Exam AWS Certified Security - Specialty topic 1 question 191 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 191
Topic #: 1

A company has a compliance requirement to rotate its encryption keys on an annual basis. A Security Engineer needs a process to rotate the KMS Customer Master Keys (CMKs) that were created using imported key material.
How can the Engineer perform the key rotation process MOST efficiently?

  • A. Create a new CMK, and redirect the existing Key Alias to the new CMK.
  • B. Select the option to auto-rotate the key.
  • C. Upload new key material into the existing CMK.
  • D. Create a new CMK, and change the application to point to the new CMK.
Suggested Answer: A

Comments

DayQuil
Highly Voted 3 years, 9 months ago
A. The wording is weird, but if you use key aliases then no changes should be needed on the application side. More accurate wording for option A should've been "delete the old alias and create a new one with the same name for the new CMK".
upvoted 16 times
sapien45
2 years, 10 months ago
Answer is correct, reasoning is wrong. You do not need to recreate aliases, that is the whole point of the question.
upvoted 1 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: A
A is the correct answer.
upvoted 1 times
Senthil_SPM
1 year, 9 months ago
Selected Answer: D
D. Because option A doesn't rotate the key material itself; it only changes the alias reference.
upvoted 1 times
BlissfulCheetah
2 years ago
A. B is not the answer because "You cannot automatically rotate asymmetric KMS keys, HMAC KMS keys, KMS keys with imported key material, or KMS keys in custom key stores. However, you can rotate them manually." https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
upvoted 1 times
samCarson
2 years ago
Selected Answer: A
Option A & D could be a valid solution but Option A (redirecting the existing Key Alias to the new CMK) is more efficient. Note that KMS keys with imported key material could only be rotated manually. Ref: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually
upvoted 1 times
ITGURU51
2 years, 2 months ago
If you need to rotate a CMK that uses external key material, you must create a new CMK and then point the alias to the new key.
upvoted 1 times
Kezuko
2 years, 2 months ago
Selected Answer: B
Wouldn't the answer be B since auto rotation is now available for KMS CMK? https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
upvoted 3 times
arpgaur
2 years, 5 months ago
A is not correct because it would not actually rotate the key, it would only redirect the existing Key Alias to the new CMK. This would not change the key material that is being used to encrypt the data and would not meet the compliance requirement to rotate the keys on an annual basis. The correct option would be D. Create a new CMK, and change the application to point to the new CMK. This would involve creating a new CMK and updating the application to use the new key for encryption. This process replaces the old key with the new key and ensures the key rotation requirement is met.
upvoted 1 times
ConJdeRumba
2 years, 5 months ago
Selected Answer: A
As someone said before, changing the application is not efficient.
upvoted 1 times
sakibmas
2 years, 6 months ago
Selected Answer: A
D - changing the application is not efficient.
upvoted 1 times
lotfi50
3 years ago
Selected Answer: A
A is a good answer.
upvoted 1 times
leu_alves_sch
3 years, 5 months ago
Why not C? Can't we just import a new key material? "When you import key material, you can optionally specify a time at which the key material expires. When the key material expires, AWS KMS deletes the key material and the KMS key becomes unusable. To use the KMS key again, you must reimport key material." https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html
upvoted 1 times
Sowmyarajaram
3 years, 2 months ago
You cannot import new Key material into same CMK. Only same key material can be imported again. By importing same key material into the CMK, you can extend the expiry date. But this will make the key essentially the same key, so no rotation happened. To rotate, we need to import key material into new CMK and point the alias to the new CMK.
upvoted 4 times
ccieman2016
3 years, 3 months ago
C is possible too, but it needs additional adjustments on the application side. The question says "optimize" the process; in this case, C is dropped. Only A remains.
upvoted 1 times
zdd
3 years, 6 months ago
A. No application operation is needed to use the new key.
upvoted 1 times
sanjaym
3 years, 8 months ago
"A" without doubt.
upvoted 4 times
Huy
3 years, 8 months ago
With imported key material A is the answer. https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-considerations
upvoted 3 times
cldy
3 years, 8 months ago
A. No application change needed with alias.
upvoted 4 times
JAWS1600
3 years, 8 months ago
A - It should have said "update" instead of "redirect". That is the official word from AWS. https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other