For a three-tier application, data in AWS RDS and application data in Amazon EBS volumes are encrypted using AWS KMS. The security team has been instructed to rotate CMKs by enabling automated key rotation to comply with security guidelines. Management is concerned about workload post-rotation of CMKs.
Which of the following is TRUE with respect to rotation of CMK?

Answer options:

A.Rotating CMK will change the backing key.
B.Rotating CMK will need to change in Key ID referred by an application using this CMK.
C.Rotating CMK will re-encrypt data encrypted by the old CMK.
D.Rotating CMK will rotate Data Keys automatically which the old CMK generated. 

Correct Answer: A
Automatic key rotation for CMKs in AWS KMS changes the cryptographic material used in the encryption of keys. This will only change the backing key for the new CMK, and the old CMK is retained as it is. With automated key rotation, there is no need to make changes to applications that refer to old keys. All the key properties will remain the same post rotation of CMK.
Option B is incorrect as there would not be any change in Key ID post rotation of CMK.
Option C is incorrect as data encrypted by Old CMK is decrypted using the same CMK. No need to re-encrypt this data using the new CMK.
Option D is incorrect as Rotating CMK has no impact on data keys.
For more information on Rotating Keys using AWS KMS, refer to the following URL,
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html