A company is using an AWS KMS customer master key (CMK) with imported key material. The company references the CMK by its alias in the Java application to encrypt data. The CMK must be rotated every 6 months. What is the process to rotate the key?
A. Enable automatic key rotation for the CMK, and specify a period of 6 months.
B. Create a new CMK with new imported material, and update the key alias to point to the new CMK.
C. Delete the current key material, and import new material into the existing CMK.
D. Import a copy of the existing key material into a new CMK as a backup, and set the rotation schedule for 6 months.
Suggested Answer: A
Cryptographic best practices discourage extensive reuse of encryption keys. To create new cryptographic material for your AWS Key Management Service (AWS KMS) customer master keys (CMKs), you can create new CMKs, and then change your applications or aliases to use the new CMKs. Or, you can enable automatic key rotation for an existing CMK. When you enable automatic key rotation for a customer managed CMK, AWS KMS generates new cryptographic material for the CMK every year. AWS KMS also saves the CMK's older cryptographic material in perpetuity so it can be used to decrypt data that it encrypted. AWS KMS does not delete any rotated key material until you delete the CMK. Reference: https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
B. When you import key material into a CMK, the CMK is permanently associated with that key material. You can reimport the same key material, but you cannot import different key material into that CMK. Also, you cannot enable automatic key rotation for a CMK with imported key material. However, you can manually rotate a CMK with imported key material.
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html
The resource: https://aws.amazon.com/kms/faqs/ and the question in that FAQ has the answer in it.
Q: Can I rotate my keys?
Yes. You can choose to have AWS KMS automatically rotate CMKs every year, provided that those keys were generated within AWS KMS HSMs. Automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster using the AWS KMS custom key store feature. If you choose to import keys to AWS KMS or asymmetric keys or use a custom key store, you can manually rotate them by creating a new CMK and mapping an existing key alias from the old CMK to the new CMK.
In the same document, at the very end, it says:
Unsupported CMK types. Automatic key rotation is not supported on the following types of CMKs, but you can rotate these CMKs manually.
Asymmetric CMKs
CMKs in custom key stores
CMKs that have imported key material
So, A is incorrect. That leaves us with B.
I agree that this answer should be B. Automatic key rotation is set to change every year, whereas creating a new CMK allows you to customize the rotation. In this case 6 months.
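The manual rotation the two comments above describe (a new CMK with imported material, then repointing the alias so the Java application keeps using the same alias) as an added example written for this page, not code from the original post or from AWS. It assumes the boto3 KMS client method names, takes the client as a parameter so the logic can be exercised against a stub, and uses an assumed alias name `alias/app-data-key`; the `wrap_key_material` helper is this example's own.

```python
"""Manual rotation of a KMS CMK whose key material was imported (Origin=EXTERNAL).

Added example, not code from the page or from AWS: the KMS client is passed in
so the logic runs against a stub; with a boto3 client it talks to real AWS.
"""
import os


def wrap_key_material(public_key_der: bytes, key_material: bytes) -> bytes:
    """Wrap the 256-bit AES key with KMS's RSA public key (RSAES_OAEP_SHA_256).
    'cryptography' is imported lazily so the module loads without it."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    pub = serialization.load_der_public_key(public_key_der)
    return pub.encrypt(key_material, padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(), label=None))


def rotate_imported_cmk(kms, alias_name: str, new_key_material: bytes,
                        wrap=wrap_key_material) -> dict:
    """Create a new EXTERNAL-origin CMK, import fresh material and repoint the
    alias. The old CMK stays enabled: KMS ciphertext records the key id it was
    encrypted under, so Decrypt keeps working without the alias."""
    if len(new_key_material) != 32:
        raise ValueError("SYMMETRIC_DEFAULT import material must be 256 bits")
    old_key_id = kms.describe_key(KeyId=alias_name)["KeyMetadata"]["KeyId"]
    # 1. A new CMK whose material will come from outside KMS.
    new_key_id = kms.create_key(
        Description=f"rotation of {alias_name}", KeyUsage="ENCRYPT_DECRYPT",
        Origin="EXTERNAL")["KeyMetadata"]["KeyId"]
    # 2. One-time wrapping public key + import token, both bound to new_key_id.
    params = kms.get_parameters_for_import(
        KeyId=new_key_id, WrappingAlgorithm="RSAES_OAEP_SHA_256",
        WrappingKeySpec="RSA_2048")
    # 3. Import the wrapped material into the new CMK only.
    kms.import_key_material(
        KeyId=new_key_id, ImportToken=params["ImportToken"],
        EncryptedKeyMaterial=wrap(params["PublicKey"], new_key_material),
        ExpirationModel="KEY_MATERIAL_DOES_NOT_EXPIRE")
    # 4. The application is untouched: it still encrypts under the alias.
    kms.update_alias(AliasName=alias_name, TargetKeyId=new_key_id)
    return {"old_key_id": old_key_id, "new_key_id": new_key_id}


if __name__ == "__main__":
    import boto3  # real run; the alias name is an assumption for this example
    print(rotate_imported_cmk(boto3.client("kms"), "alias/app-data-key",
                              os.urandom(32)))  # stand-in for your key source
```

Schedule the call every 6 months from wherever your rotation jobs run; the old CMK is deliberately not scheduled for deletion, since data encrypted under it must remain decryptable.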