Question
A company decides to use AWS Key Management Service (AWS KMS) for data encryption operations. The company must create a KMS key and automate the rotation of the key. The company also needs the ability to deactivate the key and schedule the key for deletion. Which solution will meet these requirements?
A. Create an asymmetric customer managed KMS key. Enable automatic key rotation.
B. Create a symmetric customer managed KMS key. Disable the envelope encryption option.
C. Create a symmetric customer managed KMS key. Enable automatic key rotation.
D. Create an asymmetric customer managed KMS key. Disable the envelope encryption option.
Answer
C. Create a symmetric customer managed KMS key. Enable automatic key rotation.
Explanation
The correct answer is C. Create a symmetric customer managed KMS key. Enable automatic key rotation.
Here is a detailed explanation:
A symmetric customer managed KMS key is a key that uses the same secret key for encryption and decryption operations, and that is created and managed by the customer.
Enabling automatic key rotation means that AWS KMS generates new cryptographic material for the KMS key every year and retains all previous versions of the key material, so that data encrypted under older material can still be decrypted.
Disabling the envelope encryption option would mean that the data is encrypted with the KMS key directly rather than with a data key that the KMS key protects. Whether envelope encryption is used has no effect on the rotation of the KMS key itself, so this option is not relevant to the question.
An asymmetric customer managed KMS key is a key that uses a public and private key pair for encryption and decryption operations, and that is created and managed by the customer. AWS KMS does not support automatic key rotation for asymmetric keys, so this option is not valid.
Therefore, option C is the only one that meets all the requirements of the question. Options A and D are incorrect because they use asymmetric keys, which do not support automatic key rotation. Option B is incorrect because it does not enable automatic key rotation, which is one of the requirements.
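The key from option C expressed as a CloudFormation resource, added here as an example (not from the question's source or from AWS documentation): a symmetric customer managed key with automatic rotation enabled, plus the properties that control deactivation and the deletion waiting period. The logical ID, description and key policy are assumed for illustration.

```yaml
# Added example for this page, not the page's or AWS's own template.
# Property names are the real AWS::KMS::Key properties; values are illustrative.
AWSTemplateFormatVersion: "2010-09-09"
Description: Symmetric customer managed KMS key with automatic rotation (option C)

Resources:
  DataEncryptionKey:
    Type: AWS::KMS::Key
    # Removing the resource (or deleting the stack) schedules the key for
    # deletion; KMS waits PendingWindowInDays before destroying the key
    # material, and the deletion can be cancelled during that window.
    DeletionPolicy: Delete
    Properties:
      Description: Symmetric key for data encryption with yearly rotation
      KeySpec: SYMMETRIC_DEFAULT        # symmetric, not an RSA_* or ECC_* spec (options A and D)
      KeyUsage: ENCRYPT_DECRYPT
      EnableKeyRotation: true           # the requirement that options B and D miss
      Enabled: true                     # set to false to deactivate the key
      PendingWindowInDays: 30           # waiting period once deletion is scheduled
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action: "kms:*"
            Resource: "*"
```

For a key managed outside CloudFormation, the same deactivation and deletion steps are the `aws kms disable-key --key-id <key-id>` and `aws kms schedule-key-deletion --key-id <key-id> --pending-window-in-days 7` CLI commands, with `<key-id>` as a placeholder for the key's ID or ARN.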
Amazon AWS Certified Security – Specialty certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Amazon AWS Certified Security – Specialty exam and earn Amazon AWS Certified Security – Specialty certification.