
Exam AWS Certified Security - Specialty topic 1 question 397 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 397
Topic #: 1

A security engineer is evaluating a company’s use of AWS Key Management Service (AWS KMS). The security engineer must implement a hybrid solution with two sets of keys to meet the following requirements:

• Set 1: The company needs granular control over the keys so that the company can maintain a copy of the keys in the key management infrastructure and reimport the keys at any time. The company needs the ability to set the expiration period to 3 days for the keys.
• Set 2: No restrictions exist regarding immediate key deletion. A waiting period of 14 days is acceptable for keys to be marked deleted.

Which solution will meet these requirements?

  • A. Use imported keys for Set 1. Use AWS managed keys for Set 2. For Set 1, set an expiration period and manually delete the keys after the expiration period has elapsed.
  • B. Use imported keys for Set 1. Use AWS managed keys for Set 2. For Set 1, set an expiration period. AWS will automatically delete the keys after the expiration period has elapsed.
  • C. Use AWS managed keys for Set 1. Use imported keys for Set 2. For Set 1, set an expiration period and manually delete the keys after the expiration period has elapsed.
  • D. Use AWS managed keys for Set 1. Use imported keys for Set 2. For Set 1, set an expiration period. AWS will automatically delete the keys after the expiration period has elapsed.
Suggested Answer: B
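The KMS API sequence behind the two key sets, as an added example (not part of the exam page or any AWS sample). Set 1 is a customer managed key created with Origin=EXTERNAL whose material is imported with ExpirationModel=KEY_MATERIAL_EXPIRES and ValidTo three days out; at expiry KMS deletes only the material and leaves the key in PendingImport so the same bytes can be re-imported. One caveat on Set 2: the suggested answer puts it on AWS managed keys, but ScheduleKeyDeletion only accepts customer managed keys (7 to 30 day window), so the example below uses a KMS-generated customer managed key to actually get the 14-day wait. The request builders are pure Python; the live calls under `__main__` assume boto3, AWS credentials and the `cryptography` package, none of which the original page mentions.

```python
"""
AWS KMS calls for the two key sets in the question (added example, not from
the exam page). Request builders are pure Python; real API calls run only
under __main__ and assume boto3, AWS credentials and the `cryptography`
package are available (assumptions, not part of the original page).
"""
from datetime import datetime, timedelta, timezone
import os

# Limits documented by AWS KMS: imported key material may be valid for at most
# 365 days; ScheduleKeyDeletion accepts a pending window of 7..30 days.
MAX_IMPORT_VALIDITY_DAYS = 365
MIN_PENDING_WINDOW_DAYS = 7
MAX_PENDING_WINDOW_DAYS = 30


def create_external_key_request(description):
    """CreateKey parameters for Set 1: KMS must NOT generate material (Origin=EXTERNAL)."""
    return {
        "Description": description,
        "KeySpec": "SYMMETRIC_DEFAULT",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "Origin": "EXTERNAL",
    }


def wrap_key_material(der_public_key, key_material):
    """RSAES_OAEP_SHA_256 wrap of the raw 256-bit key with the KMS-supplied public key.

    Imported lazily so the pure helpers above work without `cryptography` installed.
    """
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    if len(key_material) != 32:
        raise ValueError("SYMMETRIC_DEFAULT keys need exactly 32 bytes of material")
    pub = serialization.load_der_public_key(der_public_key)
    return pub.encrypt(
        key_material,
        padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None),
    )


def import_key_material_request(key_id, import_token, wrapped_material, now, validity_days):
    """ImportKeyMaterial parameters with a hard expiry (Set 1 uses 3 days).

    KMS deletes the material itself at ValidTo and moves the key to PendingImport;
    the key ID and metadata survive so the same material can be re-imported.
    """
    if not 1 <= validity_days <= MAX_IMPORT_VALIDITY_DAYS:
        raise ValueError("validity must be 1..%d days" % MAX_IMPORT_VALIDITY_DAYS)
    return {
        "KeyId": key_id,
        "ImportToken": import_token,
        "EncryptedKeyMaterial": wrapped_material,
        "ExpirationModel": "KEY_MATERIAL_EXPIRES",
        "ValidTo": now + timedelta(days=validity_days),
    }


def schedule_key_deletion_request(key_id, pending_window_days, key_manager="CUSTOMER"):
    """ScheduleKeyDeletion parameters for Set 2 (14-day wait).

    key_manager mirrors DescribeKey's KeyMetadata.KeyManager: AWS managed keys
    ("AWS") cannot be scheduled for deletion, so Set 2 must be customer managed.
    """
    if key_manager != "CUSTOMER":
        raise ValueError("only customer managed keys can be scheduled for deletion")
    if not MIN_PENDING_WINDOW_DAYS <= pending_window_days <= MAX_PENDING_WINDOW_DAYS:
        raise ValueError("pending window must be 7..30 days")
    return {"KeyId": key_id, "PendingWindowInDays": pending_window_days}


if __name__ == "__main__":
    import boto3  # assumption: boto3 installed and credentials configured
    kms = boto3.client("kms")
    now = datetime.now(timezone.utc)

    # Set 1: external-origin key, material expires in 3 days.
    key1 = kms.create_key(**create_external_key_request("set1-imported"))["KeyMetadata"]["KeyId"]
    params = kms.get_parameters_for_import(
        KeyId=key1, WrappingAlgorithm="RSAES_OAEP_SHA_256", WrappingKeySpec="RSA_2048"
    )
    material = os.urandom(32)  # keep a copy in your own KMI so it can be re-imported
    kms.import_key_material(**import_key_material_request(
        key1, params["ImportToken"], wrap_key_material(params["PublicKey"], material), now, 3
    ))

    # Set 2: KMS-generated customer managed key, 14-day deletion window.
    key2 = kms.create_key(Description="set2-kms-generated")["KeyMetadata"]
    resp = kms.schedule_key_deletion(**schedule_key_deletion_request(
        key2["KeyId"], 14, key_manager=key2["KeyManager"]
    ))
    print("set1:", key1, "material expires", now + timedelta(days=3))
    print("set2 deletion date:", resp["DeletionDate"])
```

After the Set 1 material expires, `DescribeKey` reports KeyState=PendingImport; re-running `GetParametersForImport` plus `ImportKeyMaterial` with the saved bytes restores the key without changing its ID, which is what the "reimport at any time" requirement relies on.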

Comments

rijub2022
Highly Voted 2 years, 1 month ago
Selected Answer: B
https://aws.amazon.com/kms/faqs/ “ You may set an expiration period for an imported key. AWS KMS will automatically delete the key material after the expiration period. You can also delete imported key material on demand. In both cases the key material itself is deleted but the KMS key reference in AWS KMS and associated metadata are retained so that the key material can be re-imported in the future. Keys generated by AWS KMS do not have an expiration time and cannot be deleted immediately; there is a mandatory 7 to 30 day wait period. All customer managed KMS keys, regardless of whether the key material was imported, can be manually disabled or scheduled for deletion. In this case the KMS key itself is deleted, not just the underlying key material.”
upvoted 6 times
...
Granwizzard
Most Recent 1 year, 10 months ago
Selected Answer: A
A is the correct one, please fix all the wrong answers.
upvoted 3 times
...
Green53
1 year, 10 months ago
Selected Answer: B
Both C and D are instantly out, you don't have granular control over AWS Managed Keys. For B, you can set an expiration period and AWS will automatically delete: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-import-key-material.html When you import the key material for your KMS key, you can set an optional expiration date and time for the key material of up to 365 days from the import date. When imported key material expires, *AWS KMS* deletes it. This action changes the key state of the KMS key to PendingImport, which prevents it from being used in any cryptographic operation. To use the KMS key, you must reimport a copy of the original key material. So I would go B.
upvoted 1 times
...
Toptip
1 year, 11 months ago
Selected Answer: B
B for sure... AWS will delete expired imported keys
upvoted 1 times
...
gerches
2 years ago
Selected Answer: A
imported keys cannot be automatically deleted
upvoted 3 times
...
awsguru1998
2 years, 2 months ago
A, you cannot delete Set 2 as they are AWS managed
upvoted 1 times
...
SergioP
2 years, 2 months ago
Option B is not a viable solution because AWS does not automatically delete imported keys. The correct one is A.
upvoted 3 times
...
secdaddy
2 years, 4 months ago
I agree B - Also I note that the Set 1 requirements specifically mentions 'reimport' and you can't re-import if you haven't imported to start with which eliminates C and D.
upvoted 2 times
...
tainh
2 years, 5 months ago
Selected Answer: B
https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html You can only schedule the deletion of a customer managed key. You cannot delete AWS managed keys or AWS owned keys.
upvoted 3 times
...
luisfsm_111
2 years, 5 months ago
Selected Answer: B
According to this information the only that applies is B: https://aws.amazon.com/kms/faqs/#:~:text=You%20may%20set%20an%20expiration%20period%20for%20an%20imported%20key.%20AWS%20KMS%20will%20automatically%20delete%20the%20key%20material%20after%20the%20expiration%20period.
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other