🔥 3-day streak
AWS Certified Security - Specialty99 / 184
Question 99 of 184
A financial services company stores sensitive customer records in an Amazon RDS database encrypted with a customer managed KMS key. The security team wants to enforce a data classification policy that guarantees the KMS key used to encrypt this data can ONLY be used to protect data at rest and is never used for signing or MAC operations, regardless of any future key policy changes. Which approach BEST enforces this constraint at the KMS layer?
Reviewed for accuracy · Report an issueNext question