A company uses a cloud provider's key management service. They want to rotate keys automatically every 90 days. What is the correct way to achieve this?
Automatic rotation meets the requirement with minimal effort.
Why this answer
Option A is correct because cloud KMS services (e.g., AWS KMS, Azure Key Vault, GCP Cloud KMS) offer a built-in automatic key rotation feature that can be configured to rotate the key material every 90 days without any manual intervention. Enabling this setting generates new cryptographic material for the key on schedule, while the old key material remains available for decrypting data encrypted with it, so existing ciphertext stays readable, applications need no changes, and the 90-day rotation requirement is met.
Exam trap
ISC2 often tests the misconception that updating a key alias or creating a new key manually is equivalent to automatic rotation, when in fact automatic rotation is a specific KMS feature that preserves key continuity and requires no application changes.
How to eliminate wrong answers
Option B is wrong because updating a key alias does not change the underlying key material; it only reassigns a friendly name to the same key, so no rotation takes place. Option C is wrong because creating a new key and updating every application to use it is a manual, error-prone process that defeats the purpose of automated rotation and can cause decryption failures if old data is not re-encrypted under the new key. Option D is wrong because a third-party HSM (Hardware Security Module) generates and stores keys outside the cloud KMS but does not provide automatic key rotation; rotation would still have to be implemented separately.