When using imported key material with AWS KMS, you maintain control over the key lifecycle. AWS KMS allows you to import new key material into an existing KMS key (of type "external" or "imported"), thus rotating the key material without changing the key ID or ARNs. This enables applications to continue using the same key for cryptographic operations without disruption.
You can also set an expiration time for the old key material, after which AWS KMS deletes the old material and requires new key material to be imported, enforcing regular rotation per your compliance requirements.
AWS Documentation Extract:
"To rotate imported key material, you can re-import new key material into the same KMS key. This retains the same key ID and ARNs so applications are unaffected. You can set an expiration time for imported key material and replace it as needed, ensuring compliance with your rotation policy."
(Source: AWS Key Management Service Developer Guide, Importing Key Material, Rotating Key Material)
Other options:
A: You cannot create a new KMS key with the same key ID as an existing one.
B: Deleting and recreating the key disrupts application access because the key ID changes.
D: Automatic rotation is only available for AWS-managed keys, not for imported key material.
Reference: AWS Certified Solutions Architect – Official Study Guide, KMS and Key Rotation Section.