AWS Certified Security – Specialty — Question 229
A development team is using an AWS Key Management Service (AWS KMS) CMK to try to encrypt and decrypt a secure string parameter from AWS Systems Manager Parameter Store. However, the development team receives an error message on each attempt.
Which issues that are related to the CMK could be reasons for the error? (Choose two.)
Answer options
- A. The CMK that is used in the attempt does not exist.
- B. The CMK that is used in the attempt needs to be rotated.
- C. The CMK that is used in the attempt is using the CMK's key ID instead of the CMK ARN.
- D. The CMK that is used in the attempt is not enabled.
- E. The CMK that is used in the attempt is using an alias.
Correct answer: A, D
Explanation
The correct answers are A and D. If the CMK does not exist, encryption and decryption attempts will fail, and if the CMK is not enabled, it cannot be used for these operations. Options B, C, and E are incorrect because key rotation, using the key ID instead of the ARN, and using an alias do not directly prevent the CMK from being used to encrypt or decrypt data.