AWS Certified Developer – Associate — Question 415

A developer is using an AWS Key Management Service (AWS KMS) customer master key (CMK) with imported key material to encrypt data in Amazon S3. The developer accidentally deletes the key material of the CMK and is unable to decrypt the data.
How can the developer decrypt the data that was encrypted by the CMK?

Answer options

• A. Request support from AWS to recover the deleted key material.
• B. Create a new CMK. Use the new CMK to decrypt the data.
• C. Use the CMK without the key material.
• D. Reimport the same key material to the CMK.

Correct answer: D

Explanation

When importing key material into an AWS KMS CMK, AWS does not maintain a backup copy of the material, making AWS Support unable to recover it. To restore decryption capabilities, the developer must reimport the identical key material back into the same CMK. Creating a new CMK or attempting to decrypt without the key material will not work as the cryptographic keys must match exactly.