AWS Certified Security – Specialty SCS-C01 – Question256

A company needs to encrypt all of its data stored in Amazon S3. The company wants to use AWS Key Management Service (AWS KMS) to create and manage its encryption keys. The company's security policies require the ability to import the company's own key material for the keys, set an expiration date on the keys, and delete keys immediately, if needed.
How should a security engineer set up AWS KMS to meet these requirements?

A.
Configure AWS KMS and use a custom key store. Create a customer managed CMK with no key material. Import the company's keys and key material into the CMK.
B. Configure AWS KMS and use the default key store. Create an AWS managed CMK with no key material. Import the company's keys and key material into the CMK.
C. Configure AWS KMS and use the default key store. Create a customer managed CMK with no key material. Import the company's keys and key material into the CMK.
D. Configure AWS KMS and use a custom key store. Create an AWS managed CMK with no key material. Import the company's keys and key material into the CMK.