AWS Certified Security – Specialty — Question 141
A Security Engineer accidentally deleted the imported key material in an AWS KMS CMK.
What should the Security Engineer do to restore the deleted key material?
Answer options
- A. Create a new CMK. Download a new wrapping key and a new import token to import the original key material.
- B. Create a new CMK. Use the original wrapping key and import token to import the original key material.
- C. Download a new wrapping key and a new import token. Import the original key material into the existing CMK.
- D. Use the original wrapping key and import token. Import the original key material into the existing CMK.
Correct answer: C
Explanation
The correct answer is C: to restore the deleted key material, download a new wrapping key and a new import token, then import the original key material into the existing CMK. Options A and B create a new CMK, which is not required because the key material can be imported back into the existing CMK. Option D is incorrect because it reuses the original wrapping key and import token instead of downloading new ones, which the import process requires.