A company has a customer master key (CMK) with imported key material. Company policy requires that all encryption keys be rotated every year. What can be done to implement the above policy?
A. Enable automatic key rotation annually for the CMK.
B. Use the AWS Command Line Interface to create an AWS Lambda function to rotate the existing CMK annually.
C. Import new key material to the existing CMK and manually rotate the CMK.
D. Create a new CMK, import new key material to it, and point the key alias to the new CMK.
One key per CMK
When you import key material into a CMK, the CMK is permanently associated with that key material. You can reimport the same key material, but you cannot import different key material into that CMK. Also, you cannot enable automatic key rotation for a CMK with imported key material. However, you can manually rotate a CMK with imported key material.
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
WRONG! "You must reimport the same key material that was originally imported into the CMK. You cannot import different key material into a CMK. "
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material
D is correct. "You might prefer to rotate keys manually so you can control the rotation frequency. It's also a good solution for CMKs that are not eligible for automatic key rotation, such as asymmetric CMKs, CMKs in custom key stores and CMKs with imported key material.
Because the new CMK is a different resource from the current CMK, it has a different key ID and ARN. When you change CMKs, you need to update references to the CMK ID or ARN in your applications. Aliases, which associate a friendly name with a CMK, make this process easier. Use an alias to refer to a CMK in your applications. Then, when you want to change the CMK that the application uses, change the target CMK of the alias.
To update the target CMK of an alias, use the UpdateAlias operation in the AWS KMS API." - https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
Same question at:
https://www.examtopics.com/discussions/amazon/view/4038-exam-aws-certified-security-specialty-topic-1-question-12/
...
and the answer over there was D as well.
"You cannot import different key material into the KMS key..."
So C is out.
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html
As of 2023, the answers for this question are outdated.
Both A and D would be valid answers.
A reasoning: AWS rotates KMS keys every year (365 days) https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
D: Rotating the key yourself is always an option, which can be done at any frequency that matches your organization's needs. For instance, a key can be rotated every week, every month, every year, and so forth.
You might prefer to rotate keys manually so you can control the rotation frequency. It's also a good solution for KMS keys that are not eligible for automatic key rotation, such as asymmetric KMS keys, HMAC KMS keys in custom key stores and KMS keys with imported key material.
Because the new KMS key is a different resource from the current KMS key, it has a different key ID and ARN. When you change KMS keys, you need to update references to the KMS key ID or ARN in your applications. Aliases, which associate a friendly name with a KMS key, make this process easier. Use an alias to refer to a KMS key in your applications. Then, when you want to change the KMS key that the application uses, change the target KMS key of the alias. For details, see Using aliases in your applications.
D is the correct answer.
For me the catch is that the question says imported key material, which means you can't enable automatic rotation.
That makes A incorrect.
B is not correct, and neither is C, as you can't import the same key material, so the answer is
D.
“you cannot enable automatic key rotation for a KMS key with imported key material. However, you can manually rotate a KMS key with imported key material”
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
D
When you enable automatic key rotation for a customer managed CMK, AWS KMS generates new key material for the CMK every year. AWS KMS also saves the CMK's older key material in perpetuity so it can be used to decrypt data that it encrypted. AWS KMS does not delete any rotated key material until you delete the CMK.
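The manual rotation that the D answers above describe (new EXTERNAL-origin key, GetParametersForImport, ImportKeyMaterial, then UpdateAlias so applications follow the alias), together with a check for the yearly policy in the question, as an added example that is not part of the page or of any commenter's post. It calls the boto3 KMS client method names; `kms` can be any object with those methods, `alias/app-data-key` is an illustrative alias, and the RSA-OAEP/SHA-256 wrapping is delegated to the openssl CLI because the Python standard library has none. boto3 is imported only for the live run at the bottom.

```python
"""Manual rotation of a KMS key with imported (EXTERNAL-origin) key material.

`kms` is any object exposing the boto3 KMS client methods called here
(create_key, get_parameters_for_import, import_key_material, list_aliases,
create_alias, update_alias, list_keys, describe_key, get_key_rotation_status).
Standard library only; boto3 is imported just for the live run.
"""
import datetime as dt
import subprocess
import tempfile
from typing import Callable, Dict, List, Optional


def _paginate(call, key: str, **kwargs) -> List[dict]:
    """Collect `key` across a Marker/NextMarker-paginated KMS list call."""
    items: List[dict] = []
    marker = None
    while True:
        resp = call(**kwargs, Marker=marker) if marker else call(**kwargs)
        items.extend(resp.get(key, []))
        if not resp.get("Truncated"):
            return items
        marker = resp["NextMarker"]


def alias_target(kms, alias_name: str) -> Optional[str]:
    """Key ID the alias points at, or None if the alias does not exist."""
    for alias in _paginate(kms.list_aliases, "Aliases"):
        if alias["AliasName"] == alias_name:
            return alias.get("TargetKeyId")
    return None


def openssl_wrap(public_key_der: bytes, plaintext: bytes) -> bytes:
    """RSAES_OAEP_SHA_256 wrap via the openssl CLI (the command the KMS import docs use)."""
    with tempfile.NamedTemporaryFile(suffix=".der") as pub:
        pub.write(public_key_der)
        pub.flush()
        cmd = ["openssl", "pkeyutl", "-encrypt", "-pubin", "-keyform", "DER",
               "-inkey", pub.name, "-pkeyopt", "rsa_padding_mode:oaep",
               "-pkeyopt", "rsa_oaep_md:sha256", "-pkeyopt", "rsa_mgf1_md:sha256"]
        return subprocess.run(cmd, input=plaintext, check=True,
                              capture_output=True).stdout


def rotate_imported_key(kms, alias_name: str, new_key_material: bytes,
                        wrap: Callable[[bytes, bytes], bytes] = openssl_wrap
                        ) -> Dict[str, Optional[str]]:
    """Create a new EXTERNAL key, import fresh material, repoint the alias.

    The old key stays enabled: ciphertexts record the key that produced them,
    so Decrypt keeps working; only new Encrypt calls through the alias move.
    """
    if len(new_key_material) != 32:
        raise ValueError("SYMMETRIC_DEFAULT keys take exactly 256 bits of key material")
    old_key_id = alias_target(kms, alias_name)

    created = kms.create_key(Origin="EXTERNAL", KeySpec="SYMMETRIC_DEFAULT",
                             KeyUsage="ENCRYPT_DECRYPT",
                             Description=f"manual rotation of {alias_name}")
    new_key_id = created["KeyMetadata"]["KeyId"]

    # Wrapping public key and import token are issued together and expire in 24h.
    params = kms.get_parameters_for_import(KeyId=new_key_id,
                                           WrappingAlgorithm="RSAES_OAEP_SHA_256",
                                           WrappingKeySpec="RSA_2048")
    kms.import_key_material(KeyId=new_key_id, ImportToken=params["ImportToken"],
                            EncryptedKeyMaterial=wrap(params["PublicKey"], new_key_material),
                            ExpirationModel="KEY_MATERIAL_DOES_NOT_EXPIRE")

    if old_key_id is None:
        kms.create_alias(AliasName=alias_name, TargetKeyId=new_key_id)
    else:
        kms.update_alias(AliasName=alias_name, TargetKeyId=new_key_id)
    return {"old_key_id": old_key_id, "new_key_id": new_key_id}


def keys_needing_rotation(kms, now: dt.datetime, max_age_days: int = 365) -> List[str]:
    """Yearly-rotation policy check over enabled customer-managed keys.

    Imported material cannot change on a key, so key age is material age;
    KMS-generated keys instead must have automatic rotation switched on.
    """
    stale: List[str] = []
    for entry in _paginate(kms.list_keys, "Keys"):
        md = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
        if md["KeyManager"] != "CUSTOMER" or md["KeyState"] != "Enabled":
            continue
        if md["Origin"] == "EXTERNAL":
            if (now - md["CreationDate"]).days > max_age_days:
                stale.append(md["KeyId"])
        elif md["Origin"] == "AWS_KMS":
            status = kms.get_key_rotation_status(KeyId=md["KeyId"])
            if not status["KeyRotationEnabled"]:
                stale.append(md["KeyId"])
    return stale


if __name__ == "__main__":
    import os
    import boto3  # assumption: boto3 and AWS credentials available for a live run
    client = boto3.client("kms")
    # alias name is illustrative; real key material comes from your own source
    print(rotate_imported_key(client, "alias/app-data-key", os.urandom(32)))
    print(keys_needing_rotation(client, dt.datetime.now(dt.timezone.utc)))
```

Run it twice a year apart and the alias moves from the first key to the second while the first stays enabled for decryption; schedule the old key's deletion only once no ciphertext under it remains. The policy check treats an EXTERNAL-origin key older than 365 days as overdue, since re-importing material into that key cannot satisfy the policy.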