
AWS Certified Security – Specialty Q&A: Create new customer managed key, import new key material to new key then point the key alias to the new key.

Question

A company has an AWS Key Management Service (AWS KMS) customer managed key with imported key material. Company policy requires all encryption keys to be rotated every year.

What should a security engineer do to meet this requirement for this customer managed key?

A. Enable automatic key rotation annually for the existing customer managed key.
B. Use the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually.
C. Import new key material to the existing customer managed key. Manually rotate the key.
D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.

Answer

D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.

Explanation 1

The security engineer should create a new customer managed key, import new key material into it, and then point the existing key alias at the new key (option D).

Explanation:

  • AWS KMS lets you create a customer managed key whose key material you supply (key origin EXTERNAL, also called "bring your own key"). You remain responsible for that key material; AWS KMS only holds a copy of it.
  • Rotating a key means generating new key material and using it for new encryption operations, while the old key material stays available to decrypt data that was encrypted under it.
  • AWS KMS does not support automatic key rotation for customer managed keys with imported key material. Automatic rotation is only available for symmetric keys whose key material AWS KMS generated itself.
  • You also cannot change the key material of an existing key with imported key material. AWS KMS only accepts a re-import of the same key material (for example after it expired or was deleted); an import of different key material is rejected, so option C is not possible.
  • Manual rotation therefore means creating a new key, importing the new key material into it, and updating the alias that applications use so that new encrypt requests go to the new key. A KMS ciphertext identifies the key that produced it, so decrypt requests for older data keep resolving to the old key, which must stay enabled and must not be scheduled for deletion while data encrypted under it still needs to be decrypted.
  • Using an alias is what keeps this cheap: applications that reference the alias need no change, and only references to the old key ID or ARN (for example in IAM policies or grants) have to be updated.

Explanation 2

The correct answer is D.

AWS KMS can rotate a customer managed key automatically only when AWS KMS generated the key material. Automatic rotation is the recommended approach wherever it is available, because AWS KMS then creates new key material on a schedule without operator action.

A customer managed key with imported key material cannot be rotated automatically, and it cannot be given new key material either: AWS KMS only allows the same key material to be re-imported. Rotation of such a key is therefore a manual procedure that the security engineer has to repeat every year.

The way to meet the company policy is to create a new customer managed key, import new key material into it, and point the key alias at the new key. New encrypt requests made through the alias then use the new key material, while the old key remains available to decrypt existing data.

The other options do not work. Option A is not possible, because automatic key rotation cannot be enabled on a key with imported key material. Option B cannot work, because there is no AWS KMS API operation that rotates the key material of an existing key with imported key material, so a Lambda function would have nothing to call. Option C is not possible, because AWS KMS rejects an import of key material that differs from the material already in the key.

Therefore, the correct answer is D.

Here are some additional details about rotating customer managed keys in AWS KMS:

  • You can create keys, import key material and update aliases using the AWS Management Console, the AWS CLI, or the AWS SDKs.
  • When you rotate a key by repointing an alias, the old key and its key material are not deleted. Keep the old key enabled until all data encrypted under it has been decrypted or re-encrypted, and only then disable it or schedule it for deletion.
  • The alias is the only indirection AWS KMS offers for this. IAM policies and grants that reference the old key by key ID or ARN have to be updated separately.

Explanation 3

AWS KMS does not support automatic key rotation for customer managed keys with imported key material, and it does not accept new key material for an existing key: only the same key material can be imported again. To rotate such a key every year as company policy requires, the security engineer has to create a new customer managed key, generate new key material outside AWS KMS, import it into the new key, and point the existing key alias at the new key so that applications start using it. Data encrypted under the old key can still be decrypted with the old key, which should remain enabled until that data has been re-encrypted or is no longer needed. Creating a new key is therefore not optional in this scenario; it is the only way to rotate imported key material.

Explanation 4

The correct answer is D.

AWS KMS can rotate customer managed keys either manually or automatically. Automatic rotation has AWS KMS generate new key material for the key on a schedule and is available only for keys whose key material AWS KMS generated. Manual rotation means creating a new key and pointing the key alias at it; this is the only form of rotation available for a key with imported key material, because AWS KMS does not allow different key material to be imported into an existing key.

In this case, the company policy requires all encryption keys to be rotated every year. Therefore, the security engineer should create a new customer managed key, import new key material into the new key, point the key alias to the new key, and repeat this procedure each year.

The other options are incorrect. Option A would not work, because automatic key rotation cannot be enabled for a key with imported key material. Option B does not help, because there is no AWS KMS operation for a Lambda function to call that would rotate the key material of the existing key. Option C is not possible, because AWS KMS rejects an attempt to import key material that differs from the material already in the key.

Therefore, the correct answer is D.

Here are the steps on how to rotate a customer managed key with imported key material in AWS KMS:

  1. Create a new customer managed key with an external key origin.
  2. Generate new key material and import it into the new key.
  3. Point the key alias to the new key.
  4. Keep the old key enabled so that existing ciphertext can still be decrypted. Disable it, or schedule it for deletion, only after the data encrypted under it has been re-encrypted or is no longer needed.

Once these steps are complete, new encryption requests use the new key material, and the company policy will be met.

Explanation 5

The correct answer is D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.

The explanation is as follows:

  • Option A is incorrect because AWS KMS does not support automatic key rotation for customer managed keys with imported key material.
  • Option B is incorrect because AWS KMS does not provide an API to rotate customer managed keys with imported key material. A Lambda function cannot perform this task.
  • Option C is incorrect because AWS KMS does not accept new key material for an existing customer managed key; only the same key material can be re-imported. The key ID and ARN of a key never change, so there is no in-place way to move its users to new key material.
  • Option D is correct because creating a new customer managed key and importing new key material to it will generate a new key ID and ARN. Pointing the key alias to the new key will ensure that any applications or aliases that use the alias will use the new key material. This meets the company policy of rotating encryption keys every year.

Explanation 6

The correct answer is D.

AWS KMS customer managed keys can be rotated either manually or automatically, but automatic rotation is only available when AWS KMS generated the key material. To rotate a customer managed key with imported key material, you must create a new key, import new key material into it, and then point the key alias at the new key.

To meet the company’s policy of rotating all encryption keys every year, the security engineer should do the following:

  1. Create a new customer managed key.
  2. Import new key material to the new key.
  3. Point the key alias to the new key.

The old customer managed key remains enabled and is still used to decrypt data that was encrypted under it, but new encrypt requests made through the alias no longer use it.

The other options do not meet the company’s policy. Option A cannot be applied, because automatic key rotation is not supported for customer managed keys with imported key material. Option B would not help, because there is no AWS KMS API operation that rotates the key material of an existing key with imported key material for a Lambda function to call. Option C is not possible, because AWS KMS only allows the same key material to be re-imported into an existing key, so it would not rotate the key.

Therefore, the correct answer is D.

Here are some additional details about rotating AWS KMS customer managed keys:

  • You can create keys, import key material and update aliases using the AWS Management Console, the AWS CLI, or the AWS SDKs.
  • When you rotate by repointing an alias, the old key and its key material remain available until you delete the key, so that you can still decrypt any data that was encrypted with the old key.
  • You can repeat this manual rotation as often as your policy requires.

Explanation 7

Enabling automatic key rotation (option A) would be the right answer only for a customer managed key whose key material AWS KMS generated. When such a key is rotated, AWS KMS creates a new backing key (HBK) and marks it as the current version of the key material for all new encrypt requests, while keeping the older versions for decryption. Automatic rotation cannot be enabled on a key with imported key material, so for this key the engineer must rotate manually: create a new customer managed key, import new key material into it, and point the key alias to the new key.

Option D is correct. Option A is incorrect because AWS KMS rejects the request to enable automatic rotation on a key with imported key material. Option B is incorrect because no AWS KMS API operation exists for a Lambda function to call that would rotate the key material of the existing key. Option C is incorrect because AWS KMS only allows the same key material to be re-imported into an existing key, so new key material cannot be imported.

Explanation 8

Automatic key rotation is how AWS KMS rotates keys whose key material it generated. When you enable automatic key rotation for such a customer managed key, AWS KMS generates new cryptographic material for the key every year by default, saves the older cryptographic material so it can still decrypt data that it encrypted, and does not delete any rotated key material until you delete the key. None of this applies to a customer managed key with imported key material: AWS KMS cannot generate key material for it and refuses to enable automatic rotation on it. For this key the security engineer must rotate manually by creating a new customer managed key, importing new key material into it, and pointing the key alias to the new key (option D).

Explanation 9

Based on my research, the correct answer to your question is D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.

According to the AWS documentation, you can create a customer managed key with key material that you supply. This is also known as “bring your own key” (BYOK). When you use imported key material, you remain responsible for the key material while allowing AWS KMS to use a copy of it.

To rotate a customer managed key with imported key material, you cannot use automatic key rotation. Automatic key rotation is only available for customer managed keys with key material generated by AWS KMS.

You also cannot rotate the existing key from the AWS CLI or from an AWS Lambda function, because AWS KMS does not provide an API operation that rotates a customer managed key with imported key material; there is nothing for a script to call.

The only way to rotate a customer managed key with imported key material is to create a new customer managed key and import new key material to it. You can then point the existing key alias to the new customer managed key. This way, you can use the same alias for encryption and decryption operations, but with different underlying keys.

The other options are incorrect because:

  • A. Automatic key rotation is not supported for customer managed keys with imported key material.
  • B. There is no AWS KMS API operation for the AWS CLI or an AWS Lambda function to call that would rotate the existing customer managed key with imported key material.
  • C. Importing new key material to the existing customer managed key is not possible. You can only import the same key material into a customer managed key.

Explanation 10

The correct answer is D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.

Here’s why:

A. AWS KMS does not support automatic key rotation for customer managed keys with imported key material. Automatic key rotation is only available for AWS managed keys and customer managed keys (CMKs) where AWS generates the key material.

B. The AWS CLI and AWS Lambda cannot rotate the key material of an existing customer managed key with imported key material, because AWS KMS provides no API operation that changes the key material of an existing CMK.

C. AWS KMS does not allow you to import different key material into an existing customer managed key. The only import it accepts after the first one is the same key material again, for example after it has expired or been deleted.

D. The only way to rotate the key material for a customer managed key with imported key material is to create a new CMK, import the new key material to the new CMK, and then change the key alias to point to the new CMK. This effectively “rotates” the key material by replacing the old CMK with a new one. This method requires manual intervention and careful management to ensure that the old key is properly retired and the new key is correctly used in all necessary places.

Explanation 11

To meet the requirement of rotating the AWS Key Management Service (AWS KMS) customer managed key with imported key material every year, the appropriate action for the security engineer is:

Option D: Create a new customer managed key, import new key material to the new key, and point the key alias to the new key.

Here’s a detailed explanation of why this option is the correct choice:

AWS KMS allows you to create and manage customer managed keys, giving you control over the lifecycle of the encryption keys used to protect your data. When using imported key material, you generate the key material outside AWS KMS, wrap it with the RSA public key that AWS KMS hands you for the import, and upload the wrapped material together with the import token. You remain responsible for the key material and for its rotation.

Option A (enabling automatic key rotation) is not available in this scenario because automatic key rotation is only supported for keys whose key material AWS KMS generated, not for customer managed keys with imported key material.

Option B (using the AWS CLI and a Lambda function) cannot work because AWS KMS offers no API operation that rotates the key material of an existing key with imported key material, so there is nothing for the function to automate.

Option C (importing new key material into the existing key) is not possible. After the first import, AWS KMS only accepts the same key material again, for example to re-import it after it has expired or been deleted; an import of different key material is rejected.

Therefore, option D is the only workable solution. The security engineer creates a new customer managed key with an external key origin, generates new key material, wraps and imports it into the new key, and then points the existing key alias at the new key. Applications that use the alias start encrypting with the new key material without any change on their side, while the old key stays enabled to decrypt data encrypted before the rotation. Only references to the old key by key ID or ARN, for example in IAM policies or grants, need to be updated, and the old key should not be scheduled for deletion until the data encrypted under it has been re-encrypted or is no longer needed.
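The procedure that option D and the step lists in the explanations above describe (create a key with external origin, fetch the wrapping parameters, wrap and import the key material, move the alias), as an added example in bash using the AWS CLI and OpenSSL. This is not code from the page or from AWS. The alias name alias/app-data, the scratch-directory layout and the function names are assumptions, and it assumes an AWS CLI profile with permissions for kms:ListAliases, kms:CreateKey, kms:GetParametersForImport, kms:ImportKeyMaterial, kms:CreateAlias and kms:UpdateAlias.

```bash
#!/usr/bin/env bash
# Added example (not from the page or from AWS): rotate a KMS key that has
# imported key material by creating a new EXTERNAL-origin key, importing fresh
# material into it and moving the alias. Assumes a configured AWS CLI and
# openssl; alias name, paths and function names are placeholders.
set -eu

# New key material: a symmetric KMS key takes exactly 32 bytes (AES-256).
generate_key_material() {   # $1 = output file
  openssl rand -out "$1" 32
  chmod 600 "$1"
}

# Wrap the plaintext material with the RSA public key that KMS returned for the
# import. The OAEP options must match the wrapping algorithm requested from
# KMS below: RSAES_OAEP_SHA_256 means SHA-256 for both the OAEP hash and MGF1.
wrap_key_material() {       # $1 = plaintext material, $2 = DER public key, $3 = output file
  openssl pkeyutl -encrypt -pubin -keyform DER -inkey "$2" -in "$1" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
}

# Full rotation: new key, import, alias move. Prints the new key ID on stdout.
# The old key is deliberately left enabled: a KMS ciphertext carries the ID of
# the key that produced it, so decryption of existing data does not go through
# the alias and keeps working.
rotate_imported_key() {     # $1 = alias (e.g. alias/app-data), $2 = scratch directory
  alias_name="$1"; dir="$2"
  old_key=$(aws kms list-aliases \
    --query "Aliases[?AliasName=='${alias_name}'].TargetKeyId" --output text)

  new_key=$(aws kms create-key --origin EXTERNAL --key-spec SYMMETRIC_DEFAULT \
    --description "${alias_name} rotated $(date -u +%Y-%m-%d)" \
    --query KeyMetadata.KeyId --output text)

  # PublicKey and ImportToken must come from the same call; the token is bound
  # to that public key and to this key ID, and expires after 24 hours.
  set -- $(aws kms get-parameters-for-import --key-id "$new_key" \
    --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 \
    --query '[PublicKey,ImportToken]' --output text)
  printf '%s' "$1" | base64 --decode > "$dir/wrapping.der"
  printf '%s' "$2" | base64 --decode > "$dir/import.token"

  generate_key_material "$dir/material.bin"
  wrap_key_material "$dir/material.bin" "$dir/wrapping.der" "$dir/material.wrapped"

  aws kms import-key-material --key-id "$new_key" \
    --encrypted-key-material "fileb://$dir/material.wrapped" \
    --import-token "fileb://$dir/import.token" \
    --expiration-model KEY_MATERIAL_DOES_NOT_EXPIRE >/dev/null

  # Moving the alias is the rotation from the application's point of view.
  if [ -z "$old_key" ]; then
    aws kms create-alias --alias-name "$alias_name" --target-key-id "$new_key"
  else
    aws kms update-alias --alias-name "$alias_name" --target-key-id "$new_key"
  fi

  # With imported material you hold the only durable copy: archive
  # material.bin in your own key store before removing the working copy.
  echo "alias ${alias_name}: ${old_key:-<none>} -> ${new_key}; keep the old key enabled for decrypts" >&2
  echo "$new_key"
}

# Only runs the rotation when asked explicitly, e.g. ROTATE_ALIAS=alias/app-data bash rotate.sh
if [ -n "${ROTATE_ALIAS:-}" ]; then
  rotate_imported_key "$ROTATE_ALIAS" "$(mktemp -d)"
fi
```

Run it as ROTATE_ALIAS=alias/app-data bash rotate.sh once a year. The two helper functions can be exercised offline: generate a throwaway RSA key pair with openssl, wrap with the public key, and check that openssl pkeyutl -decrypt with the same OAEP options recovers the 32 bytes, which is the same check AWS KMS performs on the server side when it unwraps the import. After the alias has moved, search IAM policies and grants for the old key ID or ARN, and only disable or schedule deletion of the old key once nothing encrypted under it remains.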

