Exam AWS Certified Security - Specialty topic 1 question 256 discussion

A. Customer key stores -> to delete the Keys immediately. Only customer managed CMKs can be stored and managed in an AWS KMS custom key store.

C. From https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html : AWS KMS does not support the following features in custom key stores. Asymmetric KMS keys Asymmetric data key pairs => Importing key material into KMS keys Automatic key rotation Multi-Region keys

Correct answer is C. Use KMS DEFAULT KEY STORE, set a KMS key, and import the key material into it.

C is correct we need the default store A is wrong because the question states it wants AWS KMS to manage the keys https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html

import the company's own key material --> default key store set an expiration date on the keys, and delete keys immediately, if needed. --> customer managed CMK I go for C

Configure AWS KMS and use a custom key store. Create a customer managed CMK with no key material. Import the company's keys and key material into the CMK.

Option **A** is the best choice for meeting the company's requirements. It involves configuring AWS KMS to use a custom key store, creating a customer managed CMK with no key material, and importing the company's keys and key material into the CMK. Option **C** involves configuring AWS KMS to use the default key store, creating a customer managed CMK with no key material, and importing the company's keys and key material into the CMK. While this option allows for the import of the company's own key material and the ability to set an expiration date on the keys, it does not meet the requirement of using a custom key store. In summary, option **A** is the best choice for meeting all of the company's requirements. It allows for the use of a custom key store, the import of the company's own key material, setting an expiration date on the keys, and deleting keys immediately if needed.

A: Configure AWS KMS and use a custom key store. Create a customer managed CMK with no key material. Import the company's keys and key material into the CMK. By using a custom key store, the company has full control over the key material and can import its own keys. The customer managed CMK allows for setting an expiration date on the keys, and if needed, the keys can be deleted immediately.

The correct answer is C due to the specific use cases mentioned by AWS documentation concerning the customer key store. AWS KMS supports two types of custom key stores. An AWS CloudHSM key store is an AWS KMS custom key store backed by an AWS CloudHSM cluster. When you create a KMS key in your AWS CloudHSM key store, AWS KMS generates a 256-bit, persistent, non-exportable Advanced Encryption Standard (AES) symmetric key in the associated AWS CloudHSM cluster. This key material never leaves your AWS CloudHSM clusters unencrypted. When you use a KMS key in AWS CloudHSM key store, the cryptographic operations are performed in the HSMs in the cluster. AWS CloudHSM clusters are backed by hardware security modules (HSMs) certified at FIPS 140-2 Level 3. An external key store is an AWS KMS custom key store backed by an external key manager outside of AWS that you own and control.

C. https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html

How can answer C comply with the "delete keys immediately" requirement?

For most users, the default AWS KMS key store, which is protected by FIPS 140-2 validated cryptographic modules, fulfills their security requirements. There is no need to add an extra layer of maintenance responsibility or a dependency on an additional service. However, you might consider creating a custom key store if your organization has any of the following requirements: Key material cannot be stored in a shared environment. Key material must be subject to a secondary, independent audit path. The HSMs that generate and store key material must be certified at FIPS 140-2 Level 3. https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html

C https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html

There is default key policy, there is no default key store.

How can it be A when the AWS documentation says that the deletion is not immediate ? If you need to delete a custom key store, you must first delete the KMS keys in the custom key store by scheduling their deletion and waiting until the grace period expires. https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html C

"C" is the answer https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-delete-key-material.html "A" does not satisfy the request of 'be[ing] deleted quickly if necessary." https://docs.aws.amazon.com/kms/latest/developerguide/delete-cmk-keystore.html

Custom key store = Cloud Hsm