A company continuously generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS using one of the company’s CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key.
 What solution below will meet the company’s requirements?

Answer options:

A.Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK and updates the S3 bucket to use the new CMK.
B.Configure the CMK to rotate the key material every month.
C.Trigger a Lambda function with a monthly CloudWatch event that creates a new CMK, updates the S3 bucket to use the new CMK, and deletes the old CMK.
D.Trigger a Lambda function with a monthly CloudWatch event that rotates the key material in the CMK.

Answer: A
Option A is CORRECT because you can use a Lambda function to create a new key and then update the S3 bucket to use the new key.
Option B is incorrect because AWS KMS cannot rotate keys on a monthly basis.
Option C is incorrect because deleting the old key means that you cannot access the older objects.
Option D is incorrect because rotating the key material is not possible.
Remember not to delete the old key. Else you will not be able to decrypt the documents stored in the S3 bucket using the older key.
For more information on AWS KMS keys, kindly refer to the URL below
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html