Exam AWS Certified Security - Specialty topic 1 question 241 discussion

B. Only feasible one ...

Answer- B. This require a new CMK as if it is a manual key rotation. For decryption of old key, AWS KMS can automatically identify which key to use as long as the old key is not disabled. "When you begin using the new CMK, be sure to keep the original CMK enabled so that AWS KMS can decrypt data that the original CMK encrypted. When decrypting data, KMS identifies the CMK that was used to encrypt the data, and it uses the same CMK to decrypt the data. As long as you keep both the original and new CMKs enabled, AWS KMS can decrypt any data that was encrypted by either CMK." https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually A, C - AWS Managed KMS cannot enable annual key rotation. D - Key grant is not used for referencing to old key. https://docs.aws.amazon.com/kms/latest/developerguide/grants.html

I believe that B is correct.

This is a wrong question. 2 options out of 4 about "creating new AWS managed key" and enable key rotation, knowing that we cannot managed any aspect of AWS managed keys, including their lifecycle. https://docs.aws.amazon.com/kms/latest/cryptographic-details/basic-concepts.html The other 2 options includes "update the application" which clearly contradicts with the requirements in the question of "not making changes to the application". Initially, I picked C because using key alias means no changes to the application during key rotations. Then noticed it is "AWS MANAGED" key, which we cannot control its lifecycle. Botched question. Lots of discussions for a very bad question. Not worth it.

C is the correct answer. The benefit of KMS key alias, and what changes at annual key rotation (only key material).

if you watch the YT video at specified time[8:00], you can see that option for 'Key Rotation' is greyed out. so you can NOT modify the existing one to change it's time, hence C. https://youtu.be/GXOhDJ9jmjU?feature=shared&t=480

You cannot just create a bunch of AWS managed keys. AWS managed keys are created by AWS services that need them. For example, S3 would create an AWS managed key for S3 usage, same goes for other services like SNS, SQS, DynamoDb etc. In this case u got to go with the customer managed keys.

C my choice...

No app changes, keys can now be rotated yearly.

There is something I don't understand, in all the answers you have to modify the application since if you create a new CMK key with a new alias, you have to modify the code. In answer B it says "Update the application's encryption library to use a new key ID for all encryption operations" which already implies a modification to the application, since one of the keys in the question is that: "be enabled for the key without making changes to the application". You have to modify the configuration so that the library uses in the new keyid, but you also have to modify the application so that if the data was encrypted with the old key, it can decrypt it. In answer C the application is not modified because it would only be changing the configuration to be used in the new alias, but the old data could not be decrypted. I think none of them is 100% correct Translated with www.DeepL.com/Translator (free version)

C. AWS managed key rotate annually https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html

It is AWS KMS not AWS KMS CMK

https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKeyRotation.html You cannot enable or disable automatic rotation for AWS managed KMS keys.

B. Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Fall back to the old key ID to decrypt data that was encrypted with previous versions of the key. By enabling automatic annual key rotation for the existing customer managed CMKs, the security engineer ensures that the encryption keys are rotated annually. They should then update the application encryption library to use a new key ID for all encryption operations going forward. However, to ensure compatibility with previously encrypted data, the application should also have the ability to fall back to the old key ID for decrypting data that was encrypted with previous versions of the key.

The correct answer is: B. Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Fall back to the old key ID to decrypt data that was encrypted with previous versions of the key. This is the correct answer because it meets all the requirements. AWS KMS supports automatic key rotation for customer-managed CMKs. When you enable automatic key rotation for a CMK, AWS KMS generates new cryptographic material for the CMK every year. The old cryptographic material remains available to decrypt data that it was used to encrypt. Furthermore, your application does not need to be changed to use the new cryptographic material because the CMK's key ID or alias does not change.

option B: Enable automatic annual key rotation for the existing customer managed CMKs. Update the application encryption library to use a new key ID for all encryption operations. Fall back to the old key ID to decrypt data that was encrypted with previous versions of the key.

Option B is the correct approach to enable annual global key rotation for the key without making changes to the application. Option A is incorrect because creating new AWS managed keys and aliases will require changes to the application, which is not acceptable as per the requirements mentioned in the question. Option C is also incorrect because creating new AWS managed CMKs and aliases will require changes to the application, which is not acceptable as per the requirements mentioned in the question. Option D is incorrect because creating key grants and updating the code to point to the ARN of the grants will also require changes to the application, which is not acceptable as per the requirements mentioned in the question. Therefore, Option B is the best approach to enable annual global key rotation for the existing customer-managed CMKs, without making changes to the application. This option enables automatic key rotation for the existing CMKs, updates the application encryption library to use a new key ID for all encryption operations, and falls back to the old key ID to decrypt data that was encrypted with previous versions of the key.