Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 114 discussion

Should be D

D is correct. Yes. You can choose to have AWS KMS automatically rotate CMKs every year, provided that those keys were generated within AWS KMS HSMs. Automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster using the AWS KMS custom key store feature. If you choose to import keys to AWS KMS or asymmetric keys or use a custom key store, you can manually rotate them by creating a new CMK and mapping an existing key alias from the old CMK to the new CMK. https://aws.amazon.com/kms/faqs/#:~:text=Yes.,KMS%20custom%20key%20store%20feature.

D - Correct. KMS generates and manages encryption keys. B - Incorrect. Secret Manager is used to store credentials / passwords, etc (can use KMS to encrypt the credentials). https://aws.amazon.com/secrets-manager/ https://docs.aws.amazon.com/kms/latest/developerguide/overview.html https://acloudguru.com/forums/aws-certified-cloud-practitioner/key-management-service-kms-vs-secrets-manager

B Where should critical material be housed means stored. So AWS Secrets Manager

B Where should critical material be housed means stored, so AWS Secrets Manager

B I think the question is about Where should critical material be housed not the features of Key services.

Answer is B. AWS Secrets Manager enables you to easily rotate...

AWS Secrets Manager • Newer service, meant for storing secrets • Capability to force rotation of secrets every X days • Automate generation of secrets on rotation (uses Lambda) • Integration with Amazon RDS (MySQL, PostgreSQL, Aurora) • Secrets are encrypted using KMS

Secrets Manager stores the encrypted data key with the protected secret data. Whenever the secret needs decryption, Secrets Manager requests AWS KMS to decrypt the data key, which Secrets Manager then uses to decrypt the protected secret data.

Should be B: Secrets Manager Secrets Manager is used to store secrets including credentials and keys (Other types of secrets) https://miro.medium.com/max/2400/1*iHF6qkdIwmr4mGKHb4HHCg.png

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. https://aws.amazon.com/secrets-manager/ B

100% is D A and C are wrong for sure B is for API keys as per link https://aws.amazon.com/secrets-manager/

KMS is needed for cloudhsm D for sure

Ans = D KMS permits key rotation

DDDDDDDDDDDDDDDDDDDDD

B right

Apologies for the wrong post above, I meant to say following statement on the below link compelled me to go for ANSWER B https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html Secrets Manager integrates with AWS Key Management Service (AWS KMS) to encrypt every version of every secret with a unique data key that is protected by an AWS KMS customer master key (CMK).