AWS Certified Developer – Associate (DVA-C02) — Question 456
A developer manages encryption keys in AWS Key Management Service (AWS KMS). The developer must ensure that all encryption keys can be deleted immediately when the keys are no longer required. The developer wants a solution that is highly available and does not require manual management for compute infrastructure.
Which solution will meet these requirements?
Answer options
- A. Use AWS KMS managed keys. When the keys are no longer required, schedule the keys for immediate deletion.
- B. Use customer managed keys with imported key material. When the keys are no longer required, delete the imported key material.
- C. Use customer managed keys. When the keys are no longer required, delete the key material.
- D. Use customer managed keys and an AWS CloudHSM key store. When the keys are no longer required, schedule the keys for immediate deletion.
Correct answer: B
Explanation
Deleting imported key material from a customer managed key in AWS KMS takes effect immediately (the DeleteImportedKeyMaterial operation), bypassing the mandatory 7-to-30-day waiting period that applies when a KMS-generated key is scheduled for deletion. Customer managed keys with KMS-generated key material can only be scheduled for deletion, and AWS managed keys cannot be deleted by the customer at all, so neither allows immediate removal of the key material. Using an AWS CloudHSM key store is incorrect because it introduces manual management overhead for the HSM cluster, failing the requirement for no manual compute infrastructure management.