AWS Certified Security – Specialty (SCS-C02) — Question 205

A company uses AWS Key Management Service (AWS KMS). During an attempt to attach an encrypted Amazon Elastic Block Store (Amazon EBS) volume to an Amazon EC2 instance, the attachment fails. The company discovers that a customer managed key has become unusable because the key material for the key was deleted. The company needs the data that is on the EBS volume.

A security engineer must recommend a solution to decrypt the EBS volume’s encrypted data key. The solution must also attach the volume to the EC2 instance.

Which solution will meet these requirements?

Answer options

• A. Import new key material into the key. Attach the EBS volume.
• B. Restore the EBS volume from a snapshot that was taken before the deletion of the key material.
• C. Reimport the same key material that originally was imported into the key. Attach the EBS volume.
• D. Create a new key. Import new key material. Attach the EBS volume.

Correct answer: C

Explanation

Option C is correct because reimporting the original key material allows the key to become usable again, enabling the decryption of the EBS volume. Options A and D involve introducing new key material, which does not help in recovering access to the existing encrypted data. Option B does not address the immediate need to decrypt the current volume, as it relies on restoring from a snapshot instead.