AWS Certified Security – Specialty (SCS-C03) — Question 4
A security engineer is responding to an incident that is affecting an AWS account. The ID of the account is 1234156789012. The attack created workloads that are distributed across multiple AWS Regions.
The security engineer contains the attack. The security engineer removes all compute and storage resources from all affected Regions. However, the attacker also created an AWS KMS key. The key policy on the KMS key explicitly allows IAM principal kms:* permissions.
The key was scheduled to be deleted the previous day. However, the key is still enabled and usable. The key has an ARN of arn:aws:kms:us-east-2:123456789012:key/mrk-0bb0212cd9864fdea0dcamzo26efb5670. The security engineer must delete the key as quickly as possible.
Which solution will meet this requirement?
Answer options
- A. Log in to the account by using the account root user credentials. Re-issue the deletion request for the KMS key with a waiting period of 7 days.
- B. Identify the other Regions where the KMS key ID is present and schedule the key for deletion in 7 days.
- C. Update the IAM principal to allow kms:* permissions on the KMS key ARN. Re-issue the deletion request for the KMS key with a waiting period of 7 days.
- D. Disable the KMS key. Re-issue the deletion request for the KMS key in 30 days.
Correct answer: B
Explanation
Option B is the correct choice. The key ID begins with mrk-, which identifies a multi-Region KMS key: the primary key has replica keys in other Regions, and each replica is a separate resource with its own lifecycle. Scheduling deletion of the primary key alone does not remove the replicas, and the primary remains usable until every replica has been deleted. The engineer must therefore identify the other Regions where the key ID is present and schedule deletion there as well, using the minimum waiting period of 7 days. The other options do not address this: A and D re-issue the same single-Region request (and D needlessly chooses the maximum 30-day waiting period), while C changes IAM permissions that are not required to delete the key.