Updating Key Policies for Existing CMKs in AWS KMS | AWS Certified Security - Specialty Exam

Updating Key Policies for Existing CMKs

Question

You have a set of CMKs created using the AWS KMS service.

These keys have been used for around 6 months.

Recently there are some new KMS features, and the default key policy is updated to include certain new permissions.

How would you update the key policies of the existing CMKs?

Answers

Explanations


A. B. C. D.

Answer: A.

Option A is correct because when a new default key policy is available, the AWS console shows an alert on the key.

You can choose "Preview and upgrade to the new key policy".

Option B is incorrect because you do not need to do this manually.

You can follow the console alert to upgrade the key policies.

Option C is incorrect because the key policies of existing CMKs need to be modified to include the new permissions so that the new KMS features can be used.

Option D is incorrect because the key policies of existing CMKs are not updated automatically.

For more information on KMS key policy, kindly refer to the URL provided below:

https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-upgrading.html

The correct answer is B: Open the existing CMKs in the AWS console and manually add the new permissions in the key policies.

Explanation: When a default key policy is updated to include certain new permissions, the existing CMKs will not automatically inherit those permissions. As a result, you will need to update the key policies of your existing CMKs manually to include those new permissions.

To update the key policies of your existing CMKs, you can follow these steps:

  1. Log in to the AWS Management Console and navigate to the AWS KMS service.

  2. In the KMS console, choose the existing CMK that you want to update the key policy for.

  3. In the Key policy tab, choose Edit.

  4. Update the key policy to include the new permissions that you want to add.

  5. Choose Save changes to save the updated key policy.

  6. Repeat the process for all other CMKs that you want to update.
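The console steps above are one key at a time. The same update can be scripted with the KMS API, which matters when many CMKs need the same change; the example below is added here and is not from the page or from AWS. It uses the real boto3 calls `get_key_policy` and `put_key_policy` (KMS key policies are always named `default`), but the sample policy document, the account ID and the role name are constructed, and the new statement is a hypothetical stand-in for whatever permissions the new default policy adds. `put_key_policy` replaces the whole policy document, so the script always retrieves the current policy, merges the statement in by `Sid` (idempotently, so re-running it is safe), and refuses to push a policy that no longer lets the account root administer the key, which is the lockout a careless edit can cause. Only `apply_to_key` needs AWS credentials; the merge and safety-check functions run offline.

```python
"""Merge a new statement into an existing KMS key policy and push it back (added example)."""
import copy
import json
from typing import Any, Dict

# Constructed sample: the kind of key policy an older CMK might still carry.
# 111122223333 is a placeholder account ID, not a real account.
EXISTING_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}

# Hypothetical new statement (constructed). In practice the statement comes from the
# console's "Preview and upgrade" view or the KMS documentation for the new feature.
NEW_STATEMENT: Dict[str, Any] = {
    "Sid": "Allow grant management by key users",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/KeyUserRole"},
    "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
    "Resource": "*",
}


def _as_list(value: Any) -> list:
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def merge_statement(policy: Dict[str, Any], statement: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of `policy` with `statement` added.

    A statement with the same Sid is replaced rather than duplicated, so running the
    update twice yields the same document. The input policy is not modified.
    """
    updated = copy.deepcopy(policy)
    statements = [
        st for st in updated.get("Statement", []) if st.get("Sid") != statement.get("Sid")
    ]
    statements.append(copy.deepcopy(statement))
    updated["Statement"] = statements
    return updated


def has_root_statement(policy: Dict[str, Any], account_id: str) -> bool:
    """True if the account root keeps an Allow for kms:* or kms:PutKeyPolicy.

    Without such a statement the account can no longer change the policy, which is
    the classic way to lock yourself out of a key.
    """
    root_arn = f"arn:aws:iam::{account_id}:root"
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        actions = _as_list(st.get("Action"))
        if root_arn in principals and any(a in ("kms:*", "kms:PutKeyPolicy") for a in actions):
            return True
    return False


def apply_to_key(key_id: str, statement: Dict[str, Any], account_id: str, region: str = None) -> Dict[str, Any]:
    """Retrieve, merge and write back the policy of one CMK (needs AWS credentials)."""
    import boto3  # imported here so the offline functions above need no AWS SDK

    kms = boto3.client("kms", region_name=region)
    current = json.loads(kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"])
    updated = merge_statement(current, statement)
    if not has_root_statement(updated, account_id):
        raise RuntimeError(f"refusing to update {key_id}: root would lose administrative access")
    # PutKeyPolicy replaces the entire document, hence the retrieve-then-merge above.
    kms.put_key_policy(KeyId=key_id, PolicyName="default", Policy=json.dumps(updated))
    return updated


if __name__ == "__main__":
    # Offline demonstration on the constructed sample policy.
    merged = merge_statement(EXISTING_POLICY, NEW_STATEMENT)
    print(json.dumps(merged, indent=2))
    print("root retained:", has_root_statement(merged, "111122223333"))
```

To roll the change out across all keys, list them with `kms.list_keys()` (paginated) and call `apply_to_key` for each, skipping AWS managed keys and any key whose policy the safety check rejects; review the rejected ones by hand in the console rather than bypassing the check.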

It's important to note that updating a key policy can have a significant impact on the security of your system. Therefore, it's essential to carefully review and test any changes you make to the key policy before implementing them in a production environment.