Your company is making extensive use of the AWS KMS service. They have defined a number of CMK keys. They need to be notified immediately whenever a rotation of a key is carried out. Which of the following options should you use to ensure you get notified on the same?

Answer options:

A.Configure a CloudWatch Event rule to check if the detail-type is "KMS CMK Rotation". Register an SNS topic to provide the notifications.
B.Configure a CloudWatch Event rule to check if the event source is "KMS CMK Rotation". Register a Lambda function to provide the notifications.
C.Configure a CloudWatch Event rule to check if the detail-type is "aws.kms.key.rotation". Register an SNS topic to provide the notifications.
D.Configure an AWS Config rule to check if there is any key rotation that happens in the KMS service. Register an SNS topic to provide the notifications.

Answer – A
The AWS Documentation mentions the following.
Option A is CORRECT because the CloudWatch Event rule can quickly identify the key rotation event and notify the team through an SNS notification.
Option B is incorrect because the event source should be "aws.kms" and the "detail-type" should be "KMS CMK Rotation".
Option C is incorrect because the "detail-type" should be "KMS CMK Rotation".
Option D is incorrect because AWS Config does not have a solution out of the box. You have to write a custom rule with a Lambda function. And it cannot provide a real-time notification.
For more information on monitoring keys in the KMS service, please visit the below URL
https://docs.aws.amazon.com/kms/latest/developerguide/monitoring-cloudwatch.html