
Exam AWS Certified Security - Specialty topic 1 question 468 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 468
Topic #: 1

A company has an AWS Key Management Service (AWS KMS) customer managed key with imported key material. Company policy requires all encryption keys to be rotated every year.

What should a security engineer do to meet this requirement for this customer managed key?

  • A. Enable automatic key rotation annually for the existing customer managed key.
  • B. Use the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually.
  • C. Import new key material to the existing customer managed key. Manually rotate the key.
  • D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.
Suggested Answer: D

Comments

6_8ftwin
2 years, 1 month ago
D. You cannot import different key material into a KMS key. https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
upvoted 2 times
cloudenthusiast
2 years, 1 month ago
Selected Answer: D
Since the company policy requires all encryption keys to be rotated every year, the security engineer should create a new customer managed key, import new key material to the new key, and then update the key alias to point to the new key. This approach ensures that the key is effectively rotated and aligns with the policy requirement. By creating a new key and importing new key material, the security engineer maintains compliance with the policy while also ensuring a seamless transition for the systems that rely on the key.
upvoted 3 times
sunny1417
2 years, 1 month ago
Selected Answer: D
D is correct. Refer to Question 12, it's similar.
upvoted 4 times
Shely
2 years, 1 month ago
Selected Answer: C
You might decide to create a new KMS key and use it in place of the original KMS key. This has the same effect as rotating the key material in an existing KMS key, so it's often thought of as manually rotating the key. Manual rotation is a good choice when you want to control the key rotation schedule. It also provides a way to rotate KMS keys that are not eligible for automatic key rotation, including asymmetric KMS keys, HMAC KMS keys, KMS keys in custom key stores, and KMS keys with imported key material. https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
upvoted 1 times
francinetanzx
2 years ago
When you import key material into a KMS key, the KMS key is permanently associated with that key material. You can reimport the same key material, but you cannot import different key material into that KMS key. You cannot rotate the key material and AWS KMS cannot create key material for a KMS key with imported key material. https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-managing.html
upvoted 2 times
workatpace
2 years, 1 month ago
answer is A
upvoted 3 times
Tofu13
2 years ago
A is not possible: "You might prefer to rotate keys manually so you can control the rotation frequency. It's also a good solution for KMS keys that are not eligible for automatic key rotation, such as asymmetric KMS keys, HMAC KMS keys, KMS keys in custom key stores, and KMS keys with imported key material." https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
upvoted 2 times
Tofu13
2 years ago
Basically you have to remember:
  • Customer managed key with imported key material: automatic rotation not possible
  • Customer managed key without imported key material: automatic rotation possible (once a year)
  • AWS managed key: automatic rotation mandatory (once a year)
  • AWS owned key: mind your own business
upvoted 4 times
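The two points made in this thread, the eligibility rule in Tofu13's summary and the create-a-new-key-and-move-the-alias procedure that cloudenthusiast describes, as an added example that is not code from the forum or from AWS. It assumes the boto3 KMS client method names (`list_keys`, `describe_key`, `create_key`, `get_parameters_for_import`, `import_key_material`, `update_alias`); the `kms` argument is any object providing them, and `wrap_material` is an assumed caller-supplied function that wraps the fresh key material with the public key KMS hands out.

```python
"""Manual rotation of a KMS key with imported key material (added example,
not AWS's or the forum's code). Automatic rotation is unavailable for keys
whose Origin is EXTERNAL, so rotating one means: create a fresh key, import
fresh material into it, then repoint the alias. `kms` is any object with the
boto3 KMS client methods used here, so the logic also runs offline with a stub."""
from datetime import datetime, timedelta, timezone

ROTATION_PERIOD = timedelta(days=365)  # company policy: rotate every year


def imported_keys_due_for_rotation(kms, now=None):
    """Key IDs of enabled customer managed keys with imported (EXTERNAL)
    material older than ROTATION_PERIOD. Imported material can never be
    replaced, so the key's CreationDate bounds its last rotation."""
    now = now or datetime.now(timezone.utc)
    due, kwargs = [], {}
    while True:  # list_keys pages with Truncated/NextMarker
        page = kms.list_keys(**kwargs)
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            if (meta["KeyManager"] == "CUSTOMER" and meta["Origin"] == "EXTERNAL"
                    and meta["KeyState"] == "Enabled"
                    and now - meta["CreationDate"] > ROTATION_PERIOD):
                due.append(meta["KeyId"])
        if not page.get("Truncated"):
            return due
        kwargs = {"Marker": page["NextMarker"]}


def rotate_imported_key(kms, alias_name, wrap_material):
    """Option D from the question: new key, new material, alias moved.
    wrap_material(public_key_bytes) -> bytes (assumed, caller-supplied) must
    RSAES-OAEP-SHA256-wrap the fresh material with the KMS-supplied public
    key, normally off the box in an HSM. Returns the new key ID. The old key
    is left enabled so ciphertexts produced under it can still be decrypted."""
    new_id = kms.create_key(Origin="EXTERNAL", KeySpec="SYMMETRIC_DEFAULT",
                            Description=f"manual rotation of {alias_name}"
                            )["KeyMetadata"]["KeyId"]
    params = kms.get_parameters_for_import(
        KeyId=new_id, WrappingAlgorithm="RSAES_OAEP_SHA_256", WrappingKeySpec="RSA_2048")
    kms.import_key_material(
        KeyId=new_id, ImportToken=params["ImportToken"],
        EncryptedKeyMaterial=wrap_material(params["PublicKey"]),
        ExpirationModel="KEY_MATERIAL_DOES_NOT_EXPIRE")
    # UpdateAlias, not CreateAlias: the alias already exists and callers keep
    # using alias/... unchanged, so the swap is transparent to them.
    kms.update_alias(AliasName=alias_name, TargetKeyId=new_id)
    return new_id
```

Run `imported_keys_due_for_rotation` on a schedule to catch keys the policy would otherwise miss, since no automatic rotation status exists for them; after a rotation, disable or schedule deletion of the old key only once nothing still needs to decrypt under it.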
Community vote distribution: A (35%), C (25%), B (20%), Other