Exam AWS Certified Security - Specialty topic 1 question 184 discussion

C. The original wrapping key and import token expires after 24 hours. The question doesn't give us a timeframe, so we should assume that generating a new wrapping key and import token is the safer option. Then reimport the original key material and you will be good to go.

C. Correct.

C is the correct answer. For the existing KMS key, as long as the original "PLAINTEXT" key material is available, you can download a new wrapping key and a new import token, and import the original key material into the existing KMS key.

Download a new wrapping key and a new import token. Import the original key material into the existing CMK. Explanation: Download a New Wrapping Key and Import Token: Request a new wrapping key and a new import token from AWS Key Management Service (KMS). These are needed to securely import the key material. Import the Original Key Material into the Existing CMK: Use the newly obtained wrapping key and import token to import the original key material back into the existing CMK. Why Option C is Correct: This option allows the Security Engineer to obtain fresh components (wrapping key and import token) for the import process. Importing the original key material into the existing CMK ensures that the restored key material has the same key ID and other properties as the original material.

The link already pinned below.

You must download a new public key and import token for each import operation. You can use the same or a different wrapping algorithm for each import operation on a KMS key.

https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material

Each time you import key material to a KMS key, you need to download and use a new wrapping key and import token for the KMS key. The wrapping procedure does not affect the content of the key material, so you can use different wrapping keys (and different import tokens) to import the same key material. https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material

C : https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material .. New wrapping key and import token on the existing CMK

When you manually delete imported key material, AWS KMS deletes the key material but does not delete the KMS key or its metadata. No need to create another key here. C should be the answer.

C is the answer. "Each time you import key material to a KMS key, you need to download and use a new wrapping key and import token for the KMS key" Reference: From 'How to reimport key material' section in this link: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material

C for full house

C is correct here Each time you import key material to a CMK, you need to download and use a new wrapping key and import token for the CMK. The wrapping procedure does not affect the content of the key material, so you can use different wrapping keys (and different import tokens) to import the same key material.

https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-recover-backing-key