Exam AWS Certified Security - Specialty topic 1 question 101 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 101
Topic #: 1

A Security Engineer is implementing a solution to allow users to seamlessly encrypt Amazon S3 objects without having to touch the keys directly. The solution must be highly scalable without requiring continual management. Additionally, the organization must be able to immediately delete the encryption keys.
Which solution meets these requirements?

  • A. Use AWS KMS with AWS managed keys and the ScheduleKeyDeletion API with a PendingWindowInDays set to 0 to remove the keys if necessary.
  • B. Use KMS with AWS imported key material and then use the DeleteImportedKeyMaterial API to remove the key material if necessary.
  • C. Use AWS CloudHSM to store the keys and then use the CloudHSM API or the PKCS11 library to delete the keys if necessary.
  • D. Use the Systems Manager Parameter Store to store the keys and then use the service API operations to delete the key if necessary.
Suggested Answer: B
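An added example, not from the exam page or from AWS, that models the two deletion paths the options contrast, in standard-library Python only: ScheduleKeyDeletion with its 7-30 day waiting period and customer-managed-only restriction (option A), and DeleteImportedKeyMaterial, which takes effect immediately and leaves the key in PendingImport (option B). The class, method and state names are assumptions chosen to mirror the KMS API and key states, and the envelope wrapping is a toy XOR rather than real KMS cryptography; it exists only to show that a data key already handed out keeps working after the key material is gone.

```python
import os
from hashlib import sha256

class KmsKey:
    def __init__(self, key_manager="CUSTOMER", origin="AWS_KMS"):
        self.key_manager, self.origin = key_manager, origin  # "AWS"/"CUSTOMER", "AWS_KMS"/"EXTERNAL"
        self.material = None if origin == "EXTERNAL" else os.urandom(32)
        self.state = "PendingImport" if origin == "EXTERNAL" else "Enabled"

    def import_key_material(self, material):
        if self.origin != "EXTERNAL":
            raise ValueError("key material can only be imported into an EXTERNAL key")
        self.material, self.state = material, "Enabled"

    def schedule_key_deletion(self, pending_window_in_days=30):
        # Option A's path: customer managed keys only, waiting period 7-30 days.
        if self.key_manager == "AWS":
            raise PermissionError("AWS managed keys cannot be scheduled for deletion")
        if not 7 <= pending_window_in_days <= 30:
            raise ValueError("PendingWindowInDays must be between 7 and 30")
        self.state = "PendingDeletion"  # unusable now, removed only after the window

    def delete_imported_key_material(self):
        # Option B's path: immediate, no waiting period; the key can be reimported later.
        if self.origin != "EXTERNAL":
            raise ValueError("only imported key material can be deleted")
        self.material, self.state = None, "PendingImport"

    def _wrap(self, data_key):
        # Toy envelope wrapping (XOR with a hash of the key material), not real AES.
        if self.state != "Enabled":
            raise RuntimeError("KMS key is " + self.state)
        kek = sha256(self.material).digest()
        return bytes(a ^ b for a, b in zip(data_key, kek))
    def generate_data_key(self):
        data_key = os.urandom(32)  # the plaintext copy S3 encrypts the object with
        return data_key, self._wrap(data_key)
    def decrypt_data_key(self, wrapped):
        return self._wrap(wrapped)  # XOR is its own inverse

def option_b_walkthrough():
    key = KmsKey(origin="EXTERNAL")
    key.import_key_material(os.urandom(32))
    plaintext_dk, wrapped_dk = key.generate_data_key()
    key.delete_imported_key_material()
    try:
        key.decrypt_data_key(wrapped_dk); unwrap_ok = True
    except RuntimeError:
        unwrap_ok = False
    # KMS stops unwrapping at once; a plaintext data key already cached is unaffected.
    return {"state": key.state, "unwrap_after_delete": unwrap_ok, "cached_dk_len": len(plaintext_dk)}
```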

Comments

duduga40
Highly Voted 3 years, 9 months ago
B, is right?
upvoted 18 times
sapien45
2 years, 11 months ago
How about doing some research and proving your points, rather than playing bingo? https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-delete-key-material.html You can delete the imported key material from a KMS key at any time. Also, when imported key material with an expiration date expires, AWS KMS deletes the key material. In either case, AWS KMS deletes the key material immediately, the key state of the KMS key changes to pending import, and the KMS key can't be used in any cryptographic operations.
upvoted 11 times
rhinozD
Highly Voted 3 years, 8 months ago
B should be the answer. How could C be the answer when the question says: "The solution must be highly scalable without requiring continual management." Even if you can use CloudHSM as a custom key store, you still have to manage it, right?
upvoted 5 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: B
Imported key material gives you the ability to expire the key the time you want. Correct answer is B.
upvoted 2 times
ITGURU51
2 years, 1 month ago
When using a CMK with imported key material, you can delete the imported key material immediately. This is different from deleting a CMK directly in several ways. When you perform the DeleteImportedKeyMaterial action, AWS KMS deletes the key material and the CMK key state changes to pending import. When the key material is deleted, the CMK is immediately unusable. There is no waiting period. To enable use of the CMK again, you must reimport the same key material. Deleting key material affects the CMK right away, but data encryption keys that are actively in use by AWS services are not immediately affected. Source: https://d0.awsstatic.com/whitepapers/aws-kms-best-practices.pdf
upvoted 1 times
dan80
2 years, 3 months ago
Selected Answer: B
You can only schedule the deletion of a customer managed key. You cannot delete AWS managed keys or AWS owned keys.
upvoted 3 times
exam67
2 years, 6 months ago
Should be "B", but how do you read "AWS imported key material" in the answer? AWS imports the key material? That does not sound correct.
upvoted 2 times
sapien45
2 years, 10 months ago
Selected Answer: B
Immediately deleting the KMS keys and immediately deleting the key material are two different things.
upvoted 2 times
Kaloda
2 years, 10 months ago
Key words: "extremely scalable, and self-managing". Imported key material is a manual process and not extremely scalable. https://aws.amazon.com/cloudhsm/features/ "C"
upvoted 3 times
ideoignus
3 years, 4 months ago
Selected Answer: B
It is B
upvoted 4 times
Radhaghosh
3 years, 5 months ago
Option B is correct.
Option A: invalid, wait time 7-30 days, no option to set 0.
Option B: valid option; deleting the imported key material will change the key status to pending.
Option C: possible but not user friendly/optimal (too much work).
Option D: this is not the purpose of Systems Manager Parameter Store.
upvoted 4 times
sam_live
3 years, 5 months ago
How about the phrase in the question, "without touching the keys directly"? If you use imported key material then someone has to generate keys manually and upload them into the CMK. The answer should be C.
upvoted 1 times
Radhaghosh
3 years, 5 months ago
Do you feel this is a scalable option? Does CloudHSM have an API? I know it has a Console and SDK.
upvoted 1 times
NSF2
3 years, 5 months ago
I am leaning towards B because of the following keywords: "The solution must be extremely scalable and self-managing"
upvoted 1 times
scuzzy2010
3 years, 8 months ago
Close between B and C, but I am leaning towards B because CloudHSM is not "highly scalable without requiring continual management". In fact, to scale, you have to buy and attach more HSM modules (https://docs.aws.amazon.com/cloudhsm/latest/userguide/add-remove-hsm.html).
upvoted 5 times
Ponzy
3 years, 8 months ago
Answer is C 100%. Please, for those who vote for B, kindly read this: https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteImportedKeyMaterial.html This is AWS itself. The command doesn't DELETE the key but only makes it unusable while in the PendingDeletion state. This explanation fails the question requirement of deleting immediately. Again, let's all compromise to go with CCCCCCCCCCCC
upvoted 2 times
EricR17
3 years, 8 months ago
This is incorrect. The link you referenced states that *if* the key is already in the PendingDeletion state, that the state of the key isn't changed. Deleting key material of an imported key is immediate: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-delete-key-material.html "When you import key material, you can specify an expiration date. When the key material expires, AWS KMS deletes the key material and the AWS KMS key becomes unusable. You can also delete key material on demand. Whether you wait for the key material to expire or you delete it manually, the effect is the same. AWS KMS deletes the key material, the KMS key's key state changes to pending import, and the KMS key is unusable. To use the KMS key again, you must reimport the same key material."
upvoted 3 times
sanjaym
3 years, 8 months ago
Tough fight between B and C. I'll go with C.
upvoted 4 times
Gustava6272
3 years, 8 months ago
It is B, C does not meet this requirement: "highly scalable without requiring continual management"
upvoted 2 times
Bharat7023
3 years, 8 months ago
The deleteKey command in key_mgmt_util deletes a key from the HSM. You can only delete one key at a time. Deleting one key in a key pair has no effect on the other key in the pair. Only the key owner can delete a key. Users who share the key can use it in cryptographic operations, but not delete it. Answer - C
upvoted 2 times
Daniel76
3 years, 8 months ago
I support C as the answer. One of the requirements in the question is that the key must be able to be deleted immediately. For B, although you can delete key material, for the CMK itself you can only schedule a key deletion.
upvoted 2 times
EA_Practice
3 years, 8 months ago
What does "key pair" have to do with S3 encryption?
upvoted 2 times
Larsson
3 years, 8 months ago
You say B, but the key material might be in more places and could be re-imported.
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)