Table of Contents
Question
A company has an AWS Key Management Service (AWS KMS) customer managed key with imported key material. Company policy requires all encryption keys to be rotated every year. What should a security engineer do to meet this requirement for this customer managed key?
A. Enable automatic key rotation annually for the existing customer managed key.
B. Use the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually.
C. Import new key material to the existing customer managed key. Manually rotate the key.
D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.
Answer
D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.
Explanation
The correct answer is D.
AWS KMS allows you to rotate customer managed keys manually or automatically. Automatic key rotation is the recommended approach, as it ensures that your keys are rotated on a regular basis, even if you forget to do it manually.
To rotate a customer managed key manually, you must import new key material into the key and then manually rotate the key. This process is time-consuming and error-prone, and it does not guarantee that your keys will be rotated on a regular basis.
The best way to meet the company policy in this case is to create a new customer managed key, import new key material into the new key, and then point the key alias to the new key. This will ensure that the key is rotated on a regular basis and that your data is protected.
The other options are not as secure or as efficient. Option A would only rotate the key once a year, which is not in line with the company policy. Option B would require the security engineer to create and maintain an AWS Lambda function, which is a complex and time-consuming process. Option C would not rotate the key at all, as it would simply import new key material into the existing key.
Therefore, the correct answer is D.
Here are some additional details about rotating customer managed keys in AWS KMS:
- You can rotate customer managed keys using the AWS Management Console, the AWS CLI, or the AWS SDKs.
- When you rotate a customer managed key, the old key material is not deleted. This means that you can still use the old key material to decrypt data that was encrypted with the old key.
- You can rotate customer managed keys in batches. This can be useful if you have a large number of customer managed keys to rotate.
Reference
- Rotating AWS KMS keys – AWS Key Management Service (amazon.com)
- Rotating key material – AWS Key Management Service (amazon.com)
- Importing key material for AWS KMS keys – AWS Key Management Service (amazon.com)
- enable-key-rotation — AWS CLI 2.12.3 Command Reference (amazonaws.com)
- Key Rotation Enabled | Trend Micro
- Key policies in AWS KMS – AWS Key Management Service (amazon.com)
- KMS Key rotation | AWS re:Post (repost.aws)
- Manually rotate keys for customer managed KMS | AWS re:Post (repost.aws)
Amazon AWS Certified Security – Specialty certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Amazon AWS Certified Security – Specialty exam and earn Amazon AWS Certified Security – Specialty certification.