ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty SCS-C02 All Questions

View all questions & answers for the AWS Certified Security - Specialty SCS-C02 exam
Go to Exam

Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 205 discussion

Exam question from Amazon's AWS Certified Security - Specialty SCS-C02
Question #: 205
Topic #: 1
[All AWS Certified Security - Specialty SCS-C02 Questions]

A company has an AWS Key Management Service (AWS KMS) customer managed key with imported key material. Company policy requires all encryption keys to be rotated every year.

What should a security engineer do to meet this requirement for this customer managed key?

  • A. Enable automatic key rotation annually for the existing customer managed key.
  • B. Use the AWS CLI to create an AWS Lambda function to rotate the existing customer managed key annually.
  • C. Import new key material to the existing customer managed key. Manually rotate the key.
  • D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by mikelord at Oct. 4, 2024, 1:34 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
m_ch333
7 months, 2 weeks ago
Selected Answer: D
D. - you cannot enable automatic key rotation for a KMS key with imported key material - You can reimport the same key material, but you cannot import different key material into that KMS key https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-considerations.html
upvoted 2 times
...
IPLogic
8 months, 2 weeks ago
Selected Answer: D
The correct approach to meet the requirement of rotating the encryption key annually for a customer managed key with imported key material is: D. Create a new customer managed key. Import new key material to the new key. Point the key alias to the new key. Automatic key rotation is not supported for keys with imported key material. Therefore, you need to manually manage the rotation by creating a new key and updating the alias to point to the new key each year.
upvoted 2 times
IPLogic
8 months, 2 weeks ago
Option C (Import new key material to the existing customer managed key. Manually rotate the key) is not suitable because AWS KMS does not support re-importing key material into an existing key. Once key material is imported into a KMS key, it cannot be changed or re-imported. Therefore, the correct approach is to create a new customer managed key, import the new key material into this new key, and then update the key alias to point to the new key (Option D).
upvoted 1 times
...
...
723993f
8 months, 3 weeks ago
Selected Answer: C
c is the answer, d is unnecessary work kms cmk = metadata (id, other field) + imported material (crypto) thus kms cmk can continue to be as is with the same id, and we can import new material to it why not d - there is no mention of an alias being used, and no its not obvious, one must mention that an alias was created and being used by apps for D to be a viable solution
upvoted 1 times
molerowan
5 months, 1 week ago
Imported key material cannot be replaced in the same KMS key https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-considerations.html
upvoted 1 times
...
...
dhewa
10 months ago
Selected Answer: D
To comply with the policy of rotating encryption keys annually, the recommended approach is to create a new customer managed key, import new key material to this new key, and then update the key alias to point to the new key. This ensures that the key rotation is handled correctly and securely.
upvoted 2 times
...
imymoco
10 months ago
Why not C? I think C is correct. D is viable, but it hasmore operational overhead
upvoted 1 times
...
gkaself
10 months, 1 week ago
Selected Answer: D
Correct answer is D
upvoted 3 times
...
mikelord
10 months, 3 weeks ago
Selected Answer: D
Option D make more sense
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel