Comprehensive and Detailed Explanation From Exact Extract of AWS CloudOps Documents:

The correct answer is A because AWS KMS symmetric customer managed keys with automatic key rotation provide encryption, access control, and compliance with minimal operational effort. AWS CloudOps documentation states that Amazon EBS encryption supports AWS KMS symmetric keys only, and customer managed keys allow administrators to define custom key policies to control access.

Automatic key rotation is supported for symmetric customer managed keys and rotates the backing key material once every year, fully satisfying the company’s rotation requirement without manual intervention. This approach minimizes operational overhead while maintaining strong security controls and auditability.

Option B is incorrect because AWS owned keys do not allow custom key policies and therefore cannot meet the access control requirement. Option C is incorrect because asymmetric KMS keys are not supported for EBS encryption. Option D is incorrect because imported key material requires manual rotation and re-import, increasing operational complexity and risk.

AWS CloudOps security best practices strongly recommend customer managed symmetric keys with automatic rotation when organizations need fine-grained access control, regulatory compliance, and low maintenance overhead.