Your team is developing a web application and EC2 instances are used. In order to be compliant with security requirements, EBS volumes need to be encrypted with a Customer Managed CMK. A new CMK was already created by you. You also enabled automatic key rotation for this key through the AWS console to avoid manually rotating the key. Which benefits can this configuration bring? (Select TWO.)

Answer options:

A.The ARN or alias of the key is not changed so that applications that refer to this key do not need to change.
B.Users can freely choose the frequency to rotate the key such as every month or every year.
C.This configuration does not result in any extra monthly charges.
D.Users do not need to schedule the update for the key anymore since AWS KMS rotates the CMK automatically.
E.It can mitigate the effect of a compromised data key as the data keys that the CMK generated are also rotated during a key rotation.

Answer: A and D
Option A is CORRECT because the ARN or alias of the key won’t change even after an automatic rotation.
Option B is incorrect because users cannot modify the frequency. The key is automatically rotated every year.
Option C is incorrect because each newly rotated version will increase the cost by $1/month.
Option D is CORRECT because this offers a major benefit where AWS will take care of the key rotation every year.
Option E is incorrect because, during key rotation, the data keys that the CMK generated are not rotated, which means it cannot mitigate the effect of a compromised data key.
For more information on AWS KMS automatic key rotation for CMK, please refer to the following URL
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html.