The cloud monitoring team is using AWS Config to perform security checks. One Config rule is to check if S3 buckets are encrypted using KMS. After the rule was executed, several S3 buckets were found to be non-compliant because they were not encrypted. To fix the non-compliance of these buckets, you have enabled the Default Encryption to be KMS using AWS Managed Key aws/s3. Your manager asked you how to manage the key rotation for this key. How should you answer this question?

Answer options:

A.You can enable or disable the automatic key rotation in the AWS console or CLI. The key rotation frequency is 1 year.
B.AWS manages the key rotation, and the user cannot disable it. The key is rotated every 1 year.
C.You can enable or disable the automatic key rotation in the AWS console or CLI. The key rotation frequency can also be configured as 1 month, 1 year or 3 years.
D.The key rotation is managed by AWS. The key is automatically rotated every three years.

Answer: D
Option A is incorrect because users cannot disable the key rotation for AWS managed keys. Instead, users can configure the key rotation for customer-managed keys.
Option B is incorrect because the frequency of AWS manage key rotation is 3 years and not 1 year.
Option C is incorrect because users cannot configure the key rotation for AWS managed keys.
Option D is CORRECT because for AWS managed keys, users cannot manage the key rotation. And the key is automatically rotated every 3 years (1095 days).
For more information on AWS KMS key rotation, kindly refer to the URL provided below
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html.