AWS Certified Security – Specialty — Question 223
A security engineer must develop an encryption tool for a company. The company requires a cryptographic solution that supports the ability to perform cryptographic erasure on all resources protected by the key material in 15 minutes or less.
Which AWS Key Management Service (AWS KMS) key solution will allow the security engineer to meet these requirements?
Answer options
- A. Use imported key material with CMK.
- B. Use an AWS KMS CMK.
- C. Use an AWS managed CMK.
- D. Use an AWS KMS customer managed CMK.
Correct answer: A
Explanation
The correct answer is A. With imported key material, the company controls the key material behind the customer master key (CMK) and can delete it quickly, which makes cryptographic erasure possible within the required timeframe. The other options (B, C, D) do not provide the same level of control over key material, which is essential for meeting the 15-minute requirement for erasure.