You are working in a financial company as a DevOps engineer. Your organization is using Customer Master Key (CMK) in KMS for several AWS services. For the CMK, the key material was imported as the key material needs to be maintained on-premises instead of AWS. According to the company rule, the key material must be rotated every year. How should you rotate the CMK?

Answer options:

A.Create a new CMK with new key material. Change the target CMK of the key alias to the new one.
B.Enable automatic key rotation for the CMK through KMS CLI.
C.Reimport the new key material to the CMK every year through KMS CLI.
D.Delete the old CMK first. Create a new CMK with new key material using the same key name and alias.

Answer: A
Option A is CORRECT because after the new CMK is created, we can use the CLI command can update the alias.
Option B is incorrect because there is no automatic key rotation for CMK with imported key material.
Option C is incorrect because users cannot import different key material to the same CMK with imported key material. A new CMK has to be created.
Option D is incorrect because the old CMK should not be deleted as KMS needs to decrypt data that the original CMK encrypted or else it would not be accessible.
Answer A - CLI Command provided below:
aws kms update-alias --alias-name alias/TestCMK --target-key-id 12345678-1234-1234-5678-123456789012
For more information on CMK and key rotation, refer to the URL provided below
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually.