AWS Certified Security - Specialty (#59)

Which option for the use of the AWS Key Management Service (KMS) supports key management best practices that focus on minimizing the potential scope of data exposed by a possible future key compromise?

Use KMS automatic key rotation to replace the master key, and use this new master key for future encryption operations without re-encrypting previously encrypted data.
Generate a new Customer Master Key (CMK), re-encrypt all existing data with the new CMK, and use it for all future encryption operations.
Change the CMK alias every 90 days, and update key-calling applications with the new key alias.
Change the CMK permissions to ensure that individuals who can provision keys are not the same individuals who can use the keys.