An organization must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations. Which of the following actions will address this requirement?
A. Manually rotate a key within KMS to create a new CMK immediately.
B. Use the KMS import key functionality to execute a delete key operation.
C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion.
D. Change the KMS CMK alias to immediately prevent any services from using the CMK.
I believe B is the answer as well.
From:
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
"When you use imported key material, you remain responsible for the key material while allowing AWS KMS to use a copy of it. You might choose to do this for one or more of the following reasons:
- To set an expiration time for the key material in AWS and to manually delete it, but to also make it available again in the future. In contrast, scheduling key deletion requires a waiting period of 7 to 30 days, after which you cannot recover the deleted CMK."
This would be the only way to "delete" a key earlier than 7 days.
Need to observe that it says 24 hours, which means C. For option B you can set your own time, but it explicitly says 24 hours, which means option C is right.
I am sorry, not C. B is right. It says "However, the actual waiting period might be up to 24 hours longer than the one you scheduled." for C, which means you cannot delete the key within 24 hours.
The answer is B.
Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the KMS keys, and scheduling the KMS keys for deletion.
The most valid answer is C.
As mentioned in the AWS documentation below:
Along with disabling the KMS key and withdrawing permissions, deleting key material can be used as a strategy to quickly, but temporarily, halt the use of the KMS key. In contrast, scheduling the deletion of a KMS key with imported key material also quickly halts the use of the KMS key. However, if the deletion is not canceled during the waiting period, the KMS key, the key material, and all key metadata are permanently deleted. For details, see Deleting a KMS key with imported key material.
For further information, browse this link:
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-managing.html#importing-keys-delete-key-material
B. Use the KMS import key functionality to execute a delete key operation.
When you use a KMS CMK with imported key material, you are in total control of deleting the key material. The KMS CMK cannot be used for encryption/decryption once its imported key material is deleted.
B
You can delete imported key material from a KMS key, immediately rendering the KMS key unusable.
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
Option A and option B will make the key unavailable right away, and the question asks to wait a 24-hour period. Option C is the one that best addresses the requirement.
A - wrong, agree with other comments
D - wrong, agree with other comments
B - wrong - you cannot delete a key from the import key functionality. Symmetric doesn't support import key.
C - Correct - Although the key will be deleted in 7-30 days, it immediately stops encrypt/decrypt operations. As the CMK is a symmetric key, it immediately affects all encrypt/decrypt operations.
B is the better answer
Being able to be deleted/removed (key material) at any time (within 24 hours) is part of the functionality provided by the import key only. The KMS key is not deleted yet. Its deletion still requires scheduling; however, only the one who has the original key material is able to re-enable it by reimporting the same key material. (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-delete-key-material.html) -- well, the asymmetric key doesn't support import key.
Answer C satisfies the first half of the requirement, but it does not satisfy the second half.
Not able to decide between B and C
B: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-delete-key-material.html
C: https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html
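As an added example (not from this thread or from AWS), a small Python helper that encodes the two paths the comments debate: it takes a DescribeKey-shaped metadata dict (constructed here, not fetched from AWS) and returns which KMS API call applies, the resulting key state, how the action can be reversed, and the 7-to-30-day deletion window with its documented 24-hour slack.

```python
from datetime import datetime, timedelta, timezone

# ScheduleKeyDeletion accepts PendingWindowInDays of 7 to 30 (AWS KMS limit).
MIN_WINDOW_DAYS, MAX_WINDOW_DAYS = 7, 30
# AWS notes the actual wait can run up to 24 hours past the scheduled window.
DELETION_SLACK = timedelta(hours=24)


def plan_key_retirement(key_metadata, pending_window_days=MIN_WINDOW_DAYS, now=None):
    """Pick the fastest supported way to stop a KMS key from encrypting/decrypting.

    key_metadata is a dict shaped like DescribeKey's KeyMetadata (constructed by
    the caller; nothing is fetched from AWS). Both returned actions make KMS refuse
    cryptographic operations at once; they differ in recoverability and in when
    the key object itself is finally destroyed.
    """
    now = now or datetime.now(timezone.utc)
    origin, state = key_metadata.get("Origin"), key_metadata.get("KeyState")
    if state == "PendingDeletion":
        raise ValueError("already scheduled for deletion; CancelKeyDeletion first")
    if origin == "EXTERNAL" and state in ("Enabled", "Disabled"):
        # Imported material can be removed immediately: the key drops to
        # PendingImport and only whoever holds the original material can restore it.
        return {
            "api": "DeleteImportedKeyMaterial",
            "params": {"KeyId": key_metadata["KeyId"]},
            "resulting_state": "PendingImport",
            "recoverable_by": "ImportKeyMaterial",   # re-import the same material
            "destroyed_between": None,               # the key object is kept
        }
    if origin in ("AWS_KMS", "EXTERNAL"):
        if not MIN_WINDOW_DAYS <= pending_window_days <= MAX_WINDOW_DAYS:
            raise ValueError(f"PendingWindowInDays must be {MIN_WINDOW_DAYS}-{MAX_WINDOW_DAYS}")
        earliest = now + timedelta(days=pending_window_days)
        return {
            "api": "ScheduleKeyDeletion",
            "params": {"KeyId": key_metadata["KeyId"],
                       "PendingWindowInDays": pending_window_days},
            "resulting_state": "PendingDeletion",
            "recoverable_by": "CancelKeyDeletion",   # only during the waiting period
            "destroyed_between": (earliest, earliest + DELETION_SLACK),
        }
    raise ValueError(f"origin {origin!r} not covered by this example")


if __name__ == "__main__":
    # Constructed sample metadata; the key ids are placeholders, not real keys.
    native = {"KeyId": "placeholder-native-key", "Origin": "AWS_KMS", "KeyState": "Enabled"}
    imported = {"KeyId": "placeholder-imported-key", "Origin": "EXTERNAL", "KeyState": "Enabled"}
    for meta in (native, imported):
        print(meta["Origin"], "->", plan_key_retirement(meta)["api"])
```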