AWS Certified Security – Specialty — Question 131
An organization must establish the ability to delete an AWS KMS Customer Master Key (CMK) within a 24-hour timeframe to keep it from being used for encrypt or decrypt operations.
Which of the following actions will address this requirement?
Answer options
- A. Manually rotate a key within KMS to create a new CMK immediately.
- B. Use the KMS import key functionality to execute a delete key operation.
- C. Use the schedule key deletion function within KMS to specify the minimum wait period for deletion.
- D. Change the KMS CMK alias to immediately prevent any services from using the CMK.
Correct answer: B
Explanation
The correct answer is B, as using the KMS import key functionality allows for immediate execution of a delete key operation. Option A does not address the deletion requirement but rather involves creating a new CMK. Option C involves scheduling a deletion, which does not meet the 24-hour timeframe. Option D can prevent use but does not delete the CMK.