not have IAM policies.
For more information on deleting keys, kindly refer to the below URL:
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html