A company uses an AWS Key Management Service (AWS KMS) CMK to encrypt application data before it is stored. The company’s security policy was recently modified to require encryption key rotation annually. A security engineer must ensure that annual global key rotation is enabled for the key without making changes to the application.
What should the security engineer do to accomplish this requirement?
A. Create new AWS managed keys. Configure the key schedule for the annual rotation. Create an alias to point to the new keys.
B. Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Fall back to the old key ID to decrypt data that was encrypted with previous versions of the key.
C. Create new AWS managed CMKs. Configure the key schedule for annual rotation. Create an alias to point to the new CMKs.
D. Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Create a key grant for the old CMKs and update the code to point to the ARN of the grants.
